On 10 August 2007, the House of Lords Science and Technology Committee in the U.K. published a report, "Personal Internet Security," recommending that the IT industry, retailers and government do more to protect people from online crime. The report suggests an incremental, escalating approach to regulating IT, including:

• Self-regulation, with vendors making their offerings more secure on their own
• The assumption of liability for negligence, despite packaging statements to the contrary

This would have the effect of imposing the same type of liability for negligence that virtually all non-IT vendors face in the marketplace.

The report concludes that “in the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced," but does not offer any such framework. The report is available in two parts at www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf and www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165ii.pdf.

In "Childhood Ends: Liability and the IT Industry," (G00138877) Gartner warned that, as societal expectations regarding IT change, the likelihood of some form of regulation taking hold in the IT industry will grow. The U.K. report provides extensive documentation about the growing number of criminal activities worldwide that are being perpetrated via the Internet. In accordance with Gartner’s prediction, the U.K. report implied that some form of regulation would eventually evolve to avert an “economically disastrous" loss of public confidence in the Internet and the IT industry. Gartner research differs from the U.K. report in identifying where the trend is likely start. We believe it will likely start in the U.S. and spread to the European Union (EU).

• Regulators: As large buyers, governments can have a major impact in improving the quality of software. If you undertake regulation, use incentives such as specific requirements in government contracts. Regulations should be very targeted and specific, because wide-ranging, principles-based approaches could backfire.
• Vendors: Recognize that regulation is inevitable, but the future regulatory regime will be less onerous if the software industry demonstrates that it can improve consumer safety, increase software quality and regulate itself.
• IT customers: Recognize that the assumption of liability by vendors does not necessarily decrease your own liability. The more you modify software or put it to uses beyond the its intended purpose, the more liability you will assume. When making purchases, consider fitness for use of any software and the vendor's record of security improvements.

• "Childhood Ends: Liability and the IT Industry" — By 2015 in the U.S. and 2018 in the EU, software products and related services with potential for high-impact failures will be subject to external regulation or self-regulation. By Richard Hunter and others
• "Hype Cycle for Legal and Regulatory Information Governance, 2007" — Many different information technologies can complement strategies to improve information governance, which is emerging as a critical competency. By French Caldwell and others

(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)