Re: The law is fine and doesn't need changing
One of the problems is that customers currently have no recourse if they find (or suspect) a vulnerability and that companies care very little. How about a branch manager of one of the top-3 banks in the USA who had never even heard of PCI-DSS...? Or one of the top-10 banks I called to report that it was possible to gain access account holders' accounts - only to be told that they had no process for escalating my findings to their Cyber Security department?
Worse, if a customer suspects an issue they don't have a legal means to dig a little deeper to see if their data may in fact be at risk.
To compound the problem, some companies go to great lengths to hide their problems rather than to address them. Remember the bank (!) that formally asked (forced?) Qualys to disallow the public from running an SSL-test on their main domain because it kept returning an "F"?
I would propose three actions as part of fixing the general security legislation:
1) A (government) clearinghouse/database where the public can report issues. Reports are to be automatically made public after x days, or at the very least it should be public where the company is failing. Receiving even general flags like "PCI-DSS violation, OWASP-violation, NIST-violation, unpatched systems, runs EOL-software", would most likely spur companies into action.
2) A (government) agency where members of the public can register themselves, report suspected issues and be given clearance to investigate (within white-hat boundaries) a specific issue.
3) Make executives personally liable for breaches that are the result of demonstrated decisions to do due diligence. That should all but eliminate those instances where people "on the floor" are flagging an issue only to be rebuffed by the corporation.