U.K. Cybersecurity Agency Won't Tell Regulator About Breaches

The U.K.’s cybersecurity agency said it won’t automatically share information about data breaches with the country’s data privacy regulator, according to Bloomberg.

The decision, which the National Cyber Security Centre and the Information Commissioner’s Office jointly announced, is designed to prevent new data privacy laws from having a chilling effect on businesses’ willingness to share information about cyber attacks with the government. The European Union’s General Data Protection Regulation allows national regulators such as the U.K.’s ICO to impose fines up to 4 percent of global revenue for data breaches.

The NCSC, which works with British industry to strengthen the defenses of the U.K.’s critical national infrastructure against cyberattacks, worried these large fines would deter companies from reporting hacks for fear the agency would inform the ICO. "While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim," Ciaran Martin, chief executive officer of NCSC, said in the statement.

The NCSC said it would continue to help victims of cyberattacks and provide free, confidential advice on how to mitigate breaches. James Dipple-Johnstone, deputy commissioner of the ICO, said in a statement that while the regulator had agreed to this "clarification of roles" with NCSC, companies and organizations still had a legal obligation to tell the regulator about data breaches or risk substantial penalties.

The new policy puts the NCSC in the potentially awkward position of knowing about violations of data privacy laws and withholding that information from other parts of government. The NCSC said that while it would not notify the ICO of breaches without permission, it would encourage organizations coming to the agency to comply with the law.

Dipple-Johnstone said that while NCSC’s primary focus was on helping organizations be resilient to cyberattacks, the ICO was more focused on protecting individuals’ data. The NCSC said it would seek to establish a similar arrangement about roles with U.K. law enforcement agencies that investigate cyberattacks.