On 8 August 2014, Ofcom published new guidance on how communication service and network providers should comply with the security measures brought into force in the UK, following revisions to the Communications Act 2003 (“CA 2003”) (made in response to changes to the European Communications Regulatory Framework). The new guidance replaces the previous guidance published by Ofcom in May 2011.
Historically, the security and reliability of networks and services were not fully addressed or formally regulated. However, on 25 May 2011, sections 105A to 105D were inserted into CA 2003 (the “Network Security Requirements”), imposing specific security and reliability requirements on providers of public communications networks and services (“CPs”). While Ofcom quickly released guidance in the same month, it has long been considered that an update would be required, given the rapid growth and importance of communications networks and services (particularly with respect to online banking and shopping) and the correspondingly increasing concerns around cyber security (as recently highlighted by the nude celebrity scandal).
Much of the focus on Ofcom’s latest guidance will relate to the obligation to notify Ofcom of a security breach. The Network Security Requirements provide that CPs must notify Ofcom where there is “a breach of security which has a significant impact on the operation of a public electronic communications [network]/[service]”. However, the Network Security Requirements do not specify a time frame within which such notice must be given.
Ofcom has attempted to clarify this by requiring CPs to give notice of “major incidents or incidents that are likely to generate media or political interest” within 24 hours of the incident commencing (note: the clock runs from when the incident began, not from when it was identified). Other, less serious breaches (but presumably still resulting in a “significant impact”, given that this is the notification threshold under the Network Security Requirements) should be reported within a few days or, where there is a series of non-major breaches in a month, in a batched incident report provided before the second Monday of the following month.
To further clarify which incidents should be reported, Ofcom has set out qualitative and numerical thresholds. Should a security breach incident satisfy either threshold, it must be reported to Ofcom. Examples of incidents meeting the qualitative threshold include those that have been reported to other Government agencies or departments (e.g. the ICO) or have been reported in the media. The numerical thresholds relate to the number of end customers affected over certain periods of time, and they differ depending on whether the incident affects communication with the emergency services or general voice/data. For example, if a fixed network suffers an incident that, within a one-hour period, affects the ability of 1,000 end customers to access the emergency services, the incident must be reported. But if the same network suffers an incident affecting general voice/data, 100,000 end customers would need to be affected over the same period for the notification requirement to be triggered.
The numerical thresholds in relation to general voice/data also differ between fixed networks and mobile networks. Interestingly, Ofcom has refused to publish exact threshold figures for mobile networks, stating that “due to the complexity of mobile networks and the inherent difficulty in determining the exact number of end customers affected by an incident, Ofcom has agreed a reporting process with each of the four UK mobile operators, which is based on their individual definition of a major service failure”.
The qualitative and numerical thresholds offer some clarity as to which incidents must be reported. However, while it may be clear to CPs which incidents are likely to generate media or political interest, Ofcom has not fully clarified which other incidents should be regarded as “major” breaches (and therefore require notification within 24 hours) and which would be classified as non-major (requiring notification only within a few days).
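To make the reporting logic described above concrete, the following is an added illustration (not Ofcom’s own tool, and not part of the original article) that triages a constructed incident record against the thresholds quoted here. It assumes the fixed-network figures (1,000 emergency-service customers or 100,000 voice/data customers within one hour), treats the unpublished mobile thresholds as undecidable, and uses the batched monthly report date as the latest deadline for non-major incidents; the field names are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed-network numerical thresholds quoted above (end customers affected in one hour).
# Mobile figures are not published (agreed per operator), so none are hard-coded.
FIXED_THRESHOLDS_1H = {"emergency": 1_000, "voice_data": 100_000}

@dataclass
class Incident:                        # constructed record; field names are assumptions
    started: datetime                  # when the incident commenced, not when detected
    network: str                       # "fixed" or "mobile"
    service: str                       # "emergency" or "voice_data"
    customers_affected: int            # end customers affected within the one-hour window
    reported_to_agency: bool = False   # e.g. already reported to the ICO (qualitative)
    in_media: bool = False             # already reported in the media (qualitative)
    likely_media_or_political: bool = False  # the guidance's 24-hour trigger

def meets_qualitative(inc: Incident) -> bool:
    return inc.reported_to_agency or inc.in_media

def meets_numerical(inc: Incident):
    if inc.network != "fixed":
        return None  # undecidable here: mobile thresholds are operator-specific
    return inc.customers_affected >= FIXED_THRESHOLDS_1H[inc.service]

def second_monday(year: int, month: int) -> datetime:
    first = datetime(year, month, 1)
    first_monday = first + timedelta(days=(7 - first.weekday()) % 7)
    return first_monday + timedelta(days=7)

def batch_deadline(started: datetime) -> datetime:
    # Batched report of non-major incidents: before the second Monday of the next month.
    if started.month == 12:
        return second_monday(started.year + 1, 1)
    return second_monday(started.year, started.month + 1)

def classify(inc: Incident):
    # Returns (must_report, category, latest_deadline); must_report is None when the
    # answer depends on the operator-agreed mobile definition the guidance does not quote.
    numerical, qualitative = meets_numerical(inc), meets_qualitative(inc)
    if numerical is None and not qualitative:
        return None, "mobile: apply operator-agreed major-service-failure definition", None
    if not (qualitative or numerical):
        return False, "below notification thresholds", None
    if inc.likely_media_or_political or inc.in_media:
        # The 24 hours run from the incident commencing, not from its detection.
        return True, "major", inc.started + timedelta(hours=24)
    # Non-major: "within a few days", or at the latest in the batched monthly report.
    return True, "non-major", batch_deadline(inc.started)
```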
Standards of security
One of the key concerns of commentators, prior to the release of the updated Ofcom guidance, was how Ofcom would balance the necessity of having a standard approach to security against any disproportionate burden which may be placed on smaller public communications providers who are required to adopt the same approach to security and notification as the larger providers.
Ofcom appears to have considered this issue, at least in respect of the notification requirements (as discussed above). The numerical thresholds for both fixed and mobile networks in relation to voice/data are based on the percentage of total end user customers (rather than a fixed number applicable to all CPs regardless of size). Further, the qualitative thresholds, although not entirely subjective, may not apply as easily to the smaller CPs. For example, an incident may be regarded as significant to a small CP but not attract any media attention and therefore not require notification (provided the other qualitative and numerical thresholds are not met).
However, Ofcom’s guidance on the standard of security measures to be adopted by CPs does tend towards a “one-size-fits-all” approach. Whether this will impose additional costs on smaller public communications providers and therefore distort competition in the market remains to be seen. The guidance sets out what is expected of CPs in a range of areas, including which measures are appropriate to manage risks to security and which steps are appropriate to protect network availability.
Other security regulations
The Guidance makes it clear from the outset that there is a potential overlap between the security and notification requirements under the Network Security Requirements and the requirements to protect the confidentiality of personal data in other regulations (such as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the 2011 amendment regulations) (“PECA”)) and statute (such as the Data Protection Act 1998 (“DPA”)).
In acknowledging this overlap, Ofcom steps away from providing any guidance where personal data is involved, stating that this remains a matter for the ICO. CPs will therefore need to be mindful of the minimum security measures they must have in place under the DPA in respect of personal data. Further, where a security breach occurs that requires notification to Ofcom and also involves the processing of personal data, the relevant CP would need to notify Ofcom (as outlined above) and also notify the ICO in accordance with PECA. Failure to notify the ICO could result in a fine, regardless of whether Ofcom has been notified.