NCSC will no longer flag security breaches to data regulator

UK cyber agency wants companies to seek security advice without the fear of fines

The National Cyber Security Centre (NCSC) will not automatically share information relating to companies that suffer data breaches with the UK's data regulator.

The cyber security agency's chief executive Ciaran Martin said that the framework would help both the NCSC and the Information Commissioner's Office (ICO) best serve the UK during data breaches, while at the same time respecting each other's remits and responsibilities to business.

The agreement, which the ICO has signed up to, means that companies that are subject to data breaches will be offered confidentiality, specifically from the ICO, should they seek advice from the NCSC. The hope is that this will encourage companies that may otherwise be put off by the fear of regulatory action to come forward to discuss the nature of a data breach.

"The development of this understanding is as a result of a constructive working relationship between our organisations and we remain committed to an open dialogue on strategic issues," he said.

"While it's right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim."

As part of this new arrangement, the NCSC will engage directly with victims to understand the nature of the incident and provide free and, crucially, confidential advice. It will also encourage impacted organisations to comply with the GDPR, but it will not report information to the ICO without first seeking consent from the victim.

"This is hugely important and the right steps that both the NCSC and ICO have taken," said Joseph Carson, chief security scientist at Thycotic. "Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber incident when time is critical knowing it is the business's responsibility to report the incident to the ICO.

"During a cyber breach, working with the NCSC can help the business potentially recover quickly and ensure it can be investigated giving the business time to identify whether or not they are required to report the incident to the ICO."

While the NCSC's role is to manage cyber incidents of national importance and advise businesses of best security practices, it also offers guidance on remedial steps after an incident. The ICO, on the other hand, is the independent regulator for the monitoring and enforcement of the General Data Protection Regulation (GDPR). Under the legislation, organisations that suffer breaches of data are required to notify the ICO of incidents, cooperate and take remedial action.

The agreement represents a particularly unusual arrangement between two national agencies, with the NCSC potentially being made aware of a major cyber incident before any other government office, and having no legal obligation to report that to the ICO.

What's more, despite encouragement from the NCSC to report a breach, the agreement could provide further protections to those companies seeking to avoid large fines from an ICO investigation - fines which would only surface if the company has been negligent with the processing of user data. Therefore, there's a risk that, by trying to encourage companies to come forward confidentially, the NCSC could find itself impeding the work of the ICO.
