NCSC and ICO aim to offer more support to data breach victims
The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have sought to clarify the roles each organisation plays in assisting with data breaches and ensuring that businesses understand what support is on offer.
Speaking at the second day of the NCSC's annual CYBERUK conference, NCSC chief executive Ciaran Martin and ICO deputy commissioner James Dipple-Johnstone clarified the relationship between the two bodies.
They outlined their commitment to greater clarity of the separate roles and responsibilities both organisations have after a cyber incident, which should make it easier for a victim to deal with the right authority at the right time.
It was highlighted that the NCSC's role will be to engage directly with victims to determine the nature of the incident and offer free and confidential advice to help mitigate its impact in the immediate aftermath.
Meanwhile, the ICO will take the lead on ensuring affected companies mitigate the risks to individuals and conduct an effective investigation to establish the circumstances of the breach.
Mr Martin added: "This framework will enable both organisations to best serve the UK during data breaches, while respecting each other’s remits and responsibilities."
Both bodies will share anonymised data to help boost their understanding of risk. However, Mr Martin stressed the NCSC "will never pass specific information to a regulator without first seeking the consent of the victim". This should therefore give firms reassurance they will be able to seek advice without fear of regulatory action.
This pledge was welcomed by some in the industry, with Joseph Carson, chief security scientist at Thycotic, telling ITPro: "Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber incident when time is critical, knowing it is the businesses' responsibility to report the incident to the ICO."
Mr Dipple-Johnstone also said it is essential organisations are clear on what to expect if they suffer a data breach, including what legal requirements they have to report the incident to the ICO, and what the potential implications will be if these rules are not followed.