Friday, August 10, 2007

HL Report into Personal Internet Security published

The House of Lords Science and Technology Committee has published its report on Personal Internet Security. Here is the abstract:

"The Internet is a powerful force for good: within 20 years it has expanded from almost nothing to a key component of critical national infrastructure and a driver of innovation and economic growth. It facilitates the spread of information, news and culture. It underpins communications and social networks across the world. A return to a world without the Internet is now hardly conceivable. But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today’s “bad guys” belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist. Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear. The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless “wild west”. It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system. We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders. The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships."

This is quite a lengthy report, but see also the recommendations (in the context of data security breaches):

"Conclusions and Recommendations

5.53. The steps currently being taken by many businesses trading over the Internet to protect their customer’s personal information are inadequate. The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at Government level. Governments and legislators are not in position to prescribe the security precautions that should be taken; however, they do have a responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect personal data.

5.54. We therefore recommend that the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held liable for losses incurred as a result of electronic fraud.

5.55. We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.

5.56. We recommend that a data security breach notification law should incorporate the following key elements:

• Workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost, and criteria for theaccessibility of that data;
• A mandatory and uniform central reporting system;
• Clear rules on form and content of notification letters, which muststate clearly the nature of the breach and provide advice on the steps that individuals should take to deal with it.

5.57. We further recommend that the Government examine as a matter of urgency the effectiveness of the Information Commissioner’s Office in enforcing good standards of data protection across the business community. The Commissioner is currently handicapped in his work by lack of resources; a cumbersome “two strike” enforcement process; and inadequate penalties upon conviction. The Government have expressed readiness to address the question of penalties for one type of offence; we recommend that they reconsider the tariffs for the whole of the data protection regime, while also addressing resources and enforcement procedures as well. These should include the power to conduct random audits of the security measures in place in businesses and other organisations holding personal data."


No comments: