Real Computer Security is hard, because you have to prevent bad stuff without being noticed as the good guys go about their jobs. When you get noticed, you've done something wrong, either because there has been a breach or because someone can't do their job because your security system stopped them. There is a certain art to finding the balance and it depends greatly on the specific requirements of the people you are working for and your wisdom in being judicious about what you control. Things like SOX and HIPPA micromanage the problem with one size fits all policies that inevitably fail in the real world.
Congress should operate on the level of incentivization and not on the level of specific requirements. For example, one of the reasons credit card fraud is so easy is that credit card companies don't bare the costs associated with fraud (the merchants do) and so they don't have any economic incentive to deploy technologies that are harder to subvert. In fact, credit card companies are making money on fraud by selling useless identity theft protection and credit report monitoring services. This is a problem lawyers can fix. They should focus on who is liable and leave computer security to the computer security professionals.
Indeed.
