UK should introduce data breach notification law, say Lords

The report, ‘Personal internet security’, says many businesses are failing to take adequate steps to protect customers’ personal information. “The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at government level,” it says, adding that making banks liable for losses incurred through electronic fraud would bring such transactions into line with a law which has covered cheques since 1882.

The authors believe that a data security breach notification law would be “among the most important advances that the United Kingdom could make in promoting personal internet security”. The report adds: “We recommend that the government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.” This would dictate thresholds for the sensitivity of data, “a mandatory and uniform reporting system” and rules on the format of notification letters.

The report also says that the UK government should push for a European Union-wide directive which would impose legal liability on software and hardware vendors for damage resulting from security flaws, “notwithstanding end user licensing agreements”. Such agreements normally force users to waive such claims.

In a statement, Lord Broers, the committee’s chairman, described the internet as “a huge force for good”, but added that it is increasingly perceived as “a sort of ‘wild west’, outside the law”.

“People are said to fear e-crime more than mugging. That needs to change, or else confidence in the internet could be destroyed,” he said. “You can’t just rely on individuals to take responsibility for their own security. They will always be out-foxed by the bad guys. We feel many of the organisations profiting from internet services now need to take their share of the responsibility. That includes the IT industry and the software vendors, the banks and internet traders, and the internet service providers.”

In other recommendations, the report says that the effectiveness of the Information Commissioner’s Office (ICO) should be examined as a matter of urgency, describing the organisation as “handicapped” by a lack of resources. The ICO should have the ability to levy greater penalties and to conduct random audits of organisations holding personal data, it argues.

The parliamentarians also recommend that the police again become responsible for investigating online crime, with the establishment of a central, automated web-driven system for internet users to report incidents. They urge the government to reverse a recent decision under which the public report online fraud to banks, rather than the police, adding that the police must be given more resources in this field.

They also recommend that internet service providers lose their “mere conduit” defence for carrying illegal material once they have been notified that they are sending spam or infected code. They are, however, given a grace period if they detect such activity themselves. The committee members believe that internet service providers should be encouraged to establish a British Standards Institute-approved ‘kite mark’ for secure internet services.

The report also urges the government to remove legitimate security researchers from the danger of criminalisation under recent amendments made to the Computer Misuse Act 1990, but says it should criminalise the sale or purchase of a botnet of zombie computers. It says that voice-over-IP telephone services should be asked to provide ‘999’ calls to the emergency services on a best-efforts basis, rather than being compelled to do so.

The Home Office told BBC News that it will respond to the committee shortly regarding its recommendations.
