Firms will no longer be able to report details of IT security attacks in confidence and directly to the UK’s specialist e-crime unit, as the launch of the Serious Organised Crime Agency (Soca) has meant the disappearance of the previous Confidentiality Charter.

The UK’s new agency against organised crime became operational this month. It amalgamates agencies including the National Criminal Intelligence Service and the National Hi-Tech Crime Unit (NHTCU) with investigators from Revenue & Customs and the Immigration Service. Soca’s top priorities are to combat the Class A drugs trade and immigration offences. IT crime is part of a longer list of lower-priority issues.

According to a Soca spokeswoman, while the old NHTCU is now part of Soca and has been rebranded as the E-Crime Unit, its functions will not change. However, there is no longer a Confidentiality Charter, which allowed firms to report computer attacks directly to the NHTCU with a guarantee of privacy. The charter was established because many firms were reluctant to report security breaches to the police, for fear of damage if the details became public.

“Now organisations reporting new IT crimes have to go to their local police station,” said the Soca spokeswoman, confirming that the Confidentiality Charter no longer exists.

A message at the address of the old NHTCU web site reads: “The NHTCU is no longer providing individual responses to enquiries either via this web site or direct email contacts. If you are a member of the public wishing to report a crime or criminal attempt, please contact your local police force.”

Security experts expressed concern over the changes. Joel Tobias, managing director of computer forensics specialist CY4OR, warned that as a new agency, Soca may initially struggle to deal with the levels of computer crime that it will face. He added that the dropping of the Confidentiality Charter could reduce reports to law enforcement agencies, as businesses try to protect their reputations.

Andrew Ross, technical services manager at Prolexic Technologies in Europe, a specialist in defences against distributed denial of service (DDoS) attacks, said that his firm’s customers had been encouraged by the charter to work with law enforcement agencies to pursue crooks. “These businesses are often nervous about portraying an insecure image to their customers, and also about provoking return attacks,” he added.

Ross said that directing firms to local police stations to report a computer crime is “a big backward step”. He added, “Can you imagine trying to explain to your local bobby that you have been under a 20 million packets per second UDP [or] SYN flood all weekend? He'd probably tell you to call the water board.” Ross warned that pushing such problems down to a local level risked crime reports being passed from one police branch to another and never actually being dealt with.

IT crime should also be viewed as different to other forms of organised crime, argued Ross. “The motivations differ - it's not always about money. DDoS is often committed for competitive advantage and censoring reasons as well as extortion,” he said. “The initial amounts of money discussed may not make the attack a ‘serious’ enough crime for it to fall into Soca's remit, but the repercussions for the targeted business could amount to a corporate death sentence.”

David Emm, senior technology consultant at antivirus specialist Kaspersky Lab, said that if it can retain its specialist focus on e-crime, Soca has the potential to do well in this area due to its far-reaching powers and resources. However, he said the handling of the switchover was not promising. “The NHTCU site had some great content and useful contacts but now it’s simply vanished,” Emm added. “The Soca site is not much more than a holding page, and does not replicate the NHTCU’s content.”

Emm also expressed concern over directing IT crime victims to local police forces. “Local police agencies won’t necessarily have in-depth IT skills, and are not as switched on to computer crime.”