NCSC will no longer flag security breaches to data regulator
UK cyber agency wants companies to seek security advice without the fear of fines
The National Cyber Security Centre (NCSC) will not automatically share information relating to companies that suffer data breaches with the UK's data regulator.
The cyber security agency's chief executive Ciaran Martin said that the framework would help both the NCSC and the Information Commissioner's Office (ICO) best serve the UK during data breaches, while at the same time respecting each other's remits and responsibilities to business.
The agreement, which the ICO has signed up to, means that companies that suffer data breaches will be offered confidentiality, specifically from the ICO, should they seek advice from the NCSC. The hope is that this will encourage companies to come forward to discuss the nature of a data breach when they might otherwise be put off by the fear of regulatory action.
"The development of this understanding is as a result of a constructive working relationship between our organisations and we remain committed to an open dialogue on strategic issues," he said.
"While it's right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim."
As part of this new arrangement, the NCSC will engage directly with victims to understand the nature of the incident and provide free and, crucially, confidential advice. It will also encourage impacted organisations to comply with the GDPR, but it will not report information to the ICO without first seeking consent from the victim.
"This is hugely important and the right steps that both the NCSC and ICO have taken," said Joseph Carson, chief security scientist at Thycotic. "Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber incident when time is critical, knowing it is the business's responsibility to report the incident to the ICO.
During a cyber breach, working with the NCSC can help the business potentially recover quickly and ensure it can be investigated, giving the business time to identify whether or not they are required to report the incident to the ICO."
While the NCSC's role is to manage cyber incidents of national importance and advise businesses of best security practices, it also offers guidance on remedial steps after an incident. The ICO, on the other hand, is the independent regulator for the monitoring and enforcement of the General Data Protection Regulation (GDPR). Under the legislation, organisations that suffer breaches of data are required to notify the ICO of incidents, cooperate and take remedial action.
It represents a particularly unusual arrangement between two national agencies, with the NCSC potentially being made aware of a major cyber incident before any other government office, and having no legal obligation to report that to the ICO.
What's more, despite encouragement from the NCSC to report a breach, the agreement could provide further protections to those companies seeking to avoid large fines from an ICO investigation - fines which would only surface if the company has been negligent with the processing of user data. Therefore there's a risk that by trying to encourage companies to come forward confidentially the NCSC could find itself impeding the work of the ICO.