Out-Law News

UK GDPR fines could be linked to NCSC engagement


Businesses found to have breached UK data protection laws when falling victim to cyber attacks could receive lower fines in respect of those infringements if they engage appropriately with the UK’s National Cyber Security Centre (NCSC), under a new agreement forged by the NCSC and the UK’s data protection authority.

The memorandum of understanding (MoU) (8-page / 313KB PDF) signed by the NCSC and Information Commissioner’s Office (ICO) commits the ICO to increasingly “recognise and incentivise appropriate engagement with the NCSC on cyber security matters in its approach to regulation”.

It said: “Specifically, the commissioner will publicise (on its website, in guidance, and in relevant press releases) that it looks favourably on victims of nationally significant cyber incidents who report to and engage with the NCSC and will consider whether it can be more specific on how such engagement might factor into its calculation of regulatory fines.”

Cyber risk experts Laura Gillespie and Stuart Davey of Pinsent Masons said businesses should factor the MoU into their cyber incident response plans.

“The MOU builds on the working relationships already in place,” Gillespie said. “The NCSC provides a range of tools to organisations in seeking to protect and prevent cyber incidents, which includes the Cyber Assessment Framework (CAF). What organisations will be keen to understand is how the use of the CAF may be viewed and followed by the ICO.”

“With the ICO to continue to recognise and incentivise appropriate engagement with the NCSC, organisations hit by cyber incidents will clearly need to consider appropriate engagement with law enforcement as part of their incident response plans,” she said.

Davey said the MoU was noteworthy in other respects too, including because it explicitly records that the NCSC will not share information from an organisation it is engaged with due to a cyber incident with the ICO unless it has the consent of the organisation to do so.

“Organisations dealing with a live cyber incident may take some comfort that they can rely upon the NCSC’s expertise without any disclosure being shared with the regulator,” he said.

Davey said the MoU also confirms the position as set out in the UK’s Network and Information Systems (NIS) Regulations 2018, whereby the ICO has certain obligations to make a report to the NCSC in its capacity as the UK’s Cyber Security Incident Response Team (CSIRT), and that the NCSC and ICO will consult each other before making any public communications about an incident.

He added: “The NCSC’s CAF is used by a number of regulators to assess compliance with the NIS Regulations 2018. It will be interesting to see whether the ICO intends to use the CAF to assess regulatory compliance, either as the regulator of ‘relevant digital service providers’ under NIS, or more broadly, including in relation to data protection regulation. Whilst the CAF is likely to be really useful for organisations to consider their own cyber posture, clear guidance would be expected from the ICO if it intends to use the CAF to assess compliance with regulatory obligations.”

Separately, the NCSC, together with the UK’s National Crime Agency (NCA), published a new paper which highlights the criminal ecosystem that underpins ransomware attacks.

Ransomware is a form of malicious software that criminals use to restrict businesses’ access to their own systems and data and extort a ransom payment in return for restoring that access. The NCSC has recognised ransomware as the biggest cyber threat facing the UK, while data made public by the ICO shows an increase in ransomware-related personal data breach incidents in recent years.

Davey said the NCSC and NCA’s paper re-emphasises the importance of good cyber regulatory oversight, including the role of the ICO under the UK General Data Protection Regulation (GDPR).

“Data leak sites became popular in the hope of pressuring victims that could face large fines under laws such as UK GDPR and the Data Protection Act 2018,” the NCSC and NCA said. “While the threat of leaking sensitive data (whether intellectual property or personal data) often carries real weight with victims, the victim can be liable for not protecting the data, regardless of whether it becomes public on the leak site.”

Davey said that it is important for businesses to understand the full implications involved in making a ransom payment, including the risks of breaching financial sanctions and the fact that paying a ransom demand will not help them avoid regulatory repercussions for the original incident.

The NCSC and NCA said: “While cyber crime exists in most countries around the world, the major threat to the UK emanates from the Russian-speaking community that have benefited from the larger OCGs (organised criminal gangs) helping shape the forums where these services are traded. Like other criminal services, ransomware has been adapting to this marketplace to become more accessible and scalable through groups selling ransomware as a service (RaaS). The resulting increase in criminals adopting ransomware and extortion tactics means that smaller criminal groups, working together, can make a large impact.”
