The events in 2020 have impacted the way businesses work. They have led to an increase in remote working, which consequently has led to an increase in data breaches. This is due to businesses and consumers relying on the internet more often to conclude transactions and access data remotely. The most recent and largest breach in South Africa was when the details of close to 24 million consumers, held by the credit bureau Experian, landed in the hands of an unauthorised ‘fraudster’. The Information Regulator is concerned that the increase in these breaches may be as a result of cybercriminals knowing that there is no recourse in South Africa as we are still in the one-year grace period before businesses will need to be compliant with the POPI Act 4 of 2013, with effect from 1 July 2021.
Because of this increase in data breaches, fear of being the next victim of a data breach has increased among businesses. Many businesses have started to question whether they have enough security measures and controls in place to protect their business’ management information as well as their client’s personal information from a possible data breach.
Condition 1 of the POPI Act addresses Accountability. This condition requires that the responsible party (ie. the person who determines the purpose of and means for processing personal information) must ensure that the conditions for lawful processing are complied with. Specifically, at the time of determining the purpose of using/processing the personal information (e.g. application for life insurance), the means of the processing (e.g. obtaining an ID document and gathering health/medical information) and during the processing itself (e.g. entering the client’s information onto a product provider online system or an internal CRM system). It is one of the duties of the Information Officer to oversee that the business, as a whole, is structured in a manner to ensure the security, integrity and confidentiality of the personal information in its possession or under its control. This is ensured by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and unlawful access to or processing of personal information.
We have also seen how the Information Regulator has followed up on the data breaches that were recently widely publicised (eg. relating to Liberty and Experian) to ensure that client’s personal information is secured and not compromised any further e.g. determining what data was taken by the unauthorised party and where it has gone. The Information Regulator also requested further information from the business about how the breach occurred. This is to establish the circumstances relating to the data breach. Therefore, we can expect the Information Regulator to investigate what these businesses had done to prevent this breach from taking place in the first place e.g. assessing business processes and day-to-day habits (such as embedding data privacy practices into their day to day operations, identifying where possible security risks might occur and subsequently putting processes in place to manage these security risks. The Information Regulator also assesses where in the business a possible breach may occur, for example, whether the business has considered encrypting emails with sensitive information (e.g. financials, or health-related documentation) as a preventative measure.
In the case of Experian, the Information Regulator met with Experian to clarify the circumstances around the breach. They recommended interventions to comply with the POPI Act which include generally accepted information security practices and remained involved to ensure that Experian’s legal obligations, specifically in relation to data subject notification were complied with.
Businesses are witnessing the negative effects that data breaches have had on the reputation and sustainability of businesses. Those businesses affected by breaches have spent a lot of time in consultation with the Information Regulator. They have also had to spend time having to communicate with affected clients in an attempt to reassure them, manage their own reputational risk and having to spend large sums of money in the hope of repairing any damage done. For example, Postbank needed to replace almost 12 million bank cards after falling victim to a security breach which reportedly cost up to R1 billion. According to the IBM Security 2020 Cost of a Data Breach Report conducted by Ponemon Institute, on average, incidents cost South African companies R40.2 million per breach. They sampled 524 organisations for this study, with 19 of them from South Africa. The largest sectors represented in the study were financial, professional services, industrial and technology. The number of compromised records linked to the breaches included in the study ranged from 3 400 to 99 730.
Looking at how data breaches have impacted other businesses, consider asking yourself the following questions:
- Has my business implemented the adequate security measures and controls to protect itself from a possible data breach?
- Have my employees been equipped and trained to be aware of risks which could lead to possible data breaches?
- How far am I in terms of being POPI compliant to meet the deadline of 1 July 2021?
In this newsletter we look at ways to minimise the possibility of a data breach in your business with proper data privacy management. Managing data privacy interrelates with POPI compliance and business practices which support these concepts often lead to business sustainability and profitable opportunities, which are discussed in more detail below.
A compromise or breach of data could lead to a breakdown of trust, which could impact client retention. According to a survey by Gemalto, cited in an article by BusinessTech, nearly two-thirds of people indicated that they were likely to end their relationship with a business if their personal information had been exposed.
This is a sobering thought – would your business be able to operate sustainably if two-thirds of your clients left? Security safeguards protect the business against data breaches and therefore protect the business’ reputation. A business that has a reputation for protecting its client’s personal information may be presented with business opportunities. For example, experiencing an increase in business partners such as product suppliers which, in turn, increases the scope of product solutions to be offered because they have a sense of comfort that they are dealing with a reputable FSP. In turn, this may also lead to client referrals.
Preventing a breach from occurring is more viable and less damaging than trying to contain one. The financial costs related to a data breach can be excessive (refer to the Postbank case above). That’s why the main aim of data privacy management is prevention.
According to the IBM study, in South Africa the three root causes of data breaches are:
- malicious or criminal attack (48 percent),
- human error (26 percent) and
- system glitches (26 percent)
They therefore advise that it is in the business’ best interest to implement measures that allow the business to reduce the time it takes to investigate, isolate, contain and respond to the damage. This in turn reduces the financial and negative impact on the business’ brand.
We also recommend that as a business you implement training and awareness about data security and also provide ongoing training to ensure employees are aware of current trends in cybercriminal tactics. Employee contracts should include POPI compliance clauses to require employees to adhere to the business’ policies and procedures relating to POPI. To quickly identify or even prevent a breach one needs to recognise or become aware of the breach and as mentioned earlier, the sooner the better. To strengthen security awareness in your business, all employees should understand their responsibilities in terms of the POPI Act, e.g. being certain about who has access to specific personal information, who needs to give consent to process that information, and what personal information needs to be collected. The POPI Act stipulates that before processing personal information one needs to obtain consent from the data subject (ie. the person whose data you are processing), one should only process information for a specific purpose, and this information should not be excessive. Therefore, once the business has processed a client’s information (with their consent), the business needs to protect this data from being accessed by unauthorised parties. The practices mentioned above such as ongoing training and awareness are examples of some measures that can be taken and will alert the business that it is being targeted and prevent unauthorised access to data in the business’ possession. For example, noticing an increase in requests from attorneys to access various client’s details without express client consent. If employees are trained correctly, they will prevent a possible breach by thinking twice before sending the information to the attorney. They will also alert the business owner who can manage this appropriately before a possible breach occurs.
It is required that businesses review or implement, should you not have one in place, a written contract between the business and operators when outsourcing processing functions. The contract should ensure that the operator establishes and maintains any security measures agreed upon. The operator should also be aware of their responsibility to immediately notify the business of a possible breach, as required by the POPI Act. Examples of such agreements are those with product suppliers, IT services or accountants.
It is very clear from the research mentioned in this newsletter that data protection is becoming increasingly important to clients. What is also obvious is that a data breach has many negative consequences and the costs to recover from a breach may damage a business beyond repair. It is also evident that the consequences of a breach last for a long time – considering Liberty’s breach occurred in 2018 but is still discussed today. We therefore encourage businesses to consider investing in data privacy management by incorporating good business practices that lead to business sustainability and business opportunities. When clients trust your business to protect their personal information, they will trust you with their business. Further to this, we have seen how becoming POPI compliant leads to data protection. The POPI Act is an enactment of s14 of the Constitution of South Africa, which deals with the right to privacy. Therefore, when incorporating the principles of POPI into your business it shows clients that you respect their basic human right of being protected from harm which in turn protects the business from harm.
Masthead recently launched a new service offering so you can be compliant with the provisions of the POPI Act by 1 July 2021.
Whether you need help in guiding your employees through the process of understanding the POPI Act; or you want to understand the impact it will have on various processes and people in your business; or you need support and guidance in the steps you need to take; or you’re at your wits end about the policies and processes you need to implement to become and remain POPI complaint, we can assist.
The additional benefit of taking up this service offering is that when 1 July 2021 comes, the business will have minimised the risk of being fined or incurring a penalty as a result of POPI non-compliance.
Our POPI webinar and online course provides useful guidance in becoming POPI compliant so that you and your staff are well-informed on the importance of POPI and its impact on your business – perfect for your business’ internal awareness sessions.
Choose between two options:
- Full Implementation – Hands-on, expert assistance with implementation of POPI throughout your FSP. We will conduct a GAP Analysis, create a roadmap and assist with all the required documentation and processes to ensure POPI is implemented across your FSP.
- DIY POPI Compliance Toolkit – A complete toolkit suitable for all FSPs who want to do their own implementation. Read more and buy the toolkit.
After the effective date of 1 July 2021, and once your POPI implementation is complete, we can assist with monitoring POPI in your business. Our monitoring services will provide you with a skilled compliance expert who will conduct ongoing monitoring, review your FSPs’ processes to ensure that adequate measures and standards are in place, review your PAIA manual to ensure that it is up-to-date and much more.
If you would like to know more about our POPI services, please contact your Compliance Officer or nearest Masthead office. Click here for contact details.