Calls for business and law enforcement to take responsibility for individuals’ internet security are being met with scepticism from interest groups.

An influential House of Lords committee has recommended a series of measures designed to combat the ‘wild west’ reputation of the internet and shift accountability for online crimes such as fraud and identity theft.

‘The current assumption that end users should be responsible for security is inefficient and unrealistic,’ says the report published this month.

But industry representatives warn that many of the report’s recommendations might be unworkable.

Banks

A central proposal of the report is that financial institutions be made liable for personal losses online.

At the moment many banks bear the brunt of web fraud, but there is no legal requirement for them to do so and some leave customers to foot the bill. The banks are not keen to enshrine liability in law, maintaining it is unfair and leaves them open to fraudulent claims.

‘Banks are already doing a lot to protect consumers ­ introducing two-factor authentication, reporting phishing web sites and handling fraud reporting,’ said a senior source in the financial services industry.

‘Why should they be penalised for what will almost always be a user error?’

Business

The Lords committee also proposed a data breach notification law under which any business holding customers’ details would have to notify the public if that information is compromised.

Many US states already have similar requirements, but lobby groups such as the Confederation of British Industry (CBI) warn that such measures could damage UK business.

‘The proposal could impose a disproportionate burden on businesses already struggling to develop effective security practices in the complex world of internet commerce,’ said CBI head of e-business Jeremy Beale.

Law enforcers are also sceptical. Firms already contact the police when they lose data, and legislation could add to red tape, Serious Organised Crime Agency director general Bill Hughes told the committee.

But not everyone is against the plan. The concept has already had ‘qualified backing’ from the Information Commissioner earlier this year. And even some banks acknowledge the benefit to customers.

‘Breach notification is a measure for informing the public rather than helping law enforcement ­ but, given the state of UK data protection, it is a step in the right direction,’ said one major bank’s chief information security officer.

Software suppliers

Software vendors should also take more responsibility for the security of their customers, said the Lords committee.

But industry groups say proving liability would be impossible because it would have to be proved that the user had installed the product properly and downloaded all the necessary and relevant updates.

Any law would have to be so technical that it would quickly become obsolete, said Nick Kalisperas, practice director at IT trade association Intellect.

‘You could only legislate for a single point in time so it would be difficult to get anything workable,’ he said.

ISPs

ISPs are the other main industry to come under the Lords’ spotlight. ISPs should develop a BSI-approved kitemark for secure internet services, with a legislative obligation that they adhere to it, says the report.

There is some scope for ISPs to become involved in users’ security, but legislation forcing the removal of illegal content would undermine freedom of information online, said the Internet Services Providers Association (ISPA).

Even if service providers did start to take responsibility, most illegal content comes from overseas so the law would have limited effect, said ISPA.

Despite the defences of the status quo, the implications of internet security issues are too great to ignore.

Ultimately the success of the web relies on trust, said committee chairman Lord Broers.

‘The internet is increasingly perceived as a sort of wild west, outside the law,’ said Broers.

‘People are said to fear e-crime more than mugging. That needs to change, or confidence in the internet could be destroyed.’