You are here
UK cybersecurity agency won't tell regulator about breaches
[LONDON] The UK's cybersecurity agency said it won't automatically share information about data breaches with the country's data privacy regulator.
The decision, which the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) jointly announced Thursday, is designed to prevent new data privacy laws from having a chilling effect on businesses' willingness to share information about cyber attacks with the government.
The European Union's General Data Protection Regulation, which took effect in May 2018, allows national regulators such as the UK's ICO to impose fines up to four per cent of global revenue for data breaches.
The NCSC, which works with British industry to strengthen the defenses of the UK's critical national infrastructure against cyberattacks, worried these large fines would deter companies from reporting hacks for fear the agency would inform the ICO.
"While it's right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim," Ciaran Martin, chief executive officer of NCSC, said in the statement.
The NCSC said it would continue to help victims of cyberattacks and provide free, confidential advice on how to mitigate breaches.
James Dipple-Johnstone, deputy commissioner of the ICO, said in a statement that while the regulator had agreed to this "clarification of roles" with NCSC, companies and organisations still had a legal obligation to tell the regulator about data breaches or risk substantial penalties.
The new policy puts the NCSC in the potentially awkward position of knowing about violations of data privacy laws and withholding that information from other parts of government. The NCSC said that while it would not notify the ICO of breaches without permission, it would encourage organisations coming to the agency to comply with the law.
Since GDPR has been implemented, the NCSC has not seen any change in the number or size of breaches being reported to it, Paul Chichester, the agency's director of operations, said at a cybersecurity conference in Glasgow, Scotland, on Wednesday.
Mr Dipple-Johnstone said that while NCSC's primary focus was on helping organisations be resilient to cyberattacks, the ICO was more focused on protecting individuals' data.
The NCSC said it would seek to establish a similar arrangement about roles with UK law enforcement agencies that investigate cyberattacks.