Telecommunications (Security) Act 2021

4Informing others of security compromisesU.K.

(1)The Communications Act 2003 is amended as follows.

(2)After section 105I insert—

“105JDuty to inform users of risk of security compromise

(1)This section applies where there is a significant risk of a security compromise occurring in relation to a public electronic communications network or a public electronic communications service.

(2)The provider of the network or service must take such steps as are reasonable and proportionate for the purpose of bringing the relevant information, expressed in clear and plain language, to the attention of persons who use the network or service and may be adversely affected by the security compromise.

(3)The relevant information is—

(a)the existence of the risk of the security compromise occurring;

(b)the nature of the security compromise;

(c)the technical measures that it may be reasonably practicable for persons who use the network or service to take for the purposes of—

(i)preventing the security compromise adversely affecting them;

(ii)remedying or mitigating the adverse effect that the security compromise has on them; and

(d)the name and contact details of a person from whom further information may be obtained about the security compromise.

105KDuty to inform OFCOM of security compromise

(1)The provider of a public electronic communications network or a public electronic communications service must inform OFCOM as soon as reasonably practicable of—

(a)any security compromise that has a significant effect on the operation of the network or service;

(b)any security compromise within section 105A(2)(b) that puts any person in a position to be able to bring about a further security compromise that would have a significant effect on the operation of the network or service.

(2)In determining for the purposes of this section whether the effect that a security compromise has, or would have, on the operation of a network or service is significant, the following matters in particular are to be taken into account—

(a)the length of the period during which the operation of the network or service is or would be affected;

(b)the number of persons who use the network or service that are or would be affected by the effect on the operation of the network or service;

(c)the size and location of the geographical area within which persons who use the network or service are or would be affected by the effect on the operation of the network or service;

(d)the extent to which activities of persons who use the network or service are or would be affected by the effect on the operation of the network or service.

105LPowers of OFCOM to inform others of security compromise

(1)This section applies where OFCOM consider that—

(a)there is a risk of a security compromise occurring in relation to a public electronic communications network or public electronic communications service; or

(b)a security compromise has occurred in relation to a public electronic communications network or public electronic communications service.

(2)OFCOM must inform the Secretary of State of the risk of or (as the case may be) the occurrence of the security compromise if they consider that the security compromise could result in or has resulted in—

(a)a serious threat to the safety of the public, to public health or to national security;

(b)serious economic or operational problems for persons who are communications providers or persons who make associated facilities available; or

(c)serious economic or operational problems for persons who use electronic communications networks, electronic communications services or associated facilities.

(3)OFCOM may inform the Secretary of State of the risk of or (as the case may be) the occurrence of the security compromise in a case where the duty in subsection (2) does not arise.

(4)OFCOM may inform any of the following about the risk of or (as the case may be) the occurrence of the security compromise—

(a)any person who uses or has used the network or service;

(b)any communications provider;

(c)any person who makes associated facilities available;

(d)any overseas regulator;

(e)the European Union Agency for Cybersecurity.

(5)OFCOM may inform any person who uses or has used the network or service of the technical measures that may be taken by the person for the purposes of—

(a)preventing the security compromise adversely affecting them; or

(b)remedying or mitigating the adverse effect that the security compromise has on them.

(6)OFCOM may direct the provider of the network or service to take steps specified in the direction for the purposes of—

(a)informing persons who use or have used the network or service of the risk of or (as the case may be) the occurrence of the security compromise;

(b)informing persons who use or have used the network or service of the technical measures that may be taken by them for a purpose mentioned in subsection (5)(a) or (b).

(7)OFCOM may if they consider it to be in the public interest—

(a)inform the public of the risk of or (as the case may be) the occurrence of the security compromise;

(b)inform the public of the technical measures that may be taken by members of the public for a purpose mentioned in subsection (5)(a) or (b);

(c)direct the provider of the network or service to do anything that OFCOM could do under paragraph (a) or (b).

(8)It is the duty of the provider of the network or service to comply with a direction given under this section within such reasonable period as may be specified in the direction.

(9)In this section “overseas regulator” means a person who, under the law of a country or territory outside the United Kingdom, has functions in relation to public electronic communications networks or public electronic communications services that correspond to functions that OFCOM have in relation to such networks or services.”

(3)In section 393 (general restrictions on disclosure of information) in subsection (6) (exceptions) in paragraph (aza) for “or 25” substitute “, 25 or 105L”.