The UK’s National Cyber Security Centre and Information Commissioner’s Office used CYBERUK to provide clarification of their respective roles and how they intend to work together in combating the increasing risk associated with cyber incidents.
The NCSC is part of GCHQ with a broad remit to make the UK the safest place to live and work online, through the provision of effective responses to minimise the harm of cyber incidents and the gathering of intelligence to better protect against such incidents in the future. NCSC is focussed on the security aspect of cyber incidents from a systemic perspective, to help in the fight against cyber-crime. It is important to this work that companies feel that they can openly engage with the NCSC when they experience a cyber incident.
The ICO, on the other hand, is focused on the effect cyber incidents have on the people whose data may have been compromised, with security standards forming just part of that consideration. This is consistent with its remit as regulator. Therefore, whilst the ICO may get involved in initial steps to mitigate the effect of a cyber incident on individuals, its main focus is investigating whether there may have been a personal data breach.
In light of their different primary responsibilities, the NCSC has now confirmed that it will not share with the ICO information about a cyber incident that has been provided to it on a confidential basis. This public statement is no doubt driven by the desire to encourage organisations to report cyber incidents to the NCSC, to facilitate its work in examining and combating the ever-changing approaches being used by cyber criminals. Following the introduction of the GDPR last year and the ICO’s increased enforcement powers, organisations may be reluctant to notify another government body of a cyber incident if doing so would invite additional scrutiny from a regulator, even where the organisation has concluded the incident did not require a notification to the ICO. As an additional sweetener, the NCSC offers victims of cyber-attacks help and assistance in the aftermath of a breach.
The NCSC and ICO have sought to ensure that organisations have greater clarity over which is the right body to deal with, and when. A cyber-attack will not always give rise to an obligation to notify the ICO. However, where it does, it is important to recognise that whether or not an organisation has notified the NCSC does not change its reporting obligations to ICO under the GDPR.
It is timely to see this statement, coming in the same month that the UK Government announced its Online Harms White Paper, setting out its plans for a world-leading package of measures to keep UK users safe online, and shortly before DCMS announced its plans to introduce mandatory security labelling for IoT devices (see Giles Pratt's recent post here). These measures taken together are directed at the UK Government’s innovation strategy, which is a key priority in its broader industrial strategy. It is a recognition that data security is an essential underpinning of that strategy.