Lords renew calls for security laws

08 Jul 2008


The House of Lords today launched the official follow-up to its report on personal internet security published last year, renewing calls for a data breach notification law, new legislation to hold banks liable for online fraud and a change to current fraud reporting rules.

The House of Lords Science and Technology Committee stated in the new document that although "there has been some progress towards meeting our concerns", the government has still failed to introduce measures such as legislation to compel organisations to disclose any data breach incidents.

"We need to set the correct level by which [the victims] can be informed about a breach," said Lord Broers, a member of the committee. "Arguing that it's not that effective and that people become numbed by all the disclosures is a completely inadequate reason not to do this."

Richard Turner, chief executive of content security vendor Clearswift, said that firms which clearly communicate to their customers what information they gather and store, and what will happen in the event of a breach, could use it as a competitive differentiator.

"Without this legislation there won't be the constant driver for the responsible and safe management and collection of information," he added. "As a custodian of someone's information, business or personal … you have an absolute obligation to tell that person as soon as you find out."

Vin Bange, data privacy expert and associate at law firm Eversheds, argued that although there is "already a robust framework" in terms of data protection in the UK, there is no legal obligation on organisations to tell the data subject if there has been a breach.

He added that "the detail will be the biggest point of debate" in any proposed data breach notification law; specifically what balance is given between volume of data lost and its impact on the data subject when setting the minimum level for breach disclosure.

The committee also reiterated calls for banks to be held legally responsible for losses incurred by online fraud, arguing current Banking Code rules are not sufficient.

"We have significant concerns about the way in which complaints of online banking fraud are currently handled and, in particular, the basis on which the banks determine that an alleged fraud is to be attributed to the customer, whether by fraudulent or negligent activity," said the report.

The follow-up report highlighted fraud reporting as another area in which the government has done little to address the current situation, where fraud victims must report to their banks in the first instance, rather than the police.

"We were concerned about reporting fraud in this sequence on the ground that the decision of the banks to pass a report to the police might be influenced by commercial factors," said the report.

In related news, web security vendor Trend Micro has released new research suggesting that data leaks are becoming one of the top security concerns for corporates.

The firm surveyed 1,600 corporate end users in the US, UK, Germany and Japan and found that loss of company data and information was ranked as the second most serious threat, more important than spam, spyware and other threats.

However, only 46 per cent of those companies surveyed said they had a policy to prevent data leaks.

Reader comments

Significant investment already being made

Significant investment has already been made by the sector over the past few years in combating fraud. Real-time card fraud detection using advanced analytics; biometrics; Chip and PIN, security dongles and random generated passwords are just some of the methodologies deployed to protect customers. Behind them sit complex, sophisticated analytics and modelling engines, constantly evolving encryption engines and an entire industry dedicated to protecting the customer.

On the other side of the fence sit the fraudsters: teams of highly intelligent computer experts, who are trying to keep pace with the developing technology. But there is a third element in this - the actual customer themselves.

We have all experienced phishing attacks. Ah yes, one thinks as one opens the mail, I bank with you, therefore I will gladly share my personal details, PIN number, date of birth and mother's maiden name with you. How many times have banks stated that neither they nor their employees would seek anything as personal as a PIN number? Why should the banks always be made culpable when sometimes the actual issue may be the consumer themselves? I understand that this is not necessarily always the case, but on some occasions, the naivety of the individual customer should come into question.

Posted by: Mark Elkins, Financial Services Manager, SAS UK, 09 Jul 2008

Too many notices?

If data breach notice legislation is adopted, it is important to distinguish a serious breach from a trivial one. It is irresponsible for law and legal practice to bury consumers with an excessive number of breach notices.

http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html

Posted by: Benjamin Wright, 08 Jul 2008
