The Government have been called to act on the risks of e-crime by the House of Lords Science & Technology Committee. The Committee reported that the internet was now a lawless ‘Wild West’ and the Government’s insistence that responsibility for internet security should rest with the individual user was unrealistic. A new principle of vendor liability is among the proposals.
In a comprehensive report, the Committee highlighted the increasing dependency on the internet which is now embedded in the critical infrastructure of many countries. Despite this, it noted that there is a ‘laissez faire’ attitude to internet security taken by the Government, internet service providers (ISPs) and hardware and software manufacturers which risked undermining public confidence in the internet. The Government must, therefore, do more to protect individual users of the internet.
Research has shown that public anxiety over e-crime is on the rise and that people fear e-crime more than mugging, car theft or burglary. The Committee urged the Government and Ofcom to engage with the IT industry to develop more uniform standards of security across the industry. The IT industry has not previously made security a priority but this is necessary to keep up with the ingenuity of criminals. Failure to do so could lead to a disastrous loss of confidence in the internet.
The Committee considered that the steps being taken by businesses trading on the internet to protect their customers’ information were inadequate. The financial services sector’s refusal to accept responsibility for the security of personal information was described as “disturbing,” and not helped by the Government’s apparent indifference to the issue.
The peers were critical of the Government’s policy of making the individual end-user responsible for security. This was particularly so when the costs and dangers of the internet were poorly appreciated by the general public. The current Government position was described as “inefficient and unrealistic.” The Committee chairman, Lord Broers, stated “You can’t just rely on individuals to take responsibility for their own security. They will always be outfoxed by the bad guys.”
The House of Lords Committee’s recommendations included:
- The removal of the ‘Mere Conduit’ immunity (a defence for network operators against liability for the consequences of traffic delivered via their network) once an ISP has detected or been notified of the fact that machines on a network are sending out SPAM or infected code.
- That the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. It is recommended that liability should be imposed on software and hardware manufacturers where negligence can be demonstrated.
- That the Government take steps to raise the level of understanding of the internet and e-crime across the court system.
- A “data security breach notification law” to be introduced to include workable definitions of data security breaches and a mandatory and uniform central reporting system.
- An increase in the resources and security available to the police and criminal justice system to catch and prosecute e-criminals.
- The development of a BSI approved kite mark for secure internet services and social networking sites, such as Facebook.
Although the Committee’s report highlights significant issues which need to be addressed, it remains unclear how realistic some of the recommendations are. It would seem overly burdensome to compel the IT industry to protect the general public from viruses or malicious code (malware) and to face liability where increasingly more sophisticated malware does get through.
Holding software and hardware manufacturers liable for negligence could prove difficult in practice. Issues regarding how a user’s system was configured and maintained may present defence arguments to such claims, where the individual security requirements of the user were not reviewed in detail. The adoption of a proposal to hold ‘off-the-shelf’ software and hardware manufacturers more accountable may lead to the revision of exclusion and limitation provisions in IT supply contracts. Of course, such contracts would still need to comply with the Unfair Contract Terms Act and related legislation.
The recommendation to require businesses to report data security breaches to affected customers is a sensible step but a “mandatory and uniform central reporting system” will require the introduction of a workable system which is not overly cumbersome for small on-line traders.
Undoubtedly internet e-criminals are becoming more sophisticated and given the ever increasing dependency on the internet, the Committee’s recommendations are welcome if workable solutions to implement the recommendations can be developed. It remains to be seen whether the Government will act on many of the recommendations, which will involve significant investment.