Although this is not the kind of liability I’ve been advocating, it might be of some use:
The Cyber-Security Enhancement and Consumer Data Protection Act of 2006, introduced this week by House Judiciary Chairman James Sensenbrenner (R-Wis.), would punish companies for failing to notify the Secret Service or the FBI of an electronic database breach if that archive holds information on 10,000 or more people or data on federal employees. Under the bill, violations would be punishable by fines and prison sentences of up to five years.
Bill Would Criminalize Failure to Report Breaches, Brian Krebs on Computer Security, WashingtonPost.com, 11 May 2006
This bill, H.R. 5318, could produce some useful data, but, as the article notes, it’s not clear what good it will do if the feds don’t do anything with the data.
The article notes that the FBI has bumped cybercrime up on its priority list, and there have been some high profile convictions of bot herders lately. Those are both good things.
However, government funding for such investigations and prosecutions is still a drop in the bucket compared to the military budget, and there’s still no real liability for vendors of the software that enables most of the exploits bot herders use. And the article makes another general point.