ICO Notification Submitted? What Next? Other Bodies To Consider Notifying.
DAC Beachcroft
Show/Hide Tags

ICO Notification Submitted? What Next? Other Bodies To Consider Notifying.'s Tags

Tags related to this article

Download PDF Print page

ICO Notification Submitted? What Next? Other Bodies To Consider Notifying.

Published 24 junio 2021

In May’s edition of the Data and Cyber Bulletin we explored the key considerations for an organisation following a data breach. We noted the importance of notifying the ICO within 72 hours of an organisation becoming aware of a personal data breach. However, the ICO is not the only body to which an organisation can be obligated to notify following a data breach. Consequently, this month we will focus on the other organisations you may need to notify following a data breach, although we note this is not an exhaustive list.

1. Financial Conduct Authority (“FCA”)

Principle 11 of the FCA Handbook states that firms must disclose to the FCA anything relating to the firm of which the FCA would reasonably expect notice. It is established that material cyber incidents meet this threshold. A cyber incident is likely to be material if:

  • A significant amount of data is lost, or a firm’s availability and/or control of its IT systems is impacted;
  • A large proportion of customers are affected; or
  • The cyber attack results in unauthorised access to, or malicious software is found on, your firms information and communication systems.

Payment service providers should additionally note their obligations to make a notification following major operational or security incidents under the Payment Services Regulations 2017.

2. Prudential Regulation Authority (“PRA”)

The Bank of England regulates and supervises financial firms through the PRA. The PRA has eight Fundamental Rules which are similar to the FCA’s Principles for Businesses. Of particular note is Fundamental Rule 7 which mirrors Principle 11 of the FCA Handbook and obligates firms to be open and cooperative and disclose to the PRA matters of which the PRA would reasonably expect notice. As was considered above, if your firm is regulated by the PRA and has suffered from a cyber incident, assess whether the severity of incident is material enough that the PRA should be notified.

3. Action Fraud

If your organisation is the victim of a cyber incident perpetuated by a criminal, you should also consider reporting the breach to Action Fraud. Action Fraud is the UK’s national centre for reporting fraud and cybercrime. All reports are passed on for assessment by the National Fraud Intelligence Bureau who may then send them to police forces for investigation. Others may be sent to Action Fraud’s Prevention and Disruption Team where the fraud enabler i.e. a telephone number or website address, can be blocked to prevent other organisations from falling victims to the same cyber attack.

If you are in Scotland then reports should be made to Police Scotland.

4. National Cyber Security Centre (“NCSC”)

Cyber incidents may also need to be notified to the NCSC. The NCSC provides advice, guidance and support on cyber security and the management of cyber security incidents. The NCSC seeks to reduce the harm caused to victims of cyber attacks and uses the knowledge gained through notifications to update its guidance to help deter future attacks. It traditionally assists organisations with cyber incidents of national importance.

However, where there is a severe cyber incident, the NCSC may be able to:

  • Provide technical advice and guidance;
  • Use its knowledge of similar incidents to understand the data breach. This could include identifying the threat actor, its likely motive, any other organisations which may be targeted and if the compromise is likely to spread; or
  • Coordinate any cross-government response.

5. The Network and Information Systems Regulations 2018 (“NIS Regulations”)

If your organisation is an Operator of Essential Services, as defined under the NIS Regulations, then you should also consider whether you need to inform your Competent Authority of the cyber incident.

Overall, notifying organisations of a cyber incident is important for not only your organisation but also for the public and national authorities. It allows for the collection of data to understand cybersecurity trends, identify common weaknesses, common modes of attack and provide guidance to prevent similar attacks from occurring in the future.

Authors

< Back to articles

Related articles

ICO International Transfers Guidance Update

By Charlotte Halford, Holly Eastwood

Cyber Newsletter - November 2022

By Patrick Hill, Hans Allnutt, Eleanor Ludlam, Jade Kowalski, Charlotte Halford, Christopher Air

How Secure is Secure? What do recent ICO penalty notices tell us about GDPR security requirements?

By Hans Allnutt

NIS breaches, the national cybersecurity strategy and law enforcement engagement

By Eleanor Ludlam, Tom Evans

Cyber and Employment Law

By Eleanor Ludlam, Nicola Geary

Supply Chain Breaches

By Eleanor Ludlam, Charlotte Halford, Patrick Hill

Understanding Privacy-Enhancing Technologies (PETs)

By Rebecca Morgan, Johanna Lipponen

The EU Data Package

By Charlotte Halford, Christopher Air, Holly Eastwood

Update: US signs Executive Order establishing a new EU-US Data Privacy Framework

By Charlotte Halford, Holly Eastwood

UK Legislative Developments and the Impact on Cyber

By Eleanor Ludlam, Pavan Trivedi

Developments in Canadian Privacy Law

Recent Australian Cyber and Privacy Developments (July-September 2022)

American Data Privacy Protection Act (“ADPPA”): Is the U.S. Finally Getting Federal Data Privacy Protection?

Cyber Newsletter - September 2022

By Patrick Hill, Hans Allnutt, Eleanor Ludlam

Reminder: Use of UK International Data Transfer Agreement or UK Addendum mandatory from today 21 September

By Charlotte Halford

The Data Protection and Digital Information Bill: An Overview

By Jade Kowalski, Charlotte Halford, Christopher Air, Sophie Devlin, Eleanor Ludlam, Rebecca Morgan

Data And Cyber Bulletin - August 2022

By Patrick Hill, Hans Allnutt, Eleanor Ludlam

2022 ENISA Report Finds Ransomware Attacks Continue to Dominate the Global Cybersecurity Landscape

By Patrick Hill, Sonali Malhotra

A new Task Force report on Confronting Reality in Cyber Space has been published by the Council for Foreign Relations

By Hans Allnutt, Pavan Trivedi

Former NHS employee prosecuted and fined after illegally accessing patient records without a valid legal reason

By Sophie Devlin, Shanaka Wijetunge

This website uses cookies so that we can improve your experience. By continuing to use the site you are agreeing to our use of cookies. For more details please view our Cookies Policy.
DAC Beachcroft