The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) say greater clarity of roles will better align responses to attacks, and have agreed a framework for collaboration in a memorandum of understanding.
The agreement outlines the separate roles and responsibilities each organisation has after a cyber incident, making it easier for a victim to deal with the right organisation at the right time.
Ciaran Martin, CEO of the NCSC, said the NCSC will engage directly with victims to understand the nature of the incident and provide free and confidential advice to help mitigate its impact in the immediate aftermath.
The NCSC will encourage impacted organisations to meet their requirements under General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive, while reassuring organisations that the NCSC will not share information reported to them on a confidential basis with the ICO without first seeking the consent of the organisation concerned.
Martin said the NCSC will also help the ICO expand their GDPR guidance as it relates to cyber incidents.
James Dipple-Johnstone, ICO deputy commissioner for operations, said the ICO will focus its early-stage engagement on the vital steps required to help ensure affected organisations mitigate risks to individuals and stand up an effective investigation.
The ICO will also establish the circumstances of the incident, making sure that organisations have adequately protected any personal data put at risk and, where there is a high risk to individuals, that organisations have properly met their legal responsibilities.
Both organisations have committed to share anonymised and aggregated information with each other to assist with their respective understanding of the risk.
They have also committed to amplify each other’s messages to promote consistent, high-quality advice to ensure the UK is secure and resilient to cyber threats.
Martin said the framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities.
“The development of this understanding is as a result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues,” he said.
“While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”
Dipple-Johnstone said it is important that UK organisations understand what to expect if they suffer a cyber security breach.
“The NCSC has an important role to play in keeping UK organisations safe online, while our role reflects the impact cyber incidents have on the people whose personal data is lost, stolen or compromised,” he said.
“Organisations need to be clear on the legal requirements on when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”
Speaking at the CyberUK 2019 conference in Glasgow, Dipple-Johnstone said the ICO will encourage organisations that report breaches to report the incident directly to the NCSC where the ICO feels the organisation could benefit from an NCSC response.
“It is a criminal offence for ICO members of staff to disclose any information without certain strict criteria being met, so organisations can report breaches to us without any fear of proprietary information getting out because there are those checks and balances in place.”
The NCSC said it will seek to forge similar enhanced clarity on its working relationship with law enforcement colleagues who are at the core of the response to malicious data breach incidents.