"Don't hold us liable for breaches", industry tells MPs

Holding security vendors liable to breaches suffered by customers would be very difficult, according to experts within the industry.

Following the publication of a report by the House of Lords' Science and Technology Committee, reported by IT PRO last week, MPs said that if individual users are to be protected from threats then the IT industry must do more to protect customers. One of its recommendations was to make vendors liable for security breaches.

But Greg Day, security analyst at anti-virus company McAfee said that it was up to businesses to ensure that security products were correctly configured.

"It would be very difficult to hold vendors responsible for breaches, as it really comes down to how solutions are implemented. You would have to ask, 'Did they have it configured correctly, updated and maintained?'" said Day. "Every business has different IT security requirements depending on their business and IT footprint. A security vendor supplies businesses with the tools, but it is down the business to use them correctly."

IT security company Symantec was also cold on the idea of making it, and others in the industry, liable for breaches. Ilias Chantzos, senior principal government relations analyst at the company said that such an approach does not take into account the complexity of the IT industry. He suggested alternative legislation to lawbreakers.

"The introduction of new legislation should deal with malicious behaviour, such as the buying and selling of botnets," said Chantzos. "An approach along the line suggested in the report on the issue of liability could result in the opposite effect and risk reducing consumer choice and end users' security and privacy."

Geoff Haggart, EMEA senior vice president of web filtering company Websense said that both the government and business must accept a duty to protect the public if confidence in the internet is to be maintained.

"A central system for the reporting of e-crime should definitely be considered. In addition, the US companies are legally bound to notify their customers if their data has been breached - yet currently the British public is protected by no such legislation. Their should be greater debate about the value of implanting similar laws here," said Haggart.

He said the report would "spur the security vendor community to greater efforts to protect consumers from security threats".

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.