While I am rarely a fan of laying legislation atop technology, data breaches like the recent hack of Sony’s PlayStation Network are one area where this could actually help, especially in terms of consumer protections. Most of us have signed into a fancy online service, from Gmail to activating our iPhones, and been presented with 800 pages of “terms and conditions,” most of which legally absolve the provider from any and all responsibility for an incident like this.
Rather than trying to legislate specific technologies, I would advocate legislation that sets standards for what companies must do should they be hacked, similar to the current legislation around credit cards (limitations on consumer liability, etc.). Some specific areas where legislation would be appropriate:
- Minimum standards for the liability a company accepts when hacked. For example, in PSN’s case, this legislation might mandate that Sony cover credit monitoring services and any damages resulting from identity theft due to the hack.
- Minimum notification standards when hacked. Some companies have tried to bury these types of events, and legislation would prevent that.
- Security audit standards for companies of a certain size, or with a certain volume of financial data, similar to the current audit rules for public companies’ financial statements. The PSN hack will hopefully trigger more companies to do this voluntarily.