Web consumers need more protection
With all the potential dangers from hackers on the Internet, Bermuda's Electronic Transactions Act and the associated Standard for Electronic Transactions badly need updating in favour of consumers.
What is needed is a requirement for all service providers, including ISPs and e-commerce companies, to report on breaches to their systems when consumer data is accessed by unauthorised persons.
This is the tactic taken by California's controversial SB 1386 law, a strategy that I agree with, despite the industry's protests against the legislation. Of course they would complain. The sordid history of the industry so far has been to cover up such breaches of client data because disclosure looks bad for the company. The result is that their clients are exposed to identity theft and other misuse of that data.
A law that requires companies to inform consumers of such breaches would allow people like you and me to take protective action, so that five years down the line we do not find ourselves being arrested, say in Canada, for 20 unpaid speeding fines, or owing $200,000 to a bank we have never heard of.
Bermuda's e-commerce law in its current form requires companies to establish the identities of their customers, to protect personal data and privacy, and to avoid abusive usage, such as sending out bulk e-mails or spam.
The legislation also requires businesses to "advertise truthfully", "deal fairly and openly with customers" and "settle complaints and disputes quickly and fairly". The legislation as it stands basically allows companies to make up their own standards, which, as long as they generally comply with the rules, will be accepted by Government as being in compliance with the law.
As some industry insiders have told me, the Bermuda Government really has no effective means of policing companies to see whether they breach the very general measures in the current e-commerce legislation. The legislation does not deal with what happens when a company exposes personal data on the Internet through its own mistake, or when a malicious person hacks into its system. Consumers should have the right to know if their personal data has been compromised. After all, you would want to know if someone has obtained your personal information through the fault of a company you have dealt with over the Internet. That knowledge allows you to take action to protect yourself from that information being used, either by cancelling your credit card, or by ensuring that others do not use your personal data in the case of identity theft.
In California, the state government has taken action by implementing a new law requiring companies to notify their customers of computer security breaches. The law, which comes into effect on July 1, applies to any online business that has California residents as customers, even if the company is not based in the state.
Failure by a company to give notice to a consumer whose unencrypted information is believed to have been compromised could give rise to civil liability and fines. A breach requiring notice occurs if an individual's name is electronically accessed along with key data such as an unencrypted social security number, a driver's licence number, or an account number, credit card number or debit card number together with any security code or password that would allow access to the account. Note that the exemption is for encrypted data only: a company that stores such data in the clear has no defence.
Now some may dispute that the state government will be able to apply the legislation to out-of-state e-commerce companies. But that argument misses the point. If I were a consumer in California I would not use an out-of-state e-commerce company if it did not comply with the legislation. Companies would be shooting themselves in the proverbial foot if they did not do their best to please their consumers.
The opposition by the Investment Company Institute (ICI) is typical of industry concerns. The ICI says the law would add "significant new compliance costs", encourage security breaches by hackers and lax computer security procedures, and create havoc by "needlessly alarming the public by requiring a notice even when there has been no access to personal information". The statements are laughable, to say the least. The compliance costs are the costs of doing business. How such legislation would encourage security breaches or lax computer security befuddles me. It would seem to do the opposite. And by the way, the public is already alarmed, and should be alarmed if their personal data has been compromised. I challenge any executive in any company to state they would not want to know if a stranger has accessed their personal data over the Internet. What you would want, you should also want for your clients.
Nigel Hickson, the Bermuda Government's e-commerce consultant, said that a meeting of the data protection committee this Monday (28 January) discussed amending the Electronic Commerce Act to implement better consumer protection. While the group is focusing on amending the act to comply with OECD data protection standards, he said the issue about informing the consumer of security breaches could also be discussed.
Such a law would be an advantage to the e-commerce sector.
By instilling better trust among consumers to use Internet sites and participate in e-commerce the companies would gain credibility. Everyone knows that security breaches do occur, whether on the Internet or elsewhere. A better-informed consumer is a better consumer. Or rather, a consumer who trusts a company to inform them that their personal data has been accessed will more likely be a client of that company.
Such a law would also ensure that companies take the best measures possible to protect that data, including the use of strong encryption systems, since they know they will get more than a slap on the wrist if that data is accessed. Encryption is only worth the name if the keys are kept apart from the data; an encrypted database whose key sits on the same compromised server protects nobody. As a separate but related comment, companies should be required to report to Government, on a confidential basis, all security breaches of their databases. This way the information can be aggregated and studied so companies can get a better handle on the problems, and learn from each other how to stop the hackers.
The denial of service attack on the Internet over the weekend highlights the fact that many companies do not bother to take even the most basic steps, such as applying the latest patches to their systems. That situation is bad for e-commerce and bad for companies.
Tech Tattle deals with issues concerning technology. Contact Ahmed at editoroffshoreon.com
