Incentives
5.23. If businesses and financial institutions
are to take the sorts of measures outlined above, if the market
is to deliver, they will need to show commitment at the highest
level. This leads us to the question of incentives.
5.24. Are the banks in particular sufficiently
committed to the security of customers to invest in appropriate
technical and other measures to protect them? The response from
APACS, the trade association representing the payments industry,
was discouraging. In Colin Whittaker's words, "it is not
so much that the banks themselves or the banks' systems are insecure
because those banks are not being attacked; it is their customers
that are being attacked unfortunately" (Q 120). This
demonstrates extraordinary complacency. The banks make profits
because they are deemed to be a safe repository for their customers'
money, and inevitably that money, not the banks' own, is the target
of criminals. APACS might as reasonably claim that a bank which
left its doors open and dispensed with safes was not insecure
because "it is their customers that are being attacked".
5.25. Incentives are needed to overcome this
complacency. They are currently lacking, because the banks in
particular are able to offload risks onto customers and merchants.
The legal background was helpfully explained to us by Nicholas
Bohm. He drew attention first to the common law principle that
"if someone seeks to hold me to a bargain which he says I
made and I say I did not make it, it was someone pretending to
be me, he has to prove it was me in order to prove his case and
if he cannot prove it was me then he stands the resulting loss".
This principle has been buttressed by statute law in certain areas: for
example, the Bills of Exchange Act 1882 specified that if a bank
honoured a forged cheque the bank, not the customer upon whose
account the cheque was drawn, would be liable (Q 352).
5.26. No such statutory codification has been
applied to the world of online banking. Instead, customers must
fall back on the common law principle, which Nicholas Bohm interpreted
in this context as signifying that "those who deploy security
systems for the purpose of checking that the customer is the one
making the transaction are the ones who should stand the risk
of it failing". Mr Bohm concluded that he "would
like to see the banking system Ombudsman, the Office of Fair Trading
and anybody else concerned with unfair contract terms encouraged
to take a robust line" (Q 352). However, in practice
this has yet to happen, and the banks do not formally accept liability
for losses incurred when customers are impersonated by criminals
who have stolen account details. At present the banks generally
meet such losses, but they are under no obligation to do so, and
as losses rise, the temptation for the banks to disclaim liability
will grow.
5.27. When these points were put to the Minister,
Margaret Hodge MP, her response was as follows: "There
will be some circumstances where we could put in primary legislation
and there could be other circumstances where it is consumer behaviour
rather than the banks which is at fault … and it is difficult
to get those parameters right. What we are trying to do … all
the time, is to try and improve the abuse of fraud by authentication
schemes and working with the banks in that regard. We can go with
the heavy hand of the law rather than the more self-regulatory
route down which we are tending to travel and it is a matter of
judgment for this Committee which it thinks is more appropriate"
(Q 864).
5.28. The Minister's comments are deeply disappointing.
There is a time to rely on the invisible hand of the market, and
a time to give out signals to the market that, in order to offer
proper protection to consumers, it should move in a particular
direction. As Bruce Schneier commented, "I do not think that
'difficult' is a reason not to try" (Q 539). In marked
contrast to the position in the United Kingdom, in the United
States Regulation E of the Federal Reserve Board makes banks liable
for all but the first $50 of any loss incurred as a result of
an unauthorised electronic fund transfer, as long as the victim
notifies the bank in timely fashion. Naturally, in the case of
first party fraud (when a customer disavows a transaction
dishonestly) the bank can recover its money and prosecute
through the courts.
5.29. However, bringing online banking into line
with the rules applying to forged cheques would affect only one
part of the business world. A more fundamental change, raising
the profile of online security across the board, is required.
A key issue is the fact that businesses are not currently required
to report or publicise security breaches. The problems this creates
were described in scathing terms by the FIPR:
"A company whose systems have been compromised
has every incentive to keep quiet about it, and will probably
receive legal advice against notifying affected individuals …
Thus security breaches affecting the individual are typically
detected when the individual complains of fraud. Such complaints
are often met with hostility or denial by financial institutions,
or with a demand that the customer explain how the dispute might
have arisen" (p 210).
5.30. The state of affairs described by the FIPR
is self-defeating. For instance, in 2005-06 hackers, exploiting
vulnerabilities in WiFi systems, stole the details of over 45
million payment cards from the retailer TK Maxx. Although the company
disclosed this massive security breach, it was, under United Kingdom
law, under no obligation so to do, and no doubt many smaller
but otherwise comparable breaches have gone unreported. Still
less was the company obliged to take steps to inform the individual
customers concerned. These customers, if informed of the breach,
might have been persuaded to examine credit card and bank statements
more closely, so identifying minor frauds or thefts they would
otherwise have missed. Moreover, the fact of disclosure would
have given them evidence to support a prima facie case
that they had been victims of fraud.
5.31. Thus the absence of a duty of disclosure
reduces the likelihood that customers will identify, complain
of and provide proof of fraud; it also, since such complaints
are in turn the most likely means of prompting disclosure, leads
to a vicious circle of under-reporting. As the FIPR concluded,
the absence of a duty of disclosure is a key reason why "we
have no really dependable statistics" regarding the incidence
of online fraud. A unified, centralised reporting system for security
breaches would be a key element of any legislation, which would
yield huge benefits for researchers in the field.
5.32. The position in the United States stands
in marked contrast to that in the United Kingdom. While there
are no federal data security breach laws currently in place, state
laws, introduced first in California, now apply in 35 states.
When we visited the Federal Trade Commission, officials were emphatic
that these laws had had a marked impact, driving numerous investigations,
and leading in the Choicepoint case to the company paying $10
million in civil penalties for security breaches and $5 million
in redress to customers. Both the prospect of tough penalties,
and, more importantly, the prospects of public embarrassment and
loss of share value, provide strong incentives to companies to
prioritise data security at the highest level.
5.33. Moreover, when we visited the FBI in California,
we were told of another beneficial side-effect of security breach
notification laws. Whereas in the past companies would often conceal
attacks on their systems so as not to damage their reputation,
now, since individuals had to be informed anyway, they were far
more willing to report such events to law enforcement.
5.34. In contrast, in this country, despite the
principles embodied in the Data Protection Act 1998, there is
no practical incentive for those holding customer data to take
steps to protect it, other than in the exceptional circumstances
that they are already subject to an enforcement notice from the
ICO, and are thus at risk of prosecution and a £5,000 fine.
Phil Jones, of the ICO, put the prevailing situation in a nutshell:
"however irresponsibly the data controller behaves he does
not commit an offence" (Q 366).
5.35. The laws pertaining in the United States
are far from perfect, and the diversity across the states
is a significant handicap. As Dr Chris Hoofnagle, a lawyer
working at the CITRIS research institute, told us, different definitions
of what constituted a security breach, and differences in requirements
as far as demonstrating potential harm, and in reporting requirements,
to some extent undermined their effectiveness, as well as the
reliability of the data generated. There were also specific problems
with letters that did not make it clear what steps individuals
might take when their data had been stolen; indeed, in some
cases notification and advice were so buried in advertising that
recipients might well miss them altogether. A federal law is currently
under consideration, which aims to correct these inconsistencies
and deficiencies.
5.36. In addition, Bruce Schneier suggested to
us that while the laws had done "a lot of good", they
might also have "outlived their usefulness". The key
to the value of data security breach notification, in his view,
was the "public shaming" of offenders. But this relied
on publicity, and the publicity was attenuated over time: "it
is no longer news when someone's innovation is stolen. It happens
too often". A related risk was that individuals would be
overwhelmed by breach notifications, and, lacking the information
to enable them to assess the actual risks, would quickly lose
interest. Nevertheless, he concluded that "I think that it
should still be done, because forcing companies to go public with
the information is very valuable: to researchers, to policymakers"
(Q 547).
5.37. The position of the Government was lukewarm.
Margaret Hodge described security breach notification as "an
enticing bit of legislation", but then focused on "the
difficulty of framing that intent in a practical way because you
would have to decide what breaches would you report precisely,
what is the trigger for a report, those sorts of issues, and you
do not want to end up in a situation where people either become
really blasé about it because they get so many reports
of breaches or they become so scared that they do not take advantage
of the new information communication technology … The devil
is in the detail" (Q 849).
5.38. We fully acknowledge the Minister's points: it
is essential, in particular, that any obligation to disclose security
breaches should set a sensible threshold in terms of the potential
risk to those affected. For instance, if a laptop is lost, but
the data are securely encrypted, or if the laptop was contained
in the boot of a car that has driven off a bridge into a deep
river, the risk of data breach may be minimal. The detail must
be got right. But we believe that the United Kingdom is now ideally
placed to learn from the successes and failures of the many state
laws in force in the United States and get this detail right,
establishing a workable and effective legislative framework.
5.39. However, we find it alarming that the Minister
appeared to regard with equanimity a situation in which security
breaches were so common that if companies were to be obliged to
inform individuals of security breaches affecting their personal
data, these individuals would respond either with bored indifference
or fear. In the Foreword to his latest Annual Report, the Information
Commissioner noted that "The roll call of banks, retailers,
government departments, public bodies and other organisations
which have admitted serious security lapses is frankly horrifying"[21].
The evidence heard in this inquiry fully bears out this description.
The sheer volume of breaches must not be used as an excuse for
inaction.
5.40. Mrs Hodge also drew attention to proposals
emerging from the European Commission on data breach notification
in the context of its new Regulatory Framework for Electronic
Communications. However, as the title of this initiative implies,
the Commission's proposals would place requirements solely on
companies in the communications sector. They would thus omit the
many businesses in banking and financial services, retailing and
elsewhere, that hold confidential personal data.
5.41. The reason for this limitation appears
to be bureaucratic rather than reasoned. As Achim Klabunde, of
the Directorate General Information Society, said when asked why
the proposals were limited to the communications sector, companies
in other sectors, such as payment services, were outside his "organisational
competence" (Q 910). In other words, DG Information
Society has no authority to initiate proposals covering, for instance,
the payment services industry. This is an inescapable fact, and
inevitably means that the laws currently proposed in Brussels
will have little impact in raising the incentives for business
to take the necessary steps to protect personal Internet security.
The enforcement regime
5.42. We have outlined above the role of the
Information Commissioner's Office (ICO) in enforcing the statutory
provisions that protect the security of personal data online.
In a previous chapter we have also outlined the very limited remit
of the communications industry regulator, Ofcom, with regard to
Internet Service Providers.
5.43. An extra layer of regulation is provided
by the Financial Services Authority (FSA), which regulates the
banks and the rest of the financial services sector. Its task,
set out in the Financial Services and Markets Act 2000, is to
ensure that regulated companies in the sector meet the "threshold
conditions" set out in Schedule 6 of the Act: in the words
of the FSA, this includes "assessing whether their systems
and controls are adequate to prevent them being used for purposes
connected with financial crime, including fraud; it also includes
the adequacy of their information security measures" (p 54).
5.44. In the field of Internet trading, the Office
of Fair Trading (OFT) has a general responsibility to regulate
the advertising industry. Spam, insofar as it contains misleading
advertising, falls under the remit of the OFT, which also co-ordinates
international action on spam through the London Action Plan. However,
Mike Haley of the OFT conceded that the enforcement mechanisms
were too clumsy to deal with the fast-moving and globalised market
for spam:
"Our powers are still based on the offline world
of knowing where a trader is, being able to go and speak to him,
have premises inspected and then take action appropriately. If
we know a spamming campaign is coming over the weekend
we have to go and apply for a court order and the spam would have
been sent out to millions of people before we had even had a chance
to move. So I think there is a need to look at not just the international
infrastructure but also for adequate powers and sanctions to apply
in a fast-moving environment" (Q 429).
5.45. Finally, enforcement with regard to specific
online scams is the responsibility of Local Trading Standards
Services (LTSS). A recent OFT report acknowledges that the priority
afforded to online frauds is variable; that no specific requirements
relating to the Internet are contained within the National Performance
Framework for LTSS; and that enforcement was generally "reactive
to complaints".[22]
5.46. There are thus many divisions of responsibility
and apparent overlaps. On the one hand there is, as the Minister
Margaret Hodge MP told us, a "crude division of labour"
between Ofcom and the ICO: "Ofcom regulates the industry (it
is a bit too crude to put it like this, but I will say it anyway) and
the Information Commissioner will look after the interests of
the individual" (Q 865). On the other hand, while the
ICO has a general duty to enforce the data protection principles,
including the seventh principle, that "appropriate technical
and organisational measures shall be taken against unauthorised
or unlawful processing of personal data", in the vital financial
services sector the FSA also has responsibility for assessing
such systems and controls.
5.47. What this complicated division of responsibility
between regulatory and enforcement bodies demonstrates is that
the online world, as a medium that offers a constantly expanding
range of uses to business, has no dedicated regulator. Instead,
discrete areas of activity, such as advertising or banking, are
regulated, with the divisions of responsibility between regulators
being modelled on the offline world.
5.48. The only enforcement agency with a general
responsibility for personal Internet security, insofar as it relates
to the security of personal data, is the ICO. However, of all
the regulatory authorities, the ICO's enforcement powers appear
currently to be the weakest. As Phil Jones of the ICO told us,
"what we do have is the power to issue a formal enforcement
notice, which puts an organisation on notice to amend their practices.
If they are actually in breach of the notice, at that stage it
is a criminal offence but not before" (Q 365).
5.49. As a result, when the ICO found in March
2007 that 11 banks and other financial institutions had breached
data protection principles by discarding personal information
in waste bins, it was able only to require the companies "to
sign a formal undertaking to comply with the Principles of the
Data Protection Act." Further breaches "could result
in prosecution", with the maximum fine on summary conviction
currently standing at just £5,000.[23]
In summary, the Society for Computers and Law (SCL) concluded
that the seventh data protection principle was "not rigorously
enforced" (p 128).
5.50. In marked contrast, in February 2007, following
the 2006 loss of a laptop containing confidential customer information
(already referred to above, paragraph 5.22), the FSA fined the
Nationwide Building Society £980,000 for "failing to
have effective systems and controls to manage its information
security risks".[24]
5.51. In late 2006 the Department for Constitutional
Affairs (now the Ministry for Justice) launched a consultation
on increasing the maximum penalty available to the courts for
wilful misuse of personal data to six months' imprisonment.[25]
The Home Office Minister, Vernon Coaker MP, confirmed that
following this consultation "the Government is now looking
at is a vehicle to actually look at increasing some of the penalties
available for the misuse of data" (Q 876).
5.52. However, the 2006 consultation does not
contain any proposals to change the cumbersome enforcement regime,
including the requirement that offenders first sign undertakings
to comply with the Data Protection Principles with legal action
only possible if further breaches occur. Mrs Hodge told us
that "the advice to us from the Information Commissioner
is that speed is more important to him. At the moment the investigations
just take too long and I think if he would prioritise any issue
he would go for speed more than fine levels" (Q 878).
However, we are not aware of any measures planned which might
meet the concern of the SCL, that "the resources made available
to the [ICO] continue to be inadequate" (p 128).
Conclusions and Recommendations
5.53. The steps currently being taken by many
businesses trading over the Internet to protect their customers'
personal information are inadequate. The refusal of the financial
services sector in particular to accept responsibility for the
security of personal information is disturbing, and is compounded
by apparent indifference at Government level. Governments and
legislators are not in a position to prescribe the security precautions
that should be taken; however, they do have a responsibility to
ensure that the right incentives are in place to persuade businesses
to take the necessary steps to act proportionately to protect
personal data.
5.54. We therefore recommend that the Government
introduce legislation, consistent with the principles enshrined
in common law and, with regard to cheques, in the Bills of Exchange
Act 1882, to establish the principle that banks should be held
liable for losses incurred as a result of electronic fraud.
5.55. We further believe that a data security
breach notification law would be among the most important advances
that the United Kingdom could make in promoting personal Internet
security. We recommend that the Government, without waiting for
action at European Commission level, accept the principle of such
a law, and begin consultation on its scope as a matter of urgency.
5.56. We recommend that a data security breach
notification law should incorporate the following key elements:
- Workable definitions of data
security breaches, covering both a threshold for the sensitivity
of the data lost, and criteria for the accessibility of that data;
- A mandatory and uniform central reporting
system;
- Clear rules on form and content of notification
letters, which must state clearly the nature of the breach and
provide advice on the steps that individuals should take to deal
with it.
5.57. We further recommend that the Government
examine as a matter of urgency the effectiveness of the Information
Commissioner's Office in enforcing good standards of data protection
across the business community. The Commissioner is currently handicapped
in his work by lack of resources; a cumbersome "two strike"
enforcement process; and inadequate penalties upon conviction.
The Government have expressed readiness to address the question
of penalties for one type of offence; we recommend that they reconsider
the tariffs for the whole of the data protection regime, while
also addressing resources and enforcement procedures as well.
These should include the power to conduct random audits of the
security measures in place in businesses and other organisations
holding personal data.
17 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
18 This fell to 44.9 percent in 2006.
19 See http://www.lloydstsb.com/security/phishing.asp.
20 See http://www.fsa.gov.uk/pubs/final/nbs.pdf.
21 Information Commissioner's Office, Annual Report 2006/07, 10 July 2007 (HC646), p 7.
22 See Internet Shopping: an OFT Market Study, June 2007, p 101: http://www.oft.gov.uk/shared_oft/reports/consumer_protection/oft921.pdf.
23 ICO press release: http://www.ico.gov.uk/upload/documents/pressreleases/2007/banks_in_unacceptable_data_protection_breach.pdf.
24 FSA press release: http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml.
25 See http://www.dca.gov.uk/consult/misuse_data/consultation0906.pdf.