Vague lingo is currently accepted, among white-collar crime academics, as absolutely the best path forward for reining in corporate behavior.
When you have very specific lingo, it’s extremely easy to circumvent the law. You want to keep the law vague and open so you have lots of maneuver room to prosecute. This assumes you trust the government, which when compared with companies I 97% do. Bruce Schneier’s latest book, “Click Here to Kill”, makes the same point.
Vague language is the best way to enable selective enforcement. Large companies who can afford the best lawyers will be able to find interpretations that are in their favor. Smaller companies would be unable to do this and thus more likely to lose.
And this only gets worse if large companies spend more effort on lobbying — they can get vague wording that makes the public feel good (like something is happening!) but which requires no effort on the company to comply.
Companies don't have the monopoly on force that the government does. This greatly changes how you calculate who the law should favor. I much prefer specific laws instead of laws that are selectively applied to whomever the government decides to target, because there is a long history showing a very evil nature in how they pick targets.
Core question: what does "reasonable" mean? Do I get to define it, or some information security peer? Is it going to be defined as a matter of convenience by some functionary looking to make quota?
It's my professional responsibility to provide informative and actionable risk assessments and guidance. Crap like this makes that impossible.
Laws like GDPR are there to protect people from companies. Not make things easier for them. It's perhaps possible that people might be better protected by laws that are clear than by laws that gesture vaguely in the direction of security. Similarly, people are well-protected by clear automotive safety standards, and poorly protected by the regulation around dietary supplements.
Might that be worth considering?