Telecoms companies have 24 hours to report major security breaches or outages, says Ofcom

Out-Law News | 08 Aug 2014 | 3:43 pm | 3 min. read

The speed at which telecoms network and service providers must notify Ofcom of security incidents or outages depends on whether those incidents would be likely to draw media or political attention, the regulator has said.

Ofcom has published new guidance (27-page / 217KB PDF) setting out the practical steps telecoms network and service providers must take to comply with UK laws requiring them to inform the regulator of certain security or outage incidents they encounter. It said incidents likely to attract media or political scrutiny must be reported faster than other, less serious, incidents those companies record.

"Major incidents or incidents that are likely to generate media or political interest should be reported within 24 hours of commencing," Ofcom said. "Other incidents should ideally be reported within a few days of the incident commencing, or in batches where there are a significant number of ‘non major’ incidents."

Under the Communications Act, telecoms companies are subject to an overarching obligation to protect the security of the network or services they provide. They "must take technical and organisational measures appropriately to manage risks to the security of public electronic communications networks and public electronic communications services". This includes taking steps to ensure that the impact of any security incidents on customers is prevented or minimised.

Telecoms network providers are required to inform Ofcom if they suffer a breach of security that "has a significant impact on the operation" of their network or if there is a "reduction in the availability" of their network that has "a significant impact on the network". Telecoms service providers are also required to notify Ofcom if they suffer a security breach which has a significant impact on the operation of their service.

Ofcom's new guidance sets out more detail on the security measures telecoms providers must have in place. It also explains that "additional mitigations" may need to be implemented to protect security where functions are outsourced. Ofcom said providers should discuss with it any outsourcing plans that "may have significant security implications" so as to "minimise the risk of any future compliance concerns".

The guidance also sets out the criteria telecoms companies should use to work out whether an incident they experience triggers the obligation to report it to Ofcom.

The criteria account for qualitative factors, such as whether an incident has been reported to other government agencies or is referenced in the media. 'Reportable incidents' also include those that are a recurrence of previous problems and those that the companies know could be linked to "loss of life".

Other incidents are reportable on the basis of their impact on users of the networks or services, measured against the "numerical thresholds" stipulated in the guidance.

For fixed-line network or service providers, for example, a security or outage incident that affects at least 100,000 customers for at least an hour will have to be reported to Ofcom.

The regulator did not, though, disclose the specific numerical thresholds that apply to mobile network operators (MNOs) for triggering their breach reporting duties.

"Due to the complexity of mobile networks and the inherent difficulty in determining the exact number of end customers affected by an incident, Ofcom has agreed a reporting process with each of the four UK mobile operators which is based on their individual definitions of a major service failure (MSF)," Ofcom said.

"Network MSFs are incidents which have a significant impact on the network and are raised to senior management within the MNO. The exact details of an MNO's MSF criteria are commercially sensitive so will not be discussed here. The ultimate intention is to ensure reporting of mobile incidents which cause similar levels of customer disruption to those reportable on fixed networks," the guidance said.

Ofcom has the power to audit telecoms companies’ compliance with the security and resilience obligations and can issue fines of up to £2 million against companies that fall short of the standards set under the Act.

In its updated guidance, Ofcom suggested that companies that engage in an "effective and co-operative" manner with it would be less likely to fall subject to audits, which the companies must pay for. "We expect to use this power only in exceptional cases and that these will occur infrequently", it said.

The guidance outlines the type of information that telecoms companies need to include when submitting reports about security or reduced availability incidents they have experienced.

Among the details the incident reports should include are a brief summary of the incident, the time it occurred, its geographical impact, at least an estimate of the total number of customers affected and "details of action taken to manage and remedy the incident, and any measures taken to mitigate the risk of reoccurrence", it said.