Not a snitch. GCHQ agency promises not to share breach information with watchdog unless victim gives permission
The National Cyber Security Centre (NCSC), part of GCHQ, has promised not to share data breach information with the Information Commissioner's Office (ICO) unless given permission by the victim.
The commitment comes amid speculation that businesses are worried that if they informed the GCHQ agency of a cyber attack, the agency would in turn pass on any incriminating evidence to the data protection watchdog.
The intelligence services are seeking to work more closely with commercial entities to help them combat rising cyber attacks. Earlier this week, for example, GCHQ said that it would begin sharing intelligence with British banks in an attempt to tackle fraud and cyber attacks.
The announcement that the NCSC would not pass breach information to the UK regulator was made at CyberUK, the government's annual security conference.
The commitment came when NCSC chief executive Ciaran Martin was seeking to explain the data sharing relationship between his agency and the Information Commissioner's Office.
“The development of this understanding is as a result of a constructive working relationship between our organisations, and we remain committed to an open dialogue on strategic issues,” he was quoted as saying by Computer Weekly. “While it’s right that we work closely together, the NCSC will never pass specific information to a regulator without first seeking the consent of the victim.”
The NCSC and the information watchdog did, however, agree at the security conference to work together to improve support for data breach victims and to enhance cyber guidance.
But at least one security expert is concerned by the development.
“As laws and regulations delivered stringent security and privacy requirements over the years, the private and government sectors scrambled to ensure compliance,” said Fouad Khalil, VP of Compliance at SecurityScorecard.
“We witnessed exemptions over the years for different use cases and varying government entities, but the exemption window has dwindled down dramatically,” said Khalil. “We are at a milestone today where security and privacy are everyone’s responsibility.”
“Being a practitioner with a focus on continuous compliance and a security professional focused on protecting what’s important makes me a strong proponent of ‘no exemptions allowed for anyone or any entity,’” he said. “We have to always be diligent with continuous oversight over risks to the security and privacy of personal data.”
And Khalil was clear he thinks the NCSC and ICO decision is not a good one.
“When we witness scenarios such as the UK’s cybersecurity agency not automatically sharing information about data breaches with the country’s data privacy regulator, it concerns me as a professional and as a data subject,” said Khalil.
“Their reasoning is to prevent new data privacy laws from having a chilling effect on businesses’ willingness to share information about cyber attacks with the government,” he added. “This reasoning is contradictory to the root cause for having privacy laws in the first place – to ensure everyone’s personal information is protected and there are laws that force that.”
“We should not have to draw the line now between government entities on who should comply or who should not,” he concluded. “Companies experiencing a breach and not reporting in fear of getting fined is the behaviour we are trying to eliminate. We can be compliant with laws and regulation and yet maintain a solid security posture that does not increase the level of risk we face every day. If the NCSC relies on breach data to ensure ongoing critical infrastructure protection, their risk management strategies need to be revisited.”