I think that statement might confuse more people than it soothes. It's probably better to just say that you won't distribute their information (on purpose). That is unless you are dealing with technically advanced users... in which case they'll probably be skeptical about how secure any database on a web server is anyway ;)

it is required by law that you protect any personal information that you gather in order to do business with your clients/users.

You never see it because it is not an option.

I didn't realize it was required by law. What lengths are you required to go to in order to protect user data?

I did find this line on Yahoo's security page:
"No data transmission over the Internet or information storage technology can be guaranteed to be 100% secure."

it is required by personal privacy laws which are usually federal. I am most familiar with US and CA.

you must take all reasonable measures, the lengths to which you need to go is determined by what type of data you keep.

This is why it is important that merchants/sites only take the information they require to do business with the client/user.