Specific data breach roles outlined by heads of NCSC and ICO at key cyber conference

The victims of cyber incidents stand to benefit from an improved, jointly agreed approach to breaches between the UK’s technical authority for cyber threats (the National Cyber Security Centre) and its independent authority for data protection (the Information Commissioner’s Office).

Speaking on the second day of CYBERUK, the National Cyber Security Centre’s (NCSC) Annual Conference held this year in Glasgow, CEO Ciaran Martin and James Dipple-Johnstone, deputy commissioner at the Information Commissioner’s Office (ICO), duly outlined the understanding that has been forged between the two key organisations.

The NCSC manages cyber incidents of national importance to reduce harm caused to victims and to the UK, helps with managing the response and learns important lessons in order to help deter future attacks.

The ICO is the independent regulator for the monitoring and enforcement of the General Data Protection Regulation (GDPR) and the competent authority for Digital Service Providers under the NIS Directive, meaning that breached organisations should notify it of incidents, co-operate and take remedial action.

Among the commitments outlined at the conference was greater clarity on the separate roles and responsibilities each organisation has after a cyber incident, making it easier for a victim to deal with the right authority or organisation at the right time.

Specifics of the commitment

Going forward, the NCSC will:

* freely engage directly with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath

* encourage impacted organisations to meet their requirements under the GDPR and the NIS Directive, while reassuring organisations that the NCSC will not share information reported to them on a confidential basis with the ICO without first seeking the consent of the organisation concerned

* help the ICO expand its GDPR guidance as it relates to cyber incidents

For its part, the ICO will:

* focus its early-stage engagement on the vital steps required to help ensure impacted organisations mitigate risks to individuals and stand up an effective investigation

* establish the circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and ensuring that, in circumstances of high risk to individuals, organisations have properly met their legal responsibilities

Further, both organisations have also agreed to:

* share anonymised and aggregated information with each other to assist with their respective understanding of the risk

* commit to amplifying each other’s messages to promote consistent and high-quality advice to ensure the UK is secure and resilient to cyber threats

Development of understanding

Ciaran Martin said: “This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities. The development of this understanding is the end result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues. While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”

James Dipple-Johnstone replied: “It’s important that organisations understand what to expect if they suffer a cyber security breach. The NCSC has an important role to play in keeping UK organisations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised. Organisations need to be clear on the legal requirements about when to report these breaches to the ICO, and realise the potential implications, including sizeable fines, if these requirements are not followed.”

The NCSC will seek to forge similar enhanced clarity on its working relationship with law enforcement colleagues who are at the core of the response to malicious data breach incidents.

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications).

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.