Banks have reacted with scepticism to calls for US-style laws that would force them to inform customers whenever their personal banking data was lost or stolen by hackers.
Banking officials told the House of Lords Science and Technology Committee that such laws could deter the public from using the internet for e-commerce by feeding anxiety about security.
Many US states have introduced laws that require companies to alert their customers if personal data is stolen, following pioneering legislation introduced in California.
But Colin Whittaker, head of security at the Association for Payment Clearing Services (Apacs), which represents UK banks, told the Lords committee that the laws had unintended consequences.
“One consequence is increased levels of anxiety, because there is no ability to assess the level or risk of fraud,” he said. As a result, banks are forced to disclose breaches that pose little risk to the public, knocking customers’ confidence in internet banking unnecessarily, he warned.
Matthew Premble, security manager at the Royal Bank of Scotland, who represented the Anti-Phishing Working Group at a committee hearing last week, agreed.
“There are a large number of things reported, such as laptop thefts, where there is a low risk of compromise,” he said.
Apacs also rejected calls from committee members to make public the cost of phishing attacks to individual banks.
Science committee member Lord Paul said the committee had been told that most of the attacks were targeted against one bank, and the public had a right to know which banks were most secure.
But Apacs argued that it should be up to individual banks whether to disclose their losses.
“There is no evidence that any one bank is any worse than any of the others. Some banks are attacked more, but that changes over time,” said Whittaker.
He told the committee that banks had not suffered any losses of confidential customer data over the past 12 months. However, credit card company Visa disclosed that there had been 1,000 breaches of customer data, largely through problems at merchants.
The number of phishing sites increased from 312 in the first six months of 2005 to 5,059 in the first six months of 2006, the committee heard. Associated losses rose from £14.8m to £22.5m over the period.
Comment on this article: [email protected]