The most likely way is regulation similar to HIPAA, which mandates data controls for sensitive personal information and lays out penalties and procedures for disclosure.
Regulation would be okay... maybe something forbidding the storage of plain-text passwords, special instructions for hashing, a special protocol for (not) storing credit card numbers... Like a security 101...