Cyberattacks, which often lead to data breaches, are becoming more and more apparent. As mentioned in a previous newsletter, the root causes of data breaches are malicious or criminal attacks, human errors and system glitches. With ABSA bank being the latest victim in South Africa and the United States (US) government a victim on an international scale, it is evident that a data breach can happen to anyone.
As seen in the event of ABSA, security safeguards against third parties are important but one should also incorporate protection against internal threats. ABSA incurred reputational damage and incurred costs in terms of legal fees as they brought criminal charges against the employee and they may take further action in relation to the recipients of the data once the full scope of the leak is identified and all investigations are completed (Faku, 2020). The successful cyberattack against the US government is also proof that hackers and cyber criminals are becoming more skilled and attacks more sophisticated.
We have all witnessed the dire financial implications as well as the intangible reputational damage data breaches have on smaller and larger businesses. In Verizon’s 2020 Data Breach Investigations Report, 28% of the 3950 confirmed data breaches studied in their report involved small business as victims. As data breaches increase, so do concerns among many business owners. The main concern is how to protect the business against the occurrence of a data breach and the associated negative consequences. To illustrate the severity of these consequences, IBM Security reported that, on average, data breach incidents cost South African companies R40.2 million per breach. 48% of the data breaches experienced in South African organisations were malicious attacks on customer, employee and corporate data. This was identified as the most costly source of breach experienced by businesses. In addition to these consequential losses as a result of data breaches, once the POPI Act takes effect, businesses may also be subject to civil remedies, be found guilty of offences, or be subject to penalties and/or administrative fines.
Given that data breaches are occurring more often, and cyber-attacks are becoming more sophisticated, you may be concerned about whether:
- You have thoroughly implemented Data Privacy Management in your business.
- There are enough business processes and security safeguards in place to prevent unauthorised access to sensitive information by both employees and third parties.
- Your business has adequate and appropriate Professional Indemnity cover to protect itself in the event of a data breach.
In this newsletter we look at how easily data breaches can occur, and which Data Privacy Management practices can be implemented in order to demonstrate a willingness to do what it takes to protect clients’ personal information and through this, prevent, as far as possible, a data breach from occurring. We also look at how a possible data breach may occur when handling business equipment and confidential information whether working from the office or remotely. Lastly, we also look at PI Cover as a possible solution that a business can introduce.
Handling confidential information whether working from the office or remotely
Data breaches can occur so easily and therefore one needs to be mindful of how confidential information is handled in both the office and when working remotely. For example, employees should get into the habit of immediately collecting documents which they send to the printer. It doesn’t matter whether one is working remotely or at the office, leaving confidential information lying around at the printer, may result in a data breach. This information left lying around can end up in the hands of an unauthorised party. For example, when working at the office a client may be able to see confidential information by simply walking past the printer on the way to a meeting room. Or an employee, while on their way to fetch a printout, may come across confidential documents and misuse this information. This example is similarly applicable to instances when working remotely as well.
We also recommend that, if a business is still using paper-based documents, personal and confidential information should be stored in cabinets, drawers or in places where they cannot be accessed by unauthorised parties. For example, don’t keep documents in boardroom or meeting rooms where client meetings are held regularly. In the case of working remotely, don’t keep documents in open areas such as the lounge or living area, where guests can easily access confidential information.
We recommend that client files and other confidential information should not be left on desks, especially if the office makes use of a CCTV camera. If the camera can record the personal information, there is a risk of a data breach. If the personal information is recorded, it means that whoever has access to the recorded footage has access to that personal information. It is important to ensure that the necessary security safeguards e.g. POPI Act compliance agreements between the business and CCTV host and other measures are in place. Further to this, should your business collect personal information such as ID numbers as a COVID-19 protocol, these registers should not be left unattended or in view of the CCTV camera.
Handling of Business Equipment
With today’s technological advances, one is able to connect a cellphone to a vehicle system and make ‘hands-free’ phone calls while driving. While it may be convenient to use this feature, making such a connection means providing the vehicle system with access to the personal information on the cellphone. The personal information from the cellphone (e.g. contact names and numbers, e-mail addresses, home and office addresses and routes travelled), is then stored in the vehicle system.
The risk here is that, should this vehicle be traded in or stolen, whoever is able to access the vehicle will have access to this personal information. They may then be able to locate your home or offices and contact your clients.
To mitigate this risk, we recommend all Bluetooth pairings should be removed: This applies to all devices connected to the vehicle. When doing so, the cellphone’s personal data is usually removed automatically. Further to this, one could restore the settings to the vehicle’s factory settings. This will erase all settings. However, should this not work, we recommend:
- manually deleting the contact history on the vehicle system, via the menu option.
- manually deleting the addresses visited when using the navigation system
- ensure you are logged out of mobile applications included in the vehicle or those which connect your smart device to the vehicle system. Usually, the Bluetooth feature is the connection. However, examples of other applications may include navigation or audio.
- some vehicles now have an advanced feature, allowing one to open one’s garage door by clicking a button in the vehicle. Should the vehicle have this feature, ensure that it is disengaged or switched off whenever you leave the vehicle. One wouldn’t want unauthorised access to your home.
- ensure all subscription services which the vehicle is connected to are cancelled or transferred to the new vehicle. For example, maintenance and insurance plans.
These considerations and principles should be applied to situations where the business provides cellphones to employees and when replacing office equipment e.g. computer hardware and printers. Before, these devices are discarded or assigned to another employee or external party, the business needs to ensure that all personal information and intellectual property is destroyed or deleted. Section 14 of the POPI Act requires that the destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form. The POPI Act does not specify the exact steps on how to do this. However, simply deleting the electronic files may be insufficient in terms of the POPI Act, as the file may be recoverable elsewhere e.g. the recycle bin. Files can be permanently deleted when pressing shift and delete but as we know cybercriminals are very skilled and may be able to recover the deleted files. If you are unable to delete the electronic files, (e.g. due to legislative recordkeeping requirements) then they need to be de-identified.
Section 1 of the POPI Act defines “de-identify” as follows: “in relation to personal information of a data subject, (“de-identify”) means to delete any information that—
- identifies the data subject;
- can be used or manipulated by a reasonably foreseeable method to identify the data subject;
- or can be linked by a reasonably foreseeable method to other information that identifies the data subject.”
In addition, we recommend making use of IT experts who have the necessary tools, knowledge and expertise to ensure the electronic files have been properly deleted or destroyed. When making use of third parties, such as IT professionals, it is important to ensure that they are POPI compliant.
Even if the used device is being stored somewhere e.g. storage units, cupboards or drawers for future use, the personal information should be destroyed, deleted or de-identified immediately. If not, there is a risk of a data breach. The reason being, that an unauthorised party could gain access to the information and can communicate with clients unknowingly. For example, they could pretend to be a client and send the business a fraudulent request e.g. to make a withdrawal from a client’s account. The unauthorised party may easily bypass the security questions if they are able to gain access to enough personal information from the computer e.g. banking details and account numbers of the client. Should your client be a victim of fraud and submit a claim against the business for negligence, the business may be at risk of financial and reputational damage. If reasonable steps such as failing to discard the client’s personal information from the hardware before replacing it was not implemented, the PI Cover claim may be rejected, resulting in your business becoming liable to pay the costs.
Professional Indemnity Cover
The FAIS General Code of Conduct stipulates that an FSP must maintain in force suitable guarantees or professional indemnity or fidelity insurance cover. This ensures that the business is covered in the event that a client or a third party submits a claim against the business for a financial loss that results from the business (1) being negligent, (2) making a mistake, or (3) not doing something (e.g. failing to process a client’s instruction to sell shares on time or failing to disclose exclusions when providing clients with cover).
But, despite businesses having PI Cover in place that may protect them against losses experienced in day-to-day business activities, it is important to check whether your PI Cover protects your business in the event of a data breach or cyberattack, and if it does, is the cover sufficient? For this reason, we recommend that you consider the option of adding Cyber Insurance to your existing PI Cover.
Masthead PI Cover Scheme
The Masthead Professional Indemnity Cover Scheme has been custom designed to suit the needs of independent financial advisors. It offers the right combination of benefits, price and flexibility to suit the needs of our members.
More than 50% of Masthead members are already on the scheme, enjoying the benefits and competitive pricing. For more information, please contact your Compliance Officer.
In response to the sections of the POPI Act which will take effect on 1 July 2021, a unique cyber insurance and liability product was developed by Broker & D&O Protect. This specific Cyber Insurance, which can be added to your existing PI Cover, provides an array of benefits, e.g.:
1. Cover Options:
There are two cover options: (1) Comprehensive Cover, which provides cover for your own costs incurred after a cyber-breach e.g. restoration of data and software, as well as business interruption due to the cyber-breach; and (2) Third Party Cover, which ensures cover for the amounts you are legally liable to pay to other parties after a cyber-breach e.g. media liability. If you elect Comprehensive Cover the Third-Party Cover is also included. However, if you elect Third-Party Cover you only have Third-Party Cover.
2. Cover for data breach response:
This data breach response is a benefit that covers any reasonable and necessary costs resulting from an actual or suspected data breach. For example, the costs:
- for an expert to investigate and report to you on the data breach;
- to comply with their respective data protection laws (such as notifying the supervisory authority or data subjects);
- to purchase credit and identity theft monitoring services for the benefit of data subjects affected by a data breach, subject to Santam’s prior written consent;
- for an expert to manage and protect the insured’s reputation until the end of the reputational protection period after the data breach; and
- for legal defence costs incurred to respond to or defend action taken by the supervisory authority.
The cover will also reimburse the insured for any legally insurable administrative fines and penalties imposed by your supervisory authority as a direct result of the data breach.
3. Exclusions and responsibilities
Please note, there are certain exclusions and there are certain responsibilities which need to be carried out in order to ensure the success of the claim. As we know, insurance claims are only paid out if certain requirements, stipulated by the insurer, are met. Therefore, it is important that your business not only puts adequate security safeguards and measures in place but also incorporate Data Privacy Management into day-to-day business activities. The practices we’ve spoken about above may therefore strengthen the chances of PI claims being paid out.
For more detailed information or any questions regarding this unique cyber insurance and liability product, contact Len Faul via email: firstname.lastname@example.org. Should you require a quotation you may send an email to email@example.com
It is evident that even when you have extensive security safeguards in place, it is still possible for a data breach to occur. The IBM Security report found that, based on the companies studied in South Africa, it takes an average of 177 days to identify a data breach and 51 days to contain one. The report also found that it costs an average of R1,984 per lost or stolen record. Therefore, we encourage you to be proactive in identifying gaps where a data breach may occur in your business. When Data Privacy Management is implemented properly, along with robust business processes, it will also assist the business in its POPI compliance journey. But it also ensures that should a data breach occur; your business can confidently say it did everything that it could to protect the personal information of its clients. If a business is able to quickly identify a data breach, the business may be able to ensure that the minimum personal information is compromised. This then can save the business in terms of reputation, cost and client trust.
When looking at possible responses and the implementation of security safeguards, there are obviously costs, and our advice is to look at what the business can afford, and we think it is worthwhile to consider adding at least one of the cover options mentioned above to your existing PI Cover. However, it is important to keep in mind is that purchasing the cover without implementing any Data Privacy Management principles or processes is not enough. One needs to ensure effective Data Privacy Management principles and processes are implemented to minimise the damages of a data breach and to ensure that your business retains its client trust by keeping to its promise of safeguarding the personal information of its clients.
For more information about how Masthead assists with ensuring POPI compliance, click here.