Current scholarly understanding of information security regulation is limited. Several competing mechanisms exist, many of which are untested in the courts and before state regulators, and new mechanisms are proposed regularly. Perhaps of even greater concern, technology and threats change at a pace that far exceeds the abilities of even the most sophisticated regulators. Based on the American case, Thaw's dissertation focuses on understanding how these laws are classified, what effects they have, and what the implications of these effects are for organizations and professionals. The author draws two conclusions. First, the combination of laws and management-based "regulatory delegation" models is better at preventing breaches of personal information by organizations than either model alone. Second, compliance-oriented prescriptive legislation weakens the role of security professionals within organizations, while management-based regulatory delegation models strengthen that role.