Should software companies be liable for data breaches?

Holding software companies, ISPs and financial institutions liable for public and private sector data breaches could help prevent them, according to an internet public policy expert.

Speaking at ENISA's annual security conference in Greece, Ian Brown, a senior research fellow at the Oxford Internet Institute, said that holding them liable could help prevent data breaches better than direct spending on government intervention.

But Brown admitted such a rule would be politically difficult to enforce. Last year, the immediate response by the UK government to a House of Lords report recommending a new data-breach law on liability was a firm no'.

Brown said: "They didn't give a reason why. I imagine part of the reason - and I'm not being super-cynical here - was that behind the scenes there were software companies, ISPs and banks that are influential within government."

He said that security breach notification laws were a step in the right direction, at least forcing firms to be transparent when things went wrong.

"I think there are some government MPs who would still like to move in that direction, and I think that would be a positive thing," he added.