When I see PCI or HIPAA programs, the motivating factor seems to be CYA tied to executive or market accountability. That is, if there is a breach, affected parties want to know that the organization took every reasonable precaution. That’s when compliance with specific sections of PCI or HIPAA comes in handy.
We are now on the threshold of more regulations. It is very clear that governments cannot mandate how organizations secure confidential information. The attacks and defense technologies just change too rapidly for any such regulations to be effective for long (like PCI requiring an IDS). New statutes for such things as data encryption or identity theft should use executive and market accountability as the enforcement hammers. Let the businesses adapt and innovate over time as threats and risks evolve. Anything else is doomed to be unproductive without improving security one iota.
CYA? Damn Skippy! What little HIPAA compliance I see is entirely the result of CYA; in fact, it is a large part of my consulting pitch. And while we have gone through a long period of lax or non-existent enforcement, the pendulum is clearly swinging back. Best we all be thinking about C'ing our A's.