There are less than 100 days to go until the Protection of Personal Information Act, 2013 ("POPIA") will require mandatory data breach notifications (both to the Information Regulator and, in almost all instances, the affected data subjects) for all responsible parties that process personal information.
If your organisation is faced with a cyber-incident or data breach, it is imperative that you have a clear, effective and robust plan on hand to deal with these incidents.
Experian recently released its Data Breach Response Guide 2020-2021 . The guide indicates that:
- During the first nine months of 2020, there was a 30% decrease in the number of data breaches reported, compared to the previous year. This is largely attributed to more organisations putting in place data breach response plans and advocates that organisations put measures in place to "greatly minimize the damage and disruption" to organisations arising out of cyber-incidents.
- Cyber-attacks are increasing, due to the fact that previously compromised information gets put to use for "ransomware, phishing and brute force attacks. In some cases, cybercriminals deliberately targeted individuals, organisations and municipalities that are already strained by the pandemic."
What is a data breach under POPIA?
Section 22 sets out that security compromises (data breaches) occur anytime there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person (which in turn triggers the comprehensive, mandatory data breach reporting obligations of the responsible party as soon as reasonably possible).
This can mean that a variety of incidents, both intentional and unintentional, can constitute a data breach under POPIA. The European Data Protection Board ("EDPB"), in January 2021, released its guidelines (for public consultation) on "Examples of Data Breach Notification" under the General Data Protection Regulation (GDPR), and some examples provided by the EDPB are equally applicable to possible examples of breaches under POPIA:
- Ransomware (with or without data (personal information) exfiltration)
- Exfiltration of data (personal information) by a former employee
- Accidental transmission of data (personal information) to a third party
- Stolen material (storing either encrypted or unencrypted data (personal information))
Costs and losses arising from data breaches:
IBM Security, in August 2020, announced the results of a study examining the financial impact of data breaches in South Africa, finding that, on average, these incidents cost organisations ZAR40.2-million per breach.
In addition, the Government of the United Kingdom recently released its statistics on cyber security breaches survey 2021 and found that:
"Among the 39 per cent of businesses and 26 per cent of charities that identify breaches or attacks, one in five (21% and 18% respectively) end up losing money, data or other assets. One-third of businesses (35%) and four in ten charities (40%) report being negatively impacted regardless, for example because they require new post-breach measures, have staff time diverted or suffer wider business disruption."
How does my organisation respond to a data breach?
If your organisation is faced with a cyber-incident or data breach, it is imperative that you have a clear, effective and robust plan on hand to deal with these incidents. Having a clear, readily-accessible incident response plan available to implement immediately upon becoming aware of any cyber-incident or data breach is vital.
It is also important to take legal advice in order to preserve legal privilege, implement periodic dry-runs, training, awareness and testing of any incident response plan to ensure that your incident response plan is effective. This will facilitate and enable your organisation to comply with its obligations under POPIA, navigate the aftermath of cyber-incidents and data breaches and mitigate any possible liabilities faced by your organisation.
In addition, the UK survey findings "highlight that a minority of organisations overall have taken actions in the following areas - although they are far more common among medium and large businesses:
- taking out some form of cyber insurance (43% of businesses and 29% of charities) - this is up from 32 per cent for businesses in 2020
- undertaking cyber security risk assessments (34% and 32%)
- testing staff, such as through mock phishing exercises (20% and 14%)
- carrying out cyber security vulnerability audits (15% and 12%)
- reviewing cyber security risks posed by suppliers (12% and 8%)."
Bearing in mind the potentially enormous losses that businesses can face due to cyber-attacks, it is imperative for organisations to plan and to take such steps as are appropriate for managing and mitigating the impact of a cyber-event. This will include taking appropriate legal advice, implementing proactive, protective policies and procedures, and purchasing specific or tailored cyber-insurance policies intended to cover losses associated with data breaches or cyber-attacks. These losses include network or business interruption losses, third party liability losses, cyber extortion/ransomware demands and the costs of the appointment of various professionals such as forensic services and legal assistance.
ENSafrica provides comprehensive and full-service cyber, data privacy and data-breach advice and assistance, including the preparation of practical and comprehensive incident response plans tailor-made to your organisation, data breach readiness coaching, all aspects of post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches. We also provide comprehensive coverage advice to clients in relation to cyber insurance policies
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.