House of Lords on Computer Security
The Science and Technology Committee of the UK House of Lords has issued a report (pdf here) on “Personal Internet Security.” It’s 121 pages long. Richard Clayton, who helped the committee, has a good summary of the report on his blog. Among other things, the Lords recommend various consumer notification standards, a data-breach disclosure law, and a liability regime for software.
Another summary lists:
- Increase the resources and skills available to the police and criminal justice system to catch and prosecute e-criminals.
- Establish a centralised and automated system, administered by law enforcement, for the reporting of e-crime.
- Provide incentives to banks and other companies trading online to improve data security by establishing a data security breach notification law.
- Improve standards of new software and hardware by moving towards legal liability for damage resulting from security flaws.
- Encourage Internet Service Providers to improve the customer security they offer by establishing a “kite mark” for internet services.
If that sounds like a lot of the things I’ve been saying for years, there’s a reason for that. Earlier this year, I testified before the committee (transcript here), where I recommended some of these things. (Sadly, I didn’t get to wear a powdered wig.)
This report is a long way from anything even closely resembling a law, but it’s a start. Clayton writes:
The Select Committee reports are the result of in-depth study of particular topics, by people who reached the top of their professions (who are therefore quick learners, even if they start by knowing little of the topic), and their careful reasoning and endorsement of convincing expert views carries considerable weight. The Government is obliged to formally respond, and there will, at some point, be a few hours of debate on the report in the House of Lords.
EDITED TO ADD (8/22): Good article here:
They agreed ‘wholeheartedly’ with security guru, and successful author, Bruce Schneier, that the activities of ‘legitimate researchers’ trying to ‘break things to learn to think like the bad guys’ should not be criminalized in forthcoming UK legislation, and they supported the pressing need for a data breach reporting law; in drafting such a law, the UK government could learn from lessons learnt in the US states that have such laws. Such a law should cover the banks, and other sectors, and not simply apply to “communication providers” — a proposal presently under consideration by the EU Commission, which the peers clearly believed would be ineffective in creating incentives to improve security across the board.