Government Technology

Ensuring data security online
Carrie Hartnell from Intellect reflects on key points contained in the House of Lords report on personal internet security

In August this year the House of Lords Science and Technology Committee published a report detailing the results of their inquiry into personal internet security. The report raises many important issues and rightly gained much media attention. Throughout, the report calls for greater collaboration and agreement across government and industry. As a guiding principle, this is highly laudable and we would support the development of a centralised unit to examine and establish methods of handling reported e-crime.
    
The report covered several points; in this article I will look at the two that I feel would have the greatest impact on the technology industry: data breach notification and liability.

Data breach notification
Looking at the detail of the report, one of its more specific recommendations is that the government should pass a law requiring organisations to notify all affected parties in the event of a loss of confidential data. Intellect is already working with stakeholders to investigate the implications of a data breach notification law and what role it could play. At present we do not believe it will be sufficient by itself, and it is not as simple a concept as it may sound.
    
Most consumers and businesses are not in the habit of treating personal information as an asset but they should be. Data breach notification could be one way of helping to achieve this. The goal of such a law should be to make companies change their behaviour towards the use of customers’ data – in short to make them act more responsibly than they do at present.
    
Another important consideration with data breach notification, or indeed any legislation in this area, is that a new law should not raise the cost of doing business for everyone as this is unfair to those organisations already behaving ethically.
    
Data breach notification should form part of a wider range of measures. For example a British Standards Institute kite mark for complying with different levels of the Information Commissioner’s forthcoming Best Practice framework could be implemented. Or, like the Basel II capital requirement, an insurance requirement based on the amount of personally identifiable information used by an organisation could be enforced.
    
Data security is an area of great importance to us and to the companies we represent. We support the discussions around data breach notification and have recently held a roundtable discussion on this topic with representatives from the House of Lords, the Information Commissioner’s Office, the Metropolitan Police, legal firms and IT vendors. As part of our ongoing work we have also set up a new working group to look specifically at this issue.

Liability for security breaches
The House of Lords report also focused on liability for security breaches. Intellect believes that while a solid security principle needs to be at the heart of all products, the committee’s recommendation to place sole liability for security breaches on technology companies is unworkable.
    
Such a development would have far-reaching implications, in particular for many smaller software companies, who would be discouraged from innovating in case they were held responsible for a security breach. This in turn could lead to the UK losing competitive advantage and a reduction in the number of British companies working in this growing market. Intellect and its members agree there need to be standards that vendors look to work towards, but these need to be globally recognised rather than varying from country to country.
    
In reality we all need to share the responsibility for internet security. While software vendors must take appropriate steps to ensure their software is secure, their customers need to take their own steps to protect their businesses and private information. For example, when patches become available for their security software, these should be installed.
    
Without simple precautions like that, users cannot reasonably expect the IT sector to bear the consequences. Other sectors are not subject to such liability: we do not buy a car and then expect the manufacturer to pay up when it gets broken into.
    
Similarly, in non-technology companies, responsibility for security breaches should not be placed at the door of the CIO alone. When a breach occurs, it is not a question of the IT director being responsible but all the company directors. Another reason for not putting criminal liability on the CIO is that companies must deal with the loss of low-tech as well as high-tech data. We support the Information Commissioner’s view that it is not just the corporate world that should be held accountable - consumers need to think before they act.
    
The greatest benefit will only be achieved if there is co-operation between all those involved, from the Government, through the Internet Service Providers, to organisations providing services to customers over the Internet. Education is going to play a major role in this co-operation and we see a strong case for successful initiatives like Get Safe Online being extended to a wider audience.

Beyond the internet
The Lords report focused on security of data over the internet, but the issue is wider than that. Companies that hold data on customers must make sure their data processes are secure, and that all handling and disposal is done securely and efficiently. As this is an issue of customer trust and confidence, security incidents, however few there are, only add to individuals' growing fear for their identity. Eliminating those breaches of security means having staff trained properly in the handling of data, whatever the medium.

Intellect agrees that there are standards of software that need to be met, but to expect vendors of software or hardware to hold sole responsibility for securing this information is unrealistic. Some responsibility must be taken by individuals to protect their businesses or their private information.
    
Most businesses and individuals still look at security in terms of processes, threats and products. In reality, security is a state of mind. We have to think differently and adopt this state of mind. There is a spectrum of measures that can be taken to help create this state of mind, from best practice to enforcement, but legislation that is unworkable or unfair to software companies will not necessarily improve data security. Instead it is more likely to stifle innovation and economic growth. We need to find a balance for the good of everyone.

Carrie Hartnell is transformational business programme manager at technology trade association Intellect. The trade association for the UK technology industry provides a collective voice for its members and drives connections with government and business to create a commercial environment in which they can thrive. Intellect represents over 800 companies ranging from SMEs to multinationals. As the central hub for this networked community, Intellect is able to draw upon a wealth of experience and expertise to ensure that its members are best placed to tackle challenges now and in the future.

For more information
For more information about Intellect’s work in the area of internet and security or about the new working group on data breach notification, please contact Carrie Hartnell, Intellect, on 020 7331 2000
Website: www.intellectuk.org

 
EMC -
ISV Group
OKI Print Optimizer
Hornbill Bite-Size ITIL
Sunrise Software
Call Centre Expo
World of Learning Conference and Exhibition
360 IT event
Firmstep
St Ives Group
Redstone Converged Solutions
Adapt-IT
AT Internet
Vodafone
Media Citizens
AQL
O-bit