[BreachExchange] NCSC and ICO pledge to support data breach victims

[Destry Winant]

https://www.computerweekly.com/news/252462242/NCSC-and-ICO-pledge-to-support-data-breach-victims

The National Cyber Security Centre (NCSC) and the Information
Commissioner’s Office (ICO) say greater clarity of roles will better
align responses to attacks, and have agreed a framework for
collaboration in a memorandum of understanding.

The agreement outlines the separate roles and responsibilities each
organisation has after a cyber incident, making it easier for a victim
to deal with the right organisation at the right time.

Ciaran Martin, CEO of the NCSC, said the NCSC will engage directly
with victims to understand the nature of the incident and provide free
and confidential advice to help mitigate its impact in the immediate
aftermath.

The NCSC will encourage impacted organisations to meet their
requirements under General Data Protection Regulation (GDPR) and the
Network and Information Systems (NIS) Directive, while reassuring
organisations that the NCSC will not share information reported to
them on a confidential basis with the ICO without first seeking the
consent of the organisation concerned.

Martin said the NCSC will also help the ICO expand their GDPR guidance
as it relates to cyber incidents.

James Dipple-Johnstone, ICO deputy commissioner, operations said the
ICO will focus its early stage engagement to the vital steps required
to help ensure affected organisations mitigate risks to individuals
and stand up an effective investigation.

The ICO will also establish circumstances of the incident, making sure
that organisations have adequately protected any personal data put at
risk and in circumstances of high risk to individuals organisations
have properly met their legal responsibilities.

Both organisations have committed to share anonymised and aggregated
information with each other to assist with their respective
understanding of the risk.

They have also committed to amplify each other’s messages to promote
consistent, high-quality advice to ensure the UK is secure and
resilient to cyber threats.

Martin said the framework will enable both organisations to best serve
the UK during data breaches, while respecting each other’s remits and
responsibilities.

“The development of this understanding is as a result of a
constructive working relationship between our organisations, and we
remain committed to an open dialogue on strategic issues,” he said.

“While it’s right that we work closely together, the NCSC will never
pass specific information to a regulator without first seeking the
consent of the victim.”

Dipple-Johnstone said it is important that UK organisations understand
what to expect if they suffer a cyber security breach.

“The NCSC has an important role to play in keeping UK organisation
safe online, while our role reflects the impact cyber incidents have
on the people whose personal data is lost, stolen or compromised,” he
said.

“Organisations need to be clear on the legal requirements when to
report these breaches to the ICO, and the potential implications,
including sizeable fines, if these requirements aren’t followed.”

Speaking at the CyberUK 2019 conference in Glasgow, Dipple-Johnstone
said the ICO will encourage organisations that report breaches to
report the incident directly to the NCSC where the ICO feels the
organisation could benefit from an NCSC response.

“It is a criminal offence for ICO members of staff to disclose any
information without certain strict criteria being met, so
organisations can report breaches to us without any fear of
proprietary information getting out because there are those checks and
balances in place.”

The NCSC said it will seek to forge similar enhanced clarity on its
working relationship with law enforcement colleagues who are at the
core of the response to malicious data breach incidents.