by moreira 2668 days ago
I've often read discussion about how you can't regulate this sort of thing because the industry moves so fast that what's a best practice today can be tomorrow's horrible security (then enforced by law).

But, isn't it possible to legislate this on a blacklist basis? "Fine of up to $X if you're storing passwords in plaintext. Fine of up to $X if you're limiting the length of passwords to < 16 characters. Fine of up to $X if you misrepresent your 2FA implementation (as in the article). Fine of up to $X if you accept unencrypted logins over the web."

Outlawing a small set of easily identifiable and correctable attack vectors would be enough to get companies thinking about security a bit more seriously. It doesn't have to be anything big, and I wager it'd have a serious impact.

3 comments

I think requiring mandatory insurance against "cyber-disaster" for qualifying types of companies would be the best way to accomplish this.

Insurance premiums of all types are based on risk factors, so the policy would be written against a checklist of best practices.

Similar to how having a fire extinguisher in your kitchen reduces your home insurance premiums by a small percentage, the same could be said for each security practice. Encrypted passwords: -2%. Mandatory 2FA in place: -3%. Etc.

This kind of law would be very ineffective, as they need to grandfather previously built applications, and so enforcement becomes very complicated and only practical in data-breach scenarios; so you might as well make laws that fine for data breaches in relation to non-zero-day issues and neglect of security by industry standards (I know it when I see it, expert opinion, et al.).

That is, don't legislate implementation but consequences.

Why would you need to grandfather previously built applications? It seems to me that these would be the best things to target with the law. When you pass the law, include a date at which enforcement starts. Now you need to fix any in-use applications.

They don't need to grandfather anything - it's similar to the GDPR in the sense that you can give companies time to prepare, and then it comes into force.

Prepare the law, give companies 3-5 years to prepare, and after that, anything is fair game. If your company is accepting plaintext passwords there should be something that makes you say "oh we have 3 years to change this, let's hire someone to fix this". If a system is live and in use, it -should- follow some -minimal- standards for security.

That doesn't preclude your data breach fine idea - that'd be useful for more advanced security situations that can't be predicted (as you said, based on expert opinions).

But something as basic as "you're not allowed to pretend it's 2FA if it's just password + questions" or "you're not allowed to store passwords in plaintext", that sort of thing should be the minimal baseline that companies should have to adhere to, surely.

You can regulate by having legislation that has 2 components. One is the law that such companies have to follow best practices. Second, best practices are created and published by a set of companies who have the best record of implementing security correctly, or even by security professionals (and there are many well-respected security experts who can do this, since they talk about it on their blogs all the time).

You can also regulate by having fines or substantial civil damages for breaches, requiring insurance to cover the liability, and letting the insurers figure out what practices are needed to get cheap rates.