Lords push for wide-ranging security improvements

Recommendations include the introduction of data security breach notification law in the UK

A new report out today from the House of Lords Science and Technology Committee could lead to a major overhaul of current UK internet security practices, with recommendations ranging from the introduction of a central web-based e-crime reporting system to the introduction of security breach notification laws.

According to the report, the reporting tool would help law enforcement agencies gain an understanding of the computer crime landscape in the UK, and offer a central repository to collate reports and identify patterns.

The new system could be a welcome addition for businesses concerned about the current policing of internet attacks. Since the National Hi-Tech Crime Unit (NHTCU) was swallowed up into the UK’s crime-fighting organisation, the Serious Organised Crime Agency, firms wanting to report IT crime incidents were directed to their local police stations. A web-based system could be a useful tool for companies if it offered a confidential method of reporting attacks and a more direct link to police IT specialists, something previously provided by the NHTCU.

Another Lords recommendation was the introduction of data security breach notification legislation that would force firms to report incidents that impact customer privacy. Similar legislation is already in place across many US states.

"A data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security", advises the report. “We recommend that the government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.”

Greg Day, senior security analyst at McAfee, said a disclosure law would improve confidence in the long-term. “It increases pressure on businesses to stop those sorts of breaches from happening,” he added.

A more controversial aspect of the report is a call for IT vendors to be held liable for weaknesses in their products.

Day argued that it would be “very difficult” to hold vendors responsible for breaches. He added, “It comes down to how solutions are implemented. You would have to ask, ‘Did they have it configured correctly, updated and maintained?’”

Andy Kellet of analyst Butler Group agreed that the report takes too simplistic a view. “There is a need for a better understanding of how security works, how vendors build solutions and how they are implemented, " he argued.

Another sector that could be impacted by the report is the financial services industry. The Lords committee calls for a review of the current system that requires online fraud to be reported directly to banks. Instead, fraud victims “should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed”, the report argues. It also recommends the introduction of legislation that holds banks liable for losses as a result of online fraud.