Interviews

NCSC, ICO set out parts

by Mark Rowe

If you suffer a data breach, you may be the victim of a crime such as hacking; but you may also be treated as a criminal by the data privacy regulator, the ICO, and stung with a six-figure fine. That was addressed at the National Cyber Security Centre (NCSC) annual conference CYBERUK, in Glasgow, where NCSC Chief Executive Ciaran Martin and Information Commissioner’s Office (ICO) Deputy Commissioner James Dipple-Johnstone spoke.

The NCSC says it will:

  • engage with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath;
  • encourage affected organisations to meet their requirements under data protection law, the GDPR and the related NIS Directive covering networked and information services by essential sectors such as utilities, while reassuring organisations that the NCSC will not share information reported to them on a confidential basis with the ICO without first seeking the consent of the organisation concerned; and
  • help the ICO expand their GDPR guidance as it relates to cyber incidents.

For Martin’s speech visit the NCSC website.

Meanwhile, the ICO will:

  • focus its early-stage engagement on the steps required to help ensure affected organisations mitigate risks to individuals and stand up an effective investigation; and
  • establish the circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and that, in circumstances of high risk to individuals, organisations have properly met their legal responsibilities.

The two will share anonymised and aggregated information with each other to assist with their respective understanding of the risk; and commit to amplify each other’s messages to promote consistent, high quality advice to ensure the UK is secure and resilient to cyber threats.

Ciaran Martin said: “This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities. The development of this understanding is as a result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues.

“While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”

And James Dipple-Johnstone said: “It’s important organisations understand what to expect if they suffer a cyber security breach. The NCSC has an important role to play in keeping UK organisations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised.

“Organisations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

Comment

Joseph Carson, chief security scientist at Thycotic, said: “This is hugely important and the right steps that both the NCSC and ICO have taken. Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber incident when time is critical, knowing it is the business’s responsibility to report the incident to the ICO. During a cyber breach, working with the NCSC can help the business potentially recover quickly and ensure it can be investigated, giving the business time to identify whether or not they are required to report the incident to the ICO.”
