Out-Law News 2 min. read
23 May 2013, 3:06 pm
The Department of Business, Innovation and Skills (BIS) has said that it will use the information it gathers to inform its assessment of the potential impact that proposed new EU cyber security and breach notification laws would have in the UK. BIS' 'call for evidence' (21-page / 176KB PDF) has been issued in relation to the draft Network and Information Security (NIS) Directive which the European Commission first published in February.
Under the NIS Directive a range of businesses across the financial services, energy and technology sectors, such as banks, energy companies, platforms for online trade and cloud computing providers, would be among those that would have to notify regulators of "significant" cyber security incidents that they experience.
The businesses required to adhere to the proposed Directive could potentially face sanctions for not having in place sufficiently secure systems and for failures to notify regulators of significant cyber breach cases affecting them.
The Commission said that it was seeking to expand the existing security breach notification regime that operates in the telecoms sector in order to better protect firms from NIS risks and incidents.
Under the Commission's proposals not all breaches reported to the regulators would necessarily be conveyed to the public, but regulators would be required to determine on a case-by-case whether it was in the public interest to inform them. The regulators would be obliged to share information with one another on cyber security risks in accordance with the proposed framework. A separate notification regime for cases involving breaches of personal data would operate under new EU data protection laws that have been proposed.
The Government said that it broadly supports the Commission's plans, but it said that it wants to avoid "unnecessary burdens" being place on businesses or the public sector.
"The UK shares the Commission's desire to improve levels of network and information security across the EU," BIS said in its 'call for evidence' document. "We want to ensure that the internal market is a safe place to do business and that Member States know who to contact in the case of a cyber incident and can effectively work together."
"The UK is supportive of the broad objectives the Directive is seeking to achieve, however we will need to ensure that the proposals create the right incentives for the private sector to share information, best practice and good governance," it added. "The UK Government is preparing an initial impact assessment on the potential effects of the Directive in the UK and is launching this call for evidence to gather data to inform the evidence base for this assessment."
Among the information that the Government is seeking is details about when firms consider that a "network or information breach" constitutes a cyber security 'incident'. It also wants to find out whether respondents are obliged to report such incidents to regulators currently or whether or not they voluntarily report them.
In addition, the Government wants to find out how many cyber security incidents companies have reported in the past financial year as well as detail on the types of incidents that occurred. Respondents are also encouraged to detail any differential between the number of incidents experienced and the number businesses reported, as well as the average cost incurred for dealing with the incidents.
Organisations are also encouraged to provide their views on what they perceive would be the consequences to their business in complying with the proposed new Directive, as well as any potential benefits they think the new regime could provide.
Companies wishing to respond to the call for evidence have to do so by Friday 21 June.
