Data breaches: some valuable lessons learned and handy tips
With the proclamation of the commencement date of the Protection of Personal Information Act, 2013 ("POPIA") expected imminently, the extensive data breach notification obligations that POPIA imposes on organisations are of significant importance. On the occurrence of a data breach, organisations are required to notify the Information Regulator and the data subject(s) whose information has been compromised, and the notification must, at a bare minimum, set out the following:
- the identity of the party who accessed/acquired the data (if known);
- the possible consequences/effect of the breach;
- the measures taken (or proposed to be taken) by an organisation to remedy the breach; and
- the measures the data subject (whose information has been breached) should take to mitigate any possible adverse effects of the breach.
While data breach notifications to the Information Regulator are currently voluntary (and while there will be a grace period of 12 months from the commencement of POPIA for organisations to comply), some valuable lessons can be learned from jurisdictions where data breach reporting is already mandatory.
Data breach notifications became mandatory in Canada on 1 November 2018. A year on from that date, the Office of the Privacy Commissioner of Canada published some key lessons learned and gave some tips, a number of which we set out below, as they are useful and relevant to organisations in South Africa:
- while data breaches arose out of a variety of causes (including loss, theft and accidental disclosure), the majority of reported data breaches arose from unauthorised access to data (by "snooping" employees as well as external parties);
- organisations should take steps to fully understand what type of personal information they have, how the organisation gathers personal information, where it is stored, who has access to it and what they do with it;
- the significant increase in the number of reported data breaches is a reminder to organisations to carefully consider the safeguards they have in place to protect personal information;
- risk and vulnerability assessments should be carried out regularly by organisations in order to identify technical vulnerabilities, to check whether third parties who collect personal information on their behalf have sufficient protections in place, as well as to ensure that employees are aware of their privacy obligations and risks; and
- be aware of breaches in your industry: attackers tend to reuse the same methods against similar targets, so knowing about other incidents could prevent your business from becoming the next victim.
Having a comprehensive cyber insurance policy in place can greatly assist an organisation that suffers a data breach. Cyber insurance coverage typically covers the costs incurred during the notification process, which should ideally include the advice and assistance of a legal representative in preparing the notification to the Information Regulator, so as to ensure compliance with the statutory notification obligation.
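The first and second tips above (most reported breaches came from unauthorised access, often by "snooping" employees, and organisations should know who has access to which personal information) are only actionable if access to personal information is logged and the log is actually reviewed. The following is an added example, not code from the article or from the Office of the Privacy Commissioner: it runs two simple detections over a handful of constructed audit-log lines, flagging (a) an employee viewing a record that is not in their assignment and (b) a burst of many distinct records viewed within a short window, and then lists the records involved, which is the starting point for identifying the data subjects who must be notified. The log format, the assignment table and the burst thresholds are all hypothetical.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit-log lines (hypothetical format; not from the article).
SAMPLE_LOG = """\
2020-03-02T09:15:00Z user=jsmith role=clerk action=view record=CUST-1001
2020-03-02T09:16:10Z user=jsmith role=clerk action=view record=CUST-1002
2020-03-02T09:17:30Z user=jsmith role=clerk action=view record=CUST-2099
2020-03-02T10:02:00Z user=mnaidoo role=clerk action=update record=CUST-1001
2020-03-02T10:03:00Z user=mnaidoo role=clerk action=view record=CUST-3001
2020-03-02T10:03:05Z user=mnaidoo role=clerk action=view record=CUST-3002
2020-03-02T10:03:09Z user=mnaidoo role=clerk action=view record=CUST-3003
2020-03-02T10:03:12Z user=mnaidoo role=clerk action=view record=CUST-3004
2020-03-02T10:03:15Z user=mnaidoo role=clerk action=view record=CUST-3005
2020-03-02T11:00:00Z user=svc_backup role=service action=export record=ALL
"""

# Hypothetical assignment table: the records each user legitimately handles.
# In practice this comes from the case-management or CRM system.
ASSIGNMENTS = {
    "jsmith": {"CUST-1001", "CUST-1002"},
    "mnaidoo": {"CUST-1001", "CUST-3001", "CUST-3002",
                "CUST-3003", "CUST-3004", "CUST-3005"},
    "svc_backup": {"ALL"},
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) action=(\S+) record=(\S+)$")


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str
    record: str


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    reason: str
    records: frozenset  # records touched by the suspicious access


def parse_line(line):
    """Parse one audit line; refuse to guess on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts, user, role, action, record = m.groups()
    return AccessEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, role, action, record)


def detect_snooping(log_text, assignments, burst_window=60, burst_threshold=5):
    """Flag accesses outside a user's assignment and bursts of distinct records.

    A burst is reported once, at the event that pushes the number of distinct
    records seen within burst_window seconds to burst_threshold or more.
    """
    findings = []
    recent = defaultdict(list)  # user -> events still inside the burst window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)

        # Detection (a): record not in the user's assignment.
        if ev.record not in assignments.get(ev.user, set()):
            findings.append(Finding(ev.ts, ev.user,
                                    "record not in user's assignment",
                                    frozenset({ev.record})))

        # Detection (b): many distinct records in a short window.
        window = recent[ev.user]
        window.append(ev)
        cutoff = ev.ts - timedelta(seconds=burst_window)
        window[:] = [e for e in window if e.ts >= cutoff]
        distinct = {e.record for e in window}
        if len(distinct) >= burst_threshold:
            findings.append(Finding(
                ev.ts, ev.user,
                f"bulk access: {len(distinct)} distinct records within {burst_window}s",
                frozenset(distinct)))
            window.clear()  # one finding per burst
    return findings


def affected_records(findings):
    """Union of records across all findings: the input to 'who must we notify?'."""
    out = set()
    for f in findings:
        out |= f.records
    return sorted(out)


if __name__ == "__main__":
    found = detect_snooping(SAMPLE_LOG, ASSIGNMENTS)
    for f in found:
        print(f.ts.isoformat(), f.user, f.reason, sorted(f.records))
    print("records to review for notification:", affected_records(found))
```

On the sample data the first detection fires for jsmith viewing CUST-2099, and the second fires for mnaidoo, who is assigned all five CUST-30xx records but views them within 15 seconds; an assignment check alone would have missed that pattern, which is why both are worth running. The service account's export of ALL is not flagged because the assignment table says so; whether a blanket entry like that is acceptable is exactly the kind of question the "who has access to it and what they do with it" tip asks organisations to answer.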
POPIA in brief
Condition 7: security measures
The responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and unlawful access to or processing of personal information. In doing so, the responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or may be required in terms of specific industry or professional rules and regulations.
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Regulator; and the data subject, unless the identity of such data subject cannot be established or if a public body responsible for the prevention or the detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
The notification referred to above must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system.
GDPR: article 5(1)(f)
Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the 'integrity and confidentiality' principle).