Hacker News
by matt-p 776 days ago
This is V0, the actual requirements are regulations, which can be updated really easily. Much easier to pass a law with very basic requirements and increase them later.

This is much better than nothing, which is what most countries have.

I would actually prefer a law that (in addition?) required a reasonable standard of care with regard to security, imposed responsibility for consequential loss for negligence, and left the courts to interpret it.
Anything that relies on suing major corporations over unclear standards is doomed to mean nothing.
You can already sue a manufacturer for consequential loss if you can prove negligence?
Yes, but 1) I would like to make it clearer that failing to meet generally accepted good security practice is negligence, and 2) make importers and retailers liable to some extent for negligence with regard to security, not just manufacturers.

I would apply this to hardware, not pure software, or separately sold software.