
The government is something of a blunt instrument. The difficulty in the proposal as described is how you can precisely define the terms such that you can reliably measure 'compliance' -- cue: lots of legalese and paperwork (cf medical device regs where you really do want stringent controls and considered processes). Sanctions for data breaches and poor security might work but then they simply become costs of doing business and don't necessarily lead to improvements (just passing the buck).

In my view (see my other comment [1]), we need to reconsider how we build, deploy and manage software for this 'connected-age'. If developers are not willing to try to solve this with better tools/infrastructure, then no amount of legislation is going to fix it. If anything, the poorly-secured incumbents will simply misappropriate existing laws to go after those who uncover faults.

(NB: I'm not suggesting that government doesn't have a role to play, but solely relying on them is doomed to fail -- eg who d'you think would be advising them on such legislation? Not the people you'd likely want.)

[1] https://news.ycombinator.com/item?id=9089160



I thoroughly agree that this is something we developers have to fix instead of adding yet more hoops to jump through. Like you, I am also working on the problem of tools/infrastructure to solve this problem, though probably a different aspect of the problem, with my startup resin.io.



