the e-commerce sites they use are suitably certified. If irresponsible

businesses can be motivated and penalized up-front, instead of AFTER a

failure of information security systems, then perhaps the bar can be

raised . And if the businesses really don't want to do it, then that's

their own decision-at least customers would then be able to make an