In this discussion of legislation to protect the citizen against harm resulting from the use of information contained in computer data systems, several important questions emerge: Would the legislation apply to the public sector or to government--Federal? State? Local? Should it apply equally or separately to the private sector? Would a regulatory agency or a judicial system enforce the law? Who will define what "harm" is? What about the Social Security number as an ad hoc personal identifier? The author suggests (1) passage of a broad-gauge omnibus bill applicable to the public sector only but making every individual liable for harm caused by misuse or abuse of personal information; (2) treatment of private-sector problems by specific legislation as difficulties are discovered; (3) creation of legislation prohibiting use of the Social Security number as a personal identifier, except as provided by Federal law, but providing a mechanism for granting exceptions. 5 pp.