2006-02-20
A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new light on what "reasonable" protections a company must put in place to secure its customer data - and what customers need to prove in order to sue for damages.
Strict liability for data breaches?
2006-02-21
Adam (1 replies)
Strict liability for data breaches?
2006-02-21
Stephen T (1 replies)

Indeed, the LAW doesn't need to be changed -- it's relatively simple - DO WHAT IS REASONABLE. The problem is, is "reasonable" defined by what IS being done, or what can reasonably be done? The legislature can mandate specific things (e.g., seat belts), but that's probably not a good approach for network security, since FAILING to mention some new technology might convince people that they need NOT apply that technology. Indeed, most regulated entities would prefer a mere reasonableness standard, other than legislatures defining specific (and outdated) procedures. We actually need better informed litigators, not more laws. At least in my opinion. More jobs for lawyers -- that can't be bad!
Link to this comment: http://www.securityfocus.com/comments/columns/387/33181#33181