NCSC will no longer flag security breaches to data regulator


The National Cyber Security Centre (NCSC) will not automatically share information relating to companies that suffer data breaches with the UK's data regulator.

The cyber security agency's chief executive Ciaran Martin said that the framework would help both the NCSC and the Information Commissioner's Office (ICO) best serve the UK during data breaches, while respecting each other's remits and responsibilities to business.

The agreement, to which the ICO is a party, means that companies that suffer data breaches will be offered confidentiality, specifically from the ICO, should they seek advice from the NCSC. The hope is that this will encourage companies that might otherwise be put off by the fear of regulatory action to come forward and discuss the nature of a breach.

"The development of this understanding is as a result of a constructive working relationship between our organisations and we remain committed to an open dialogue on strategic issues," he said.

"While it's right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim."

As part of this new arrangement, the NCSC will engage directly with victims to understand the nature of the incident and provide free and, crucially, confidential advice. It will also encourage impacted organisations to comply with the GDPR, but it will not report information to the ICO without first seeking consent from the victim.

"This is hugely important and the right steps that both the NCSC and ICO have taken," said Joseph Carson, chief security scientist at Thycotic. "Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber incident when time is critical, knowing it is the business's responsibility to report the incident to the ICO.

"During a cyber breach, working with the NCSC can help the business potentially recover quickly and ensure it can be investigated, giving the business time to identify whether or not they are required to report the incident to the ICO."

While the NCSC's role is to manage cyber incidents of national importance and advise businesses on security best practice, it also offers guidance on remedial steps after an incident. The ICO, on the other hand, is the independent regulator responsible for monitoring and enforcing the General Data Protection Regulation (GDPR). Under the legislation, organisations that suffer breaches of personal data are required to notify the ICO (without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to put individuals at risk), cooperate with the regulator and take remedial action.

It represents a particularly unusual arrangement between two national agencies: the NCSC could become aware of a major cyber incident before any other government office, yet have no legal obligation to report it to the ICO.

What's more, despite the NCSC's encouragement to report a breach, the agreement could offer further protection to companies seeking to avoid large fines from an ICO investigation, fines which would only follow if the company had been negligent in its processing of user data. There is therefore a risk that, by encouraging companies to come forward confidentially, the NCSC could find itself impeding the work of the ICO.

Bobby Hellard
