A growing number of lawsuits over data breaches could place more liability on the companies behind the software that was exploited in the attacks — and thus force an increase in security, Ars Technica
In addition to the lawsuits, there is also growing concern at the Federal Trade Commission about the state of online security.
"The world in which software companies could safely treat security as an afterthought is gone," the article said, "but it's not yet clear what will replace it … the right rules will encourage companies to take security seriously, but too much regulation could unduly hamper the software development process."
Alex Halderman, a computer science professor at the University of Michigan, told Ars Technica that legal and government pressure is necessary because consumers are not well enough informed about security issues to be able to effect change in how companies approach data protection. However, Halderman said the FTC and similar agencies may also be lacking in expertise. Halderman argued that the best way to improve security is for a company to have a mentality of taking security seriously, the article said. This is tough to mandate from an outside agency, but legal pressure might help shape a company's culture, Halderman said.
Halderman cautioned that heavy legal or other scrutiny might make companies swing too far in the opposite direction: they could become so security-conscious that it affects their ability to bring a product to market.
"Forcing companies to devote too much effort to security can be as harmful as devoting too little," the article said.