If you think your organisation has never experienced a data breach, it may be time to reconsider: it has likely happened on several occasions without you even being aware of it. According to The State of Email Security Report 2019 - South Africa, key findings over the preceding 12 months include that 94% of organisations experienced phishing attacks, 88% experienced email-based spoofing of business partners or vendors and 73% of victims of impersonation or other attacks faced a direct resulting loss.
Once the Protection of Personal Information Act 4 of 2013 ("POPI") comes into force there will be an obligation on all organisations to report data breaches and currently, the office of the Information Regulator is receptive to voluntary notifications of breaches. In addition, certain bodies such as the South African Reserve Bank ("SARB") have imposed strict requirements to notify the SARB in the event of material information technology and cyber incidents. See our previous article in this regard.
In terms of section 22 of POPI, where there are reasonable grounds to believe that the personal information of a data subject (i.e. natural or juristic person) has been accessed or acquired by any unauthorised person, the organisation must notify the Information Regulator and the data subject, unless the identity of such data subject cannot be established.
The notification must be made as soon as reasonably possible after the discovery of the data breach, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the organisation's information system.
The notification to the data subject must be in writing and communicated in a prescribed manner. It may only be delayed if a public body responsible for the prevention, detection or investigation of offences, or the Information Regulator, determines that notification will impede a criminal investigation by that public body.
The notification must be made in writing and provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including a description of the possible consequences of the security compromise.
In terms of article 33 of the European Union General Data Protection Regulation ("GDPR") (which has been in force since May 2018) certain South African entities must notify supervisory authorities in the European Union of a personal data breach. Such notification must include prescribed details and be made without undue delay and, where feasible, not later than 72 hours after having become aware of it. Any notification made after 72 hours must be accompanied by reasons for the delay.
Section 2(b) of POPI provides that one of the purposes of POPI is to regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information. In addition, the preamble of POPI stipulates that the objectives of the Act include the "regulation, in harmony with international standards, of the processing of personal information by public and private bodies..."
It is therefore likely that the reference to "as soon as reasonably possible" in respect of breach notifications under POPI would be interpreted against the GDPR benchmark of 72 hours.
The reporting process (and any associated liability) can be costly to an organisation. IBM's 2019 Cost of a Data Breach Report indicated that, in South Africa, data breaches averaged a total cost of R43.3-million. It is important to make sure that your organisation has adequate insurance cover. According to the 2019 Best Market Segment Report in the USA, there were more than 12 million first-party insurance claims for costs associated with breach notifications, credit monitoring for customers and business interruption costs. Apart from the direct costs of a data breach, the indirect costs of dealing with it can be astronomical. A good example of this is the Equifax case, where the costs of dealing with a major data breach exceeded USD2-billion.
As cyber threats continue to rise, it is imperative that your business is well protected and that the organisation is in a position to deal with a breach and its consequences. It goes without saying that an incident response plan is a must-have for any organisation. What is clear is that there will be no time for panic after a data breach. It will be important to be prepared for a data breach and to adopt a problem-solving attitude in order to respond to the breach in a logical and organised way.
POPI, PAIA, GDPR and Information Officer training
ENSafrica's data protection and regulatory experts, Era Gunning and Ridwaan Boda, will be hosting a one-day seminar in Cape Town, Durban and Johannesburg in October and November 2019. This training will focus on practical compliance with POPI, the POPI Regulations, the Promotion of Access to Information Act ("PAIA"), as well as the EU General Data Protection Regulation ("GDPR"). The seminar covers the general application of POPI and sets out practical steps to start implementing POPI/PAIA/GDPR compliance in the organisation.
Cyber Breach Training for Financial Services Providers
In order to assist financial services providers in preparing their Cyber Incident Response Plans, ENSafrica's POPI experts, Era Gunning and Ridwaan Boda, and cyber insurance expert, Nicole Gabryk, are offering half-day in-house training sessions focusing on regulatory and practical compliance with the security provisions in POPI.
High-level training on the rapidly-changing financial regulatory landscape in South Africa
Various ENSafrica specialists join forces to provide a 2- to 3-hour high-level overview to the board (or other stakeholders) of financial services providers on the dramatic overhaul of the financial regulatory landscape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.