E-crime Protection: Who Pays? Who Polices?

July 7, 2008

The House of Lords Science and Technology Committee published its follow-up report on Personal Internet Security on 8 July. It calls on the Government to do more to protect the public from e-crime. The follow-up report renews the Committee’s calls for:

 * legislation to establish the principle that banks be held responsible for losses incurred by electronic fraud;
 * procedures to be reviewed to allow the public to report e-crime directly to the police rather than having to go through their bank;
 * a data security breach notification law to be introduced.

On banks’ liability for losses incurred through e-crime, the Committee states that it is not satisfied with the Government’s position that the Banking Code offers enough protection for customers. The Committee received evidence that where a PIN or password is used in an online fraud, banks often refuse to refund customers, claiming they must have been negligent or complicit in the fraud. The Committee was also told that the Financial Services Ombudsman and the courts do not offer an adequate method of redress for customers whose banks refuse to cover their losses, and that if banks were forced to accept liability for online fraud, this would provide an incentive for them to improve the security of their online banking operations.

The Committee also repeats its call for the reporting procedure for online fraud to be re-examined. It points out that under the current arrangements, where the victims of fraud are required to report the crime to their banks rather than to the police in the first instance, banks may have a commercial incentive not to pass a report to the police.

The Committee is also concerned that under the current arrangements the police may refuse to accept a bank customer’s assertion that a fraud had been committed if their bank did not support their claim. The Committee was disappointed that the Government, in its original response, rejected the call for the reporting system to be changed, but is encouraged that the Government has reflected further on the matter and has now undertaken to review the reporting procedure. The Committee will closely monitor developments on this issue.

The Committee also returns to its recommendations on the protection of personal data. It states that, following the loss of sensitive data on two computer disks by HMRC, the Government has at last started to take the risks seriously, but expresses regret that ‘a level of indifference on the part of the Government has now been dispelled only as a result of recent incidents involving serious losses of personal data’.

The report calls on the Government to introduce a data security breach notification law which would require public and private sector organisations to inform the public about losses of their personal data as soon as they became aware of them. The Committee argues that such a law would have the twin benefits of increasing incentives on business to avoid data loss and, if a breach did occur, giving individuals an early warning so they could reduce the risks to themselves.

The Committee states that it is pleased that the Government has taken on board some of the criticisms of its response to the Committee’s original report, including a more positive attitude to kite-marking of websites and a code of conduct for ISPs.

Commenting, Lord Sutherland of Houndwood, Chairman of the Lords Science and Technology Committee, said:
‘We are pleased that the Government has taken on board more of the recommendations in our report than they did in their initial response. The catastrophic loss of data by HMRC in November 2007 seems to have concentrated minds on the importance of data protection both by Government and the private sector. However we are disappointed that they still will not accept that there should be legislation to establish the principle that banks should be liable for refunding the victims of online fraud. The result of being the victim of online fraud can be crippling for an individual who can find his entire savings or current account wiped out in an instant. The Banking Code does not offer enough protection. We believe that legislation would have the added advantage of encouraging the banks to be more proactive about improving the security of their online banking operations. It is also vital that the victims of e-crime can report crime directly to the police. If you were robbed in the street you would expect the police to recognise it as a crime and try to catch the person responsible. If you are a victim of online fraud, you should be entitled to the same protection.’

The report will be available online at www.parliament.uk/hlscience. The original report on Personal Internet Security is also available there.