[127001brewer]

States have already been passing such laws for security breaches that contain personal identifiable information since 2002:

http://en.wikipedia.org/wiki/Security_breach_notification_la...

It has to be considered that effective security has significant costs financially and non-financially. (An example of a non-financial cost is a overly difficult registration process for a web application that requires long, complex passwords with multiple security questions and answers.)

[roc]

I was thinking more about the systems for major banks, defense contractors, industry suppliers, etc.

And effective security wasn't meant to imply the best thing you can think of. It would be a huge step forward if more people simply did the things we all know we should be doing: e.g. policies of accounts not having more access than necessary, network security not 100% focused on the firewall, etc.

[127001brewer]

It would be a huge step forward if more people simply did the things we all know we should be doing...

That's what I mean by "effective security".

Although security breaches at banks should fall under such laws (especially since they have personal identifiable information), I do not believe defense contractors, energy concerns, industrial suppliers, etc, should even acknowledge such breaches simply because of national security.

[roc]

> "That's what I mean by "effective security"."

That stuff doesn't cost all that much more. It's non-trivial, sure. But it's not going to make a huge impact on the bottom line. A demand for it would end up costing enterprise software suppliers quite a bit in one-time costs to clean up their code-bases and standard install practices.

> "I do not believe defense contractors, energy concerns, industrial suppliers, etc, should even acknowledge such breaches simply because of national security."

Perhaps not to the general public, but certainly they should be required to disclose to their clients.