Tuesday, July 08, 2008

Lords follow-up report on Personal Internet Security

The House of Lords Science and Technology Committee has published a follow-up report on Personal Internet Security, after their original report last August was rejected by the government. As they note, with the hindsight of the HMRC data disaster, these recommendations are more important than ever:

We acknowledge that, following the Government's disappointing response to our Report, they have reflected further and, with regard to some of the issues we raised, there has been some progress towards meeting our concerns. What progress there is, however, appears to be slow. Given this, we particularly welcome Mr Coaker's offer to keep the Committee informed, every two months, of what is happening (Q 50). We accept this offer and look forward to the Minister's first report in July. We anticipate that we shall be returning to this topic on a regular basis.

Their new report contains specific comments on consumer protection against e-crime; software vendor liability; personal data protection and breach notification; fraud and e-crime reporting and classification; funding for a central police e-crime unit; and international co-operation. It is short and to the point, and well worth a read.

4 comments:

Ben Wright said...

Ian: In the States we've been debating what constitutes a real breach of security and what does not. I argue it is irresponsible for law and legal practice to bury consumers with an excessive number of data breach notices. What do you think? --Ben http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html

Rizwan said...

I agree, consumers should not be part of any notices; the reason for this is that the liability for a breach of security is on the company offering online services. Taking consent from the consumer during onsite validation of a transaction with regard to any breach is a direct attack on consumer rights. A security breach is a blunder of the company, not of consumers, whereas they should shop with ease as they do in the local markets.

Ian Brown said...

Thanks Ben. I would argue that this is a side issue because corporations should be taking the level of care necessary (minimising the storage of sensitive data, encrypting what they do store, etc.) to largely avoid the issue in the first place. See more in a recent white paper of mine on privacy engineering.

Internet Security said...

The questions surrounding software vendor liability deserve a wider debate. Here I agree with the report. As it also suggests, this should be done at the European or international level.

Yet, shouldn't open source be taken seriously in the current situation? Who is even liable in these settings? If I, together with a small academic community, write a new product with a nasty stack overflow in it, will we be liable, and to whom? Or will these so-called "vendors" take the burden? Vendors that possibly have no commercial assets?