Suing over security

A recent court case was brought to my attention in which a user whose personal and financial information was stolen tried to sue the company for not using encryption on the data.  The article covering it explains how the data was stolen and the ruling of the courts.

The question raised is whether the suit should have been supported.  While I agree with the ruling, I think that certain industries need to gradually build best practices, such as the use of encryption, into their required security precautions.  This may be Pandora’s box, but if it is done over time then it might actually be done right (wishful thinking?).


Security is still a black art to most people.  We need to define “reasonable measures” in ways that make sense to the masses.