by omeid2 2663 days ago
This kind of law would be very ineffective, as they would need to grandfather previously built applications, so enforcement becomes very complicated and only practical in data-breach scenarios. So you might as well make laws that fine for data breaches in relation to non-zero-day issues and neglect of security by industry standards (I know it when I see it, expert opinion, et al.).

That is, don't legislate implementation but consequences.

2 comments

Why would you need to grandfather previously built applications? It seems to me that these would be the best things to target with the law. When you pass the law, include a date at which enforcement starts. Now you need to fix any in-use applications.
They don't need to grandfather anything - it's similar to the GDPR in the sense that you can give companies time to prepare, and then it comes into force.

Prepare the law, give companies 3-5 years to prepare, and after that, anything is fair game. If your company is accepting plaintext passwords there should be something that makes you say "oh we have 3 years to change this, let's hire someone to fix this". If a system is live and in use, it -should- follow some -minimal- standards for security.

That doesn't preclude your data breach fine idea - that'd be useful for more advanced security situations that can't be predicted (as you said, based on expert opinions).

But something as basic as "you're not allowed to pretend it's 2FA if it's just password + questions" or "you're not allowed to store passwords in plaintext", that sort of thing should be the minimal baseline that companies should have to adhere to, surely.