Data breaches misunderstood by gov't, say Lords

The government has failed to understand the threat to the continued growth of the internet posed by cyber crime, according to the influential House of Lords Science and Technology Committee.

Lord Erroll, a member of the committee, hit out at the government's reaction to the committee's report into personal internet security, saying the government had failed to react appropriately.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com.

He said: "Throughout our inquiry we tried to think outside the box, to look ahead 10 years at what the internet might be like, taking into account the emerging risks and challenges today. That's why our recommendations concentrated on incentives; we must ensure that everyone is motivated to improve security. Unfortunately, the government dismissed every recommendation out of hand, and their approach seems to solely consist of putting their head in the sand."

The government's reply to the committee's wide-ranging report on personal internet security, published on 10 August, was presented to parliament last week.

The Lords report had warned of the danger that public confidence in the web would crumble, due to "perception that the internet is a lawless 'Wild West'". However, in its reply, the government rejected "the suggestion that the public has lost confidence in the internet and that lawlessness is rife", saying there is "an acceptable level of comfort with the technology".

Part of the government's reply addressed the recommendation there should be a data-breach notification law to provide businesses with incentives to take better care of customer data. The government rejected this, saying there is no clear evidence that a law that forced companies to admit when they had been the victims of cyber crime would be effective.

The government response states: "We are... clearly not so convinced as the committee that [a data-breach notification law] would immediately lead to an improvement in performance by business in regard to protecting personal information, and we do not see that it would have any significant impact on other elements of personal internet safety."

But Erroll said the government has "missed the point" of having a data-breach notification law. Not only would this give businesses an incentive to better safeguard customer data, he said, but it would also provide law enforcement with accurate figures to judge the scale of the problem and react accordingly.

Erroll said: "One challenge to internet security is that there are no real figures on the scale of the problem, and such a law would provide those figures. Primarily, the law would tighten up company procedures but no one really knows the scale of the problem."

The government did say it would consider finding "more formal ways" of reporting security breaches to the Information Commissioner's Office (ICO) but only "when problems arise".

Erroll said this did not go far enough, as, by the time problems have arisen, is too late - especially given that the information commissioner has to be invited into an organisation that has suffered a security breach. The committee had wanted extra powers for the information commissioner to be able to audit systems before problems arose.

He added: "The information commissioner can only act after a breach or serious concern has been raised. If you've got to wait until the horse bolts before you put a lock on the stable door, it's too late. We'd like the information commissioner to be able to examine the stable doors."

The information commissioner is charged with upholding the Data Protection Act. Erroll said the committee thinks the government is reluctant to grant the information commissioner more powers to proactively audit systems because the government itself would then be subject to more ICO scrutiny.

The government also rejected calls for software and hardware vendors to be liable for the security of their products, and for banks to guarantee e-fraud refunds.

Tom Espiner writes for ZDNet UK