Overview

5.1.  Our focus in this inquiry has been on individual Internet users. However, once individuals have made personal information available online, whether by sending an email, or using a search engine, or opening an online bank account, they no longer have direct control over the uses to which that information is put. So, before looking at the individual, we examine the steps that businesses and other organisations processing or storing personal information in electronic form can take to improve personal Internet security.

5.2.  Myriad businesses and other organisations operate online. For many the Internet is a cheap and efficient alternative to more traditional ways of doing business. The banks, for instance, make savings in staff and branches, and can afford to offer online customers better interest rates. Dedicated online traders, such as Amazon, have profoundly changed the way people shop, allowing them to search for items and compare prices more or less instantaneously. Trading sites such as eBay are still more fundamentally dependent on the Internet, relying on features such as member feedback that would not be possible in a conventional forum.

5.3.  What all these businesses have in common, along with other organisations with an online presence, such as government agencies, is that they hold personal information that individual users have disclosed to them. This information may be confidential, such as account details and passwords, or it may be more directly and personally sensitive, such as health records. In either case, its loss would expose the individual to the risk of serious harm, whether financial or personal.

5.4.  It would therefore seem to be incumbent on businesses operating online to protect their customers' security and safety by ensuring that the information they hold is not lost. But as the Foundation for Information Policy Research noted, "Security failures are often due to misplaced incentives; when the people guarding a system are not the people who suffer when it fails, then one may expect less than the socially optimum level of diligence" (p 209). There is currently no direct commercial incentive for businesses to make the security of private individuals a high priority, given that it is those individuals who typically bear the losses resulting from security breaches.

5.5.  Nor is the legal regime within which businesses operate online particularly onerous. The statutory framework for protection of personal information online is found in the Data Protection Act 1998, in particular in the seventh "data protection principle" in Schedule 1 of that Act. This provides that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Enforcement of breaches of the Act is the responsibility of the Information Commissioner.

5.6.  The provisions of the Data Protection Act are supplemented by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which implemented the ePrivacy Directive.[17] The Regulations cover a range of issues such as calling line identification, billing and other services provided by ISPs; but for the purposes of this chapter the key areas are unsolicited communications and email "spam".

5.7.  Our key questions, therefore, have been:

• What security standards are or should be observed by businesses and other organisations operating online?
• Are additional incentives needed, and if so of what kind, to raise standards?
• Does the enforcement regime provide a strong enough deterrent to those who fail to observe adequate security standards?

Security standards

5.8.  The Internet offers business a huge and fast-changing market-place. One consequence is that no accurate data exist on the level of losses suffered by individuals buying and selling online. There is no uniformity of reporting, and published figures are correspondingly unreliable. There is, for example, no precise break-down of the proportion of online fraud perpetrated by means of phishing, card-not-present fraud, and so on. Colin Whittaker of APACS estimated that "phishing accounts for anywhere between 25 and 50 percent of the attacks that we see that cause losses on customer accounts" (Q 90). An estimate as imprecise as this contributes little to our understanding of what is happening.

5.9.  Nor are data available on the numbers of attacks on particular banks or businesses. APACS refused to divulge any data on the numbers of attacks on banks, Mr Whittaker merely insisting that "there is no evidence that one bank is any worse or any better off than any others" (Q 96). Where there are public reporting systems, such as the FBI-run IC3 website in the United States, the vagaries of reporting still make it difficult to read much into the data. Thus we were told at the Federal Trade Commission in Washington that some 63 percent of online frauds reported to IC3 concerned online auctions[18]. It was only when we visited eBay in Silicon Valley that we were able to put this startling figure into perspective: not only are eBay and its subsidiary PayPal, in the words of Matthew Pemble, "the primary targets worldwide for phishing" (Q 108), but they also, unusually, report all frauds to the website and encourage customers to do the same.

5.10.  The key point about phishing is that it works by means of social engineering—victims are persuaded to go to a fraudulent site, on which they themselves enter their account details and other personal information. No malware needs to be involved, and standard technical measures such as anti-virus software are of no use. Phishing, and the social engineering techniques employed by criminals, become more subtle all the time, and a certain proportion of individuals will always be fooled. As we were told at eBay, some victims simply do not learn from their mistakes, but will give out account details to phishers time after time.

5.11.  It follows that action by the companies whose customers are targeted and whose websites are spoofed by the phishers is essential to limit the threat to e-commerce. A key measure is the rapid closing down of phishing sites. Card operator Visa, for instance, told us that it maintained "a dedicated resource … for investigating the phishing emails and contacting the host to get sites shut down" (p 35). This proactive approach is of course welcome, but Visa is the target of only a small proportion of phishing emails. Nor is the process of getting hosts to close down phishing sites straightforward, given that these hosts may be based anywhere in the world. As the European Information Society Group (EURIM) noted:

"There is a need to bring the current proliferation of fragmented local and national reporting operations together into international reporting networks that cross public-private boundaries and to collate and route information to those who are in a position to take action" (p 369).

5.12.  Simple administrative measures could also help. For instance, the success of phishing emails is undoubtedly boosted by the fact that banks continue to email customers. Sandra Quinn of APACS made much of the fact that "we have made some very clear messages, such as your bank will never ask you to access your website through a link in an email" (Q 134). Thus to take an example at random, the page of the Lloyds TSB website offering advice on phishing states, "While we may email you from time to time, we will never send you emails asking for your Internet banking or telephone banking information either through an email or a website."[19] But while this seems clear, the fact that emails are sent at all leaves an opening for the phishers—once the possibility that banks will contact their customers by email is admitted, the social engineering skills of the "bad guys" will do the rest.

5.13.  Thus the demands of marketing and those of security appear to be in direct conflict. As Philip Robinson of the Financial Services Authority asked, "if there are very large numbers of marketing material hitting your inbox … how do you determine which are real and which are not when they all often look the same?" (Q 179). In the present circumstances, we do not believe it is appropriate that banks should send unsolicited emails to customers under any circumstances.

5.14.  Technical measures might also reduce the impact of phishing. A fundamental element of online transactions is that banks and merchants have to establish that the customer purporting to use their services is who he or she claims to be. At present they typically rely on what might be called "shared secrets"—information known to customer and, say, bank, but no-one else. Such secrets include passwords, or questions and answers (for instance, mother's maiden name or first primary school). All these secrets are lost if the individual can be persuaded to log onto the phishing site. Thus the system of shared secrets is, as Nicholas Bohm commented, "inherently weak" (Q 352). Its weakness has contributed, particularly since the introduction of "chip and pin", to a huge increase in the prevalence of "card not present" fraud.

5.15.  One way to combat this weakness would be to introduce a system whereby websites operated by banks or other businesses offering financial services authenticated themselves to customers, rather than simply requiring customers to authenticate themselves by entering account information, card details and passwords. In the field of online shopping, Visa's new "Verified by Visa" system introduces a personalised security page (which they told us could not be spoofed by a phishing website) before requesting passwords (see Q 103).

5.16.  Similar systems could be introduced by banks, but at present there is no uniformity across the sector. Although such a system is employed by Alliance and Leicester, Colin Whittaker's comment was that "That was their response to their cost-benefit investment decisions for their requirements for their customers. Over time individual institutions will make their own decisions and those decisions will evolve as and when the cost-benefit case changes over time" (Q 115). In other words, the market will deliver.

5.17.  Another solution that has been proposed is "two factor authentication". This means, as Robert Littas of Visa put it, that the bank or merchant asks for "something you have and something you know" (Q 113). In other words, not only are "shared secrets" requested, but the customer is required to demonstrate they are in possession of something (typically a token or key fob generating a random series of six-digit numbers). This offers a degree of protection, particularly against phishing—as Paul Wood of MessageLabs noted, phishing increasingly "targets banks and organisations which do not deploy … 'two factor authentication'" (Q 461).

5.18.  However, two factor authentication also has its limits. The first is practical. Individuals are already overburdened by the need to remember a range of pin numbers and passwords, to such an extent that they have little choice but to write them down, so negating their very purpose. It is unlikely that they would welcome having to keep safe, and, potentially, carry around a similar number of key fobs.

5.19.  There are also technical limitations. For instance, two factor authentication is still susceptible to "man in the middle" attacks, where the attacker places himself between the consumer and the bank. In addition, the emergence of new types of "Trojan horse" could undermine its usefulness. We have already described the threat posed by keyloggers, malware installed by means of Trojans, which allow criminals to monitor and record keystrokes (and even mouse movements). While two factor authentication might appear to offer a degree of protection, Paul Wood noted that the more sophisticated malware now being installed by Trojans means that "the Trojan will potentially take over your browser session after you have completed the authentication" (Q 461). In other words, the Trojan remains dormant and invisible until the victim has logged onto a (legitimate) site, for instance to check his bank account. The Trojan then allows the criminal to take control of the web browser remotely, emptying the bank account.

5.20.  This is a relatively new development, albeit one witnessing what Mr Wood called "increasing activity". It is difficult to see what businesses using the Internet, such as banks, can do to counter it. Their most promising defence will be in monitoring transactions and detecting suspicious activity patterns. However, the conclusion of MessageLabs (albeit one in their own commercial interest), was that the threat could only be countered by "Internet-level filtering" (Q 464), screening out the Trojans before they reached end-users.

5.21.  Notwithstanding what we have just said about Trojans, there are many simple steps that businesses using the Internet could take to improve security for their customers. Security measures have to be proportionate to the risk, and need not be over-complicated or burdensome. Furthermore, online security must be seen within the context of general security. As Bruce Schneier commented, "I have a computer at home that has no password, because I consider it is in the secure perimeter of my home. It is different from a laptop computer, which is right now in my hotel room. There is a very different set of security assumptions going on there" (Q 555).

5.22.  Some of the major security lapses of recent times have come about not because of the actions of online criminals, but because of simple carelessness, such as the loss of laptops. In the case of the laptop lost by Nationwide Building Society in 2006 not only were the data of 11 million customers stored on the laptop in unencrypted form, but, according to the judgment delivered by the Financial Services Authority (FSA) in February 2007, when the laptop was stolen Nationwide was unaware what data it contained and took no action for three weeks.[20]

Incentives

5.23.  If businesses and financial institutions are to take the sorts of measures outlined above, if the market is to deliver, they will need to show commitment at the highest level. This leads us to the question of incentives.

5.24.  Are the banks in particular sufficiently committed to the security of customers to invest in appropriate technical and other measures to protect them? The response from APACS, the trade association representing the payments industry, was discouraging. In Colin Whittaker's words, "it is not so much that the banks themselves or the banks' systems are insecure because those banks are not being attacked; it is their customers that are being attacked unfortunately" (Q 120). This demonstrates extraordinary complacency. The banks make profits because they are deemed to be a safe repository for their customers' money, and inevitably that money, not the banks' own, is the target of criminals. APACS might as reasonably claim that a bank which left its doors open and dispensed with safes was not insecure because "it is their customers that are being attacked".

5.25.  Incentives are needed to overcome this complacency. They are currently lacking, because the banks in particular are able to offload risks onto customers and merchants. The legal background was helpfully explained to us by Nicholas Bohm. He drew attention first to the common law principle that "if someone seeks to hold me to a bargain which he says I made and I say I did not make it, it was someone pretending to be me, he has to prove it was me in order to prove his case and if he cannot prove it was me then he stands the resulting loss". This principle has been buttressed by statute law in certain areas—for example, the Bills of Exchange Act 1882 specified that if a bank honoured a forged cheque the bank, not the customer upon whose account the cheque was drawn, would be liable (Q 352).

5.26.  No such statutory codification has been applied to the world of online banking. Instead, customers must fall back on the common law principle, which Nicholas Bohm interpreted in this context as signifying that "those who deploy security systems for the purpose of checking that the customer is the one making the transaction are the ones who should stand the risk of it failing". Mr Bohm concluded that he "would like to see the banking system Ombudsman, the Office of Fair Trading and anybody else concerned with unfair contract terms encouraged to take a robust line" (Q 352). However, in practice this has yet to happen, and the banks do not formally accept liability for losses incurred when customers are impersonated by criminals who have stolen account details. At present the banks generally meet such losses, but they are under no obligation to do so, and as losses rise, the temptation for the banks to disclaim liability will grow.

5.27.  When these points were put to the Minister, Margaret Hodge MP, her response was as follows: "There will be some circumstances where we could put in primary legislation and there could be other circumstances where it is consumer behaviour rather than the banks which is at fault … and it is difficult to get those parameters right. What … we are trying to do all the time, is to try and improve the abuse of fraud by authentication schemes and working with the banks in that regard. We can go with the heavy hand of the law rather than the more self-regulatory route down which we are tending to travel and it is a matter of judgment for this Committee which it thinks is more appropriate" (Q 864).

5.28.  The Minister's comments are deeply disappointing. There is a time to rely on the invisible hand of the market, and a time to give out signals to the market that, in order to offer proper protection to consumers, it should move in a particular direction. As Bruce Schneier commented, "I do not think that 'difficult' is a reason not to try" (Q 539). In marked contrast to the position in the United Kingdom, in the United States Regulation E of the Federal Reserve Board makes banks liable for all but the first $50 of any loss incurred as a result of an unauthorised electronic fund transfer, as long as the victim notifies the bank in timely fashion. Naturally, in the case of first party fraud—when a customer disavows a transaction dishonestly—the bank can recover its money and prosecute through the courts.

5.29.  However, bringing online banking into line with the rules applying to forged cheques would affect only one part of the business world. A more fundamental change, raising the profile of online security across the board, is required. A key issue is the fact that businesses are not currently required to report or publicise security breaches. The problems this creates were described in scathing terms by the FIPR:

"A company whose systems have been compromised has every incentive to keep quiet about it, and will probably receive legal advice against notifying affected individuals … Thus security breaches affecting the individual are typically detected when the individual complains of fraud. Such complaints are often met with hostility or denial by financial institutions, or with a demand that the customer explain how the dispute might have arisen" (p 210).

5.30.  The state of affairs described by the FIPR is self-defeating. For instance, in 2005-06 hackers, exploiting vulnerabilities in WiFi systems, stole the details of over 45 million payment cards from retailer TKMaxx. Although the company disclosed this massive security breach, it was, under United Kingdom law, under no obligation so to do—and no doubt many smaller but otherwise comparable breaches have gone unreported. Still less was the company obliged to take steps to inform the individual customers concerned. These customers, if informed of the breach, might have been persuaded to examine credit card and bank statements more closely, so identifying minor frauds or thefts they would otherwise have missed. Moreover, the fact of disclosure would have given them evidence to support a prime facie case that they had been victims of fraud.

5.31.  Thus the absence of a duty of disclosure reduces the likelihood that customers will identify, complain of and provide proof of fraud; it also, since such complaints are in turn the most likely means of prompting disclosure, leads to a vicious circle of under-reporting. As the FIPR concluded, the absence of a duty of disclosure is a key reason why "we have no really dependable statistics" regarding the incidence of online fraud. A unified, centralised reporting system for security breaches would be a key element of any legislation, which would yield huge benefits for researchers in the field.

5.32.  The position in the United States stands in marked contrast to that in the United Kingdom. While there are no federal data security breach laws currently in place, state laws, introduced first in California, now apply in 35 states. When we visited the Federal Trade Commission, officials were emphatic that these laws had had a marked impact, driving numerous investigations, and leading in the Choicepoint case to the company paying $10 million in civil penalties for security breaches and $5 million in redress to customers. Both the prospect of tough penalties, and, more importantly, the prospects of public embarrassment and loss of share value, provide strong incentives to companies to prioritise data security at the highest level.

5.33.  Moreover, when we visited the FBI in California, we were told of another beneficial side-effect of security breach notification laws. Whereas in the past companies would often conceal attacks on their systems so as not to damage their reputation, now, since individuals had to be informed anyway, they were far more willing to report such events to law enforcement.

5.34.  In contrast, in this country, despite the principles embodied in the Data Protection Act 1998, there is no practical incentive for those holding customer data to take steps to protect it—other than in the exceptional circumstances that they are already subject to an enforcement notice from the ICO, and are thus at risk of prosecution and a £5,000 fine. Phil Jones, of the ICO, put the prevailing situation in a nutshell: "however irresponsibly the data controller behaves he does not commit an offence" (Q 366).

5.35.  The laws pertaining in the United States are far from perfect—and the diversity across the states is a significant handicap. As Dr Chris Hoofnagle, a lawyer working at the CITRIS research institute, told us, different definitions of what constituted a security breach, and differences in requirements as far as demonstrating potential harm, and in reporting requirements, to some extent undermined their effectiveness, as well as the reliability of the data generated. There were also specific problems with letters that did not make it clear what steps individuals might take when their data had been stolen—indeed, in some cases notification and advice were so buried in advertising that recipients might well miss them altogether. A federal law is currently under consideration, which aims to correct these inconsistencies and deficiencies.

5.36.  In addition, Bruce Schneier suggested to us that while the laws had done "a lot of good", they might also have "outlived their usefulness". The key to the value of data security breach notification, in his view, was the "public shaming" of offenders. But this relied on publicity, and the publicity was attenuated over time—"it is no longer news when someone's innovation is stolen. It happens too often". A related risk was that individuals would be overwhelmed by breach notifications, and, lacking the information to enable them to assess the actual risks, would quickly lose interest. Nevertheless, he concluded that "I think that it should still be done, because forcing companies to go public with the information is very valuable—to researchers, to policymakers" (Q 547).

5.37.  The position of the Government was lukewarm. Margaret Hodge described security breach notification as "an enticing bit of legislation", but then focused on "the difficulty of framing that intent in a practical way because you would have to decide what breaches would you report precisely, what is the trigger for a report, those sorts of issues, and you do not want to end up in a situation where people either become really blasé about it because they get so many reports of breaches or they become so scared that they do not take advantage of the new information communication technology … The devil is in the detail" (Q 849).

5.38.  We fully acknowledge the Minister's points—it is essential, in particular, that any obligation to disclose security breaches should set a sensible threshold in terms of the potential risk to those affected. For instance, if a laptop is lost, but the data are securely encrypted, or if the laptop was contained in the boot of a car that has driven off a bridge into a deep river, the risk of data breach may be minimal. The detail must be got right. But we believe that the United Kingdom is now ideally placed to learn from the successes and failures of the many state laws in force in the United States and get this detail right, establishing a workable and effective legislative framework.

5.39.  However, we find it alarming that the Minister appeared to regard with equanimity a situation in which security breaches were so common that if companies were to be obliged to inform individuals of security breaches affecting their personal data, these individuals would respond either with bored indifference or fear. In the Foreword to his latest Annual Report, the Information Commissioner noted that "The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying"[21]. The evidence heard in this inquiry fully bears out this description. The sheer volume of breaches must not be used as an excuse for inaction.

5.40.  Mrs Hodge also drew attention to proposals emerging from the European Commission on data breach notification in the context of its new Regulatory Framework for Electronic Communications. However, as the title of this initiative implies, the Commission's proposals would place requirements solely on companies in the communications sector. They would thus omit the many businesses in banking and financial services, retailing and elsewhere, that hold confidential personal data.

5.41.  The reason for this limitation appears to be bureaucratic rather than reasoned. As Achim Klabunde, of the Directorate General Information Society, said when asked why the proposals were limited to the communications sector, companies in other sectors, such as payment services, were outside his "organisational competence" (Q 910). In other words, DG Information Society has no authority to initiate proposals covering, for instance, the payment services industry. This is an inescapable fact, and inevitably means that the laws currently proposed in Brussels will have little impact in raising the incentives for business to take the necessary steps to protect personal Internet security.

The enforcement regime

5.42.  We have outlined above the role of the Information Commissioner's Office (ICO) in enforcing the statutory provisions that protect the security of personal data online. In a previous chapter we have also outlined the very limited remit of the communications industry regulator, Ofcom, with regard to Internet Service Providers.

5.43.  An extra layer of regulation is provided by the Financial Services Authority (FSA), which regulates the banks and the rest of the financial services sector. Its task, set out in the Financial Services and Markets Act 2000, is to ensure that regulated companies in the sector meet the "threshold conditions" set out in Schedule 6 of the Act: in the words of the FSA, this includes "assessing whether their systems and controls are adequate to prevent them being used for purposes connected with financial crime, including fraud; it also includes the adequacy of their information security measures" (p 54).

5.44.  In the field of Internet trading, the Office of Fair Trading (OFT) has a general responsibility to regulate the advertising industry. Spam, insofar as it contains misleading advertising, falls under the remit of the OFT, which also co-ordinates international action on spam through the London Action Plan. However, Mike Haley of the OFT conceded that the enforcement mechanisms were too clumsy to deal with the fast-moving and globalised market for spam:

"Our powers are still based on the offline world of knowing where a trader is, being able to go and speak to him, have premises inspected and then take action appropriately. If we know a spamming campaign is coming over the weekend … we have to go and apply for a court order and the spam would have been sent out to millions of people before we had even had a chance to move. So I think there is a need to look at not just the international infrastructure but also for adequate powers and sanctions to apply in a fast-moving environment" (Q 429).

5.45.  Finally, enforcement with regard to specific online scams is the responsibility of Local Trading Standards Services (LTSS). A recent OFT report acknowledges that the priority afforded to online frauds is variable; that no specific requirements relating to the Internet are contained within the National Performance Framework for LTSS; and that enforcement was generally "reactive to complaints".[22]

5.46.  There are thus many divisions of responsibility and apparent overlaps. On there one hand there is, as the Minister Margaret Hodge MP told us, a "crude division of labour" between Ofcom and the ICO: "Ofcom regulates the industry—it is a bit too crude to put it like this, but I will say it anyway—and the Information Commissioner will look after the interests of the individual" (Q 865). On the other hand, while the ICO has a general duty to enforce the data protection principles, including the seventh principle, that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data", in the vital financial services sector the FSA also has responsibility for assessing such systems and controls.

5.47.  What this complicated division of responsibility between regulatory and enforcement bodies demonstrates is that the online world, as a medium that offers a constantly expanding range of uses to business, has no dedicated regulator. Instead, discrete areas of activity, such as advertising or banking, are regulated, with the divisions of responsibility between regulators being modelled on the offline world.

5.48.  The only enforcement agency with a general responsibility for personal Internet security, insofar as it relates to the security of personal data, is the ICO. However, of all the regulatory authorities, the ICO's enforcement powers appear currently to be the weakest. As Phil Jones of the ICO told us, "what we do have is the power to issue a formal enforcement notice, which puts an organisation on notice to amend their practices. If they are actually in breach of the notice, at that stage it is a criminal offence but not before" (Q 365).

5.49.  As a result, when the ICO found in March 2007 that 11 banks and other financial institutions had breached data protection principles by discarding personal information in waste bins, it was able only to require the companies "to sign a formal undertaking to comply with the Principles of the Data Protection Act." Further breaches "could result in prosecution"—with the maximum fine on summary conviction currently standing at just £5,000.[23] In summary, the Society for Computers and Law (SCL) concluded that the seventh data protection principle was "not rigorously enforced" (p 128).

5.50.  In marked contrast, in February 2007, following the 2006 loss of a laptop containing confidential customer information (already referred to above, paragraph 5.22), the FSA fined the Nationwide Building Society £980,000 for "failing to have effective systems and controls to manage its information security risks".[24]

5.51.  In late 2006 the Department for Constitutional Affairs (now the Ministry for Justice) launched a consultation on increasing the maximum penalty available to the courts for wilful misuse of personal data to six months' imprisonment.[25] The Home Office Minister, Vernon Coaker MP, confirmed that following this consultation "the Government is now looking at is a vehicle to actually look at increasing some of the penalties available for the misuse of data" (Q 876).

5.52.  However, the 2006 consultation does not contain any proposals to change the cumbersome enforcement regime, including the requirement that offenders first sign undertakings to comply with the Data Protection Principles with legal action only possible if further breaches occur. Mrs Hodge told us that "the advice to us from the Information Commissioner is that speed is more important to him. At the moment the investigations just take too long and I think if he would prioritise any issue he would go for speed more than fine levels" (Q 878). However, we are not aware of any measures planned which might meet the concern of the SCL, that "the resources made available to the [ICO] continue to be inadequate" (p 128).

Conclusions and Recommendations

5.53.  The steps currently being taken by many businesses trading over the Internet to protect their customer's personal information are inadequate. The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at Government level. Governments and legislators are not in position to prescribe the security precautions that should be taken; however, they do have a responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect personal data.

5.54.  We therefore recommend that the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held liable for losses incurred as a result of electronic fraud.

5.55.  We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.

5.56.  We recommend that a data security breach notification law should incorporate the following key elements:

• Workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost, and criteria for the accessibility of that data;
• A mandatory and uniform central reporting system;
• Clear rules on form and content of notification letters, which must state clearly the nature of the breach and provide advice on the steps that individuals should take to deal with it.

18   This fell to 44.9 percent in 2006. Back

19   See http://www.lloydstsb.com/security/phishing.asp.  Back

20   See http://www.fsa.gov.uk/pubs/final/nbs.pdf.  Back

21   Information Commissioner's Office, Annual Report 2006/07, 10 July 2007 (HC646), p 7. Back

22   See Internet Shopping: an OFT Market Study, June 2007, p 101: http://www.oft.gov.uk/shared_oft/reports/consumer_protection/oft921.pdf. Back

23   ICO press release: http://www.ico.gov.uk/upload/documents/pressreleases/2007/banks_in_unacceptable_data_protection_breach.pdf.  Back

24   FSA press release: http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml.  Back

25   See http://www.dca.gov.uk/consult/misuse_data/consultation0906.pdf.  Back