And, in the payments industry, self-policing is in place through PCI DSS (the Payment Card Industry Data Security Standard), which, while not a federal law, has been written into law in some states.
Despite the fact that every security framework from COBIT to ITIL to ISO calls for vulnerability scanning, and PCI DSS requires it, most organizations are still doing it on an ad hoc basis, if at all.