3 Simple Ideas to Unbalance the InfoSec Status Quo

It's an election year, so it only seems right to put forward my own ideas on how to improve our world. ;) Actually, rather than talking about theoretical ideas, I thought it would be nice to put those ideas into specific suggestions. In this case, two of them would be legislative actions, while the third would require card brands to revise their contractual agreements from top to bottom.

Incidentally, the underlying theory is this: rather than mandating specific detailed practices (as the now-dead Cybersecurity Act of 2012 threatened to do, and as Pres. Obama has threatened to enact via executive order), I think instead it makes sense to allow the market to optimize for revised performance and/or behavior requirements. The reason I prefer this approach is because we're still in a rapidly changing and transitional period in time. Until this round of technological growth and evolution slows down and stabilizes, it's short-sighted and irresponsible to codify too many specific actions or behaviors (e.g., imagine trying to codify each of Microsoft's server security guides as law... by the time you get it ratified, it's likely obsoleted by a new OS release, not to mention that it would inevitably stifle innovation). Thus, you change the overall business environment dynamics and let the market sort itself out. Or so the theory goes.

Without further ado, my three (3) ideas...

1. Codify Legal Defensibility

I first discussed the notion of legal defensibility as applied to infosec a couple years ago, even mentioning the need to codify these requirements. At a minimum, the legislation should make all business owners and executives subject to legal remedy (both civil and criminal) when they fail to undertake appropriate security and risk management measures. Part, if not all, of this would likely fit well under negligence and disclosure laws, similar to the SEC guidance on quarterly filings.

Basically, it comes down to this: if your business cannot clearly demonstrate that it took reasonable measures to protect itself from "cyber" threats, then you're going to be legally liable for it, possibly to the extent of being found criminally negligent. This measure alone should sufficiently unbalance the status quo and spur dramatic changes; at least until gamesmanship slows things down again.

2. Mandate Incident & Breach Disclosure

Part and parcel of enforcing legally defensible practices, it's imperative that businesses be required to disclose security incidents and data breaches. To make this more useful and constructive, it is important to also mandate capturing actual costs and financial impact (this would go a long way toward helping baseline the financial impact of data breaches for risk management purposes). I am against making this reporting anonymous (especially for public companies), and I believe there should be significant penalties (financial and criminal) for failing to comply (in order to ensure disclosures occur).

3. Prohibit Small Merchant Insourcing

Lastly, it's time for the payment card industry to do something more useful than PCI DSS. Specifically, it's time to take card processing and transaction handling out of the hands of smaller merchants (in this case, I define this as merchants handling less than 1 million transactions/year total - maybe even more than that - so, primarily Level 3 and 4 merchants) and mandate contractually that these merchants must outsource all handling of related activities (other than the card-present swipe itself) to a certified, bonded, and insured third party, including all maintenance of the associated infrastructure.

In short, this means that smaller merchants have limited responsibilities and liabilities related to card transactions, pushing the responsibility onto those more able and better incentivized to handle more stringent security requirements. Additionally, mandating insurance and certification becomes more reasonable. More importantly, the card brands are more likely to have contractual relationships with the acquirers, processors, etc., whereas they typically do not have contracts directly with merchants (and especially not with smaller merchants). Thinking back to the Park City, UT, restaurant suing the card brands, this problem essentially goes away for the restaurant because their duties and responsibilities are transferred wholly to an insured and bonded third party that can be held directly responsible. To me, this makes absolute sense, even if it increases the cost of credit card transactions for these merchants.


Again, these are just some simple, tangible ideas that I think would effectively unbalance the status quo and lead to businesses and the legal system recalibrating to the current threat landscape. Many have complained about inadequate actions by businesses and government, but detailed legislation like the Cybersecurity Act of 2012 ends up missing the mark by going into too much detail on the "how" rather than simply focusing on the desired outcome (the "what").

About this Entry

This page contains a single entry by Ben Tomhave published on September 5, 2012 11:10 AM.
