U.K. cybersecurity agency won't tip regulator on breaches
(Bloomberg) --The U.K.’s cybersecurity agency said it won’t automatically share information about data breaches with the country’s data privacy regulator.
The decision, which the National Cyber Security Centre and the Information Commissioner’s Office jointly announced Thursday, is designed to prevent new data privacy laws from having a chilling effect on businesses’ willingness to share information about cyber attacks with the government.
The European Union’s General Data Protection Regulation, which took effect in May 2018, allows national regulators such as the U.K.’s ICO to impose fines up to 4 percent of global revenue for data breaches.
The NCSC, which works with British industry to strengthen the defenses of the U.K.’s critical national infrastructure against cyberattacks, worried these large fines would deter companies from reporting hacks for fear the agency would inform the ICO.
"While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim," Ciaran Martin, chief executive officer of NCSC, said in the statement.
The NCSC said it would continue to help victims of cyberattacks and provide free, confidential advice on how to mitigate breaches.
James Dipple-Johnstone, deputy commissioner of the ICO, said in a statement that while the regulator had agreed to this "clarification of roles" with NCSC, companies and organizations still had a legal obligation to tell the regulator about data breaches or risk substantial penalties.
The new policy puts the NCSC in the potentially awkward position of knowing about violations of data privacy laws and withholding that information from other parts of government. The NCSC said that while it would not notify the ICO of breaches without permission, it would encourage organizations coming to the agency to comply with the law.
Since GDPR has been implemented, the NCSC has not seen any change in the number or size of breaches being reported to it, Paul Chichester, the agency’s director of operations, said at a cybersecurity conference in Glasgow, Scotland, on Wednesday.
Dipple-Johnstone said that while NCSC’s primary focus was on helping organizations be resilient to cyberattacks, the ICO was more focused on protecting individuals’ data.
In a talk at the Cyber UK conference in Glasgow, Dipple-Johnstone said he also wanted to assure businesses that they could often inform the ICO of potential breaches without fear any commercially-sensitive information would be publicized.
The NCSC said it would seek to establish a similar arrangement about roles with U.K. law enforcement agencies that investigate cyberattacks.
Peter Goodman, head of the Derbyshire Constabulary, the local police for that English county, and the cybercrime lead for the U.K.’s National Police Chiefs Council, said at the Glasgow event that companies reporting cyberattacks to the police also need to not fear the police would automatically inform the data privacy regulator. Goodman also said that the police would never inform the ICO without permission.