You’ve had a data breach. Now what?

Posted on 18 Aug 2023

What obligations does the Protection of Personal Information Act (POPIA) place on businesses who have experienced a data breach?

It seems that hardly a week passes without yet another large data breach grabbing the headlines. The recent high-profile hack of the file transfer tool MOVEit, which reportedly compromised data at about 600 organisations, affecting almost 400 million people globally, is a stark reminder of the pervasive threat businesses face.

South Africa, too, has not been immune to such incidents. In 2020, Experian, a credit bureau, experienced a data breach that exposed the personal information of about 24 million South Africans and more than 790 000 business entities. And the hack of TransUnion in 2022 exposed millions of South Africans to potential risk.

Research done by the tech firm Proxyrack placed South Africa ninth amongst the top 10 countries experiencing significant financial losses due to data breaches, adding that in 2021, the average cost of a data breach in South Africa was about R58 million.

The Information Regulator – the body responsible for enforcing compliance with POPIA, the data privacy legislation that came into effect on 1 July 2021 – has also noted an increase in incidents. In 2021, a total of 234 security compromises were reported to the Regulator. The following year, the number jumped to 580, and more than 330 were reported in the first quarter of 2023 alone.

Data breaches caused by cyber-attacks have also become more prevalent, explains Mukelani Dimba, Executive for Education and Communication at the Information Regulator. “We used to receive a lot of reports about document mishandling, largely due to human error, but these have since declined. Now, most of the reports we get are because of unauthorised access to personal information by threat actors.”

Grave consequences:

There was a time when businesses would have tried to sweep news of a data breach under the rug, but POPIA now places specific obligations on every public and private entity that handles people’s personal information, whether it is a large institution such as a bank or a small business such as a GP’s practice or a financial advisor.

Failing to report a breach means non-compliance with the Act, which can result in a fine of up to R10 million and/or 10 years in jail. While no one has been fined for failing to report a breach yet, the Regulator recently administered its first penalty for POPIA non-compliance.

In July of this year, it slapped the Department of Justice and Constitutional Development (DoJ&CD) with a R5 million fine after the Department failed to comply with an infringement notice issued by the Regulator on 9 May 2023. The notice required the DoJ&CD, which had suffered a ransomware attack and data breach in 2021, to submit proof to the Regulator within 31 days that they had renewed their Trend Anti-Virus licence, the SIEM licence and the intrusion detection system licence.

Steps to take after a breach:

Regardless of whether the personal data of one person or millions was compromised, institutions need to take certain actions, according to POPIA.

Contain: An institution that suspects that an unauthorised person has gained access to personal information under their control must act immediately by putting into action their data breach response plan to contain and fix the breach – this will help minimise damage. All entities that manage personal information should have a response plan in place, and the Regulator may ask to see this plan during their investigation.

Notify: Using the Section 22 Security Compromise Notification Form, which is available on the Regulator’s website, the business must inform the Regulator – as well as the data subjects, the person or people whose personal data was compromised – of the breach as soon as reasonably possible. “Failure to do so is an offence,” warns Dimba. “We find that companies often delay informing the Regulator and do not use the appropriate platforms to inform the affected data subjects. Simply posting on the company’s website isn’t enough.” The data subjects must be informed in writing directly via one of the appropriate methods mentioned in Section 22, such as email or post, and the business should put a prominent notification on their website and in media publications.

The Notification Form has different sections that require specific information, for example, a description of the incident, what steps the business took to address the security compromise, recommendations on how the data subjects can protect themselves, etc. It also asks for the date of the security compromise, as well as the date on which it was reported to the Regulator. If there is a delay between these dates, the Regulator will want an explanation.

The Act doesn’t mention that staff or other stakeholders in the business should be notified, but it’s best practice to inform these parties of the breach as well because it’s important to build trust within a company, not just outside it. And if the breach was due to the actions of cybercriminals, it’s important to involve law enforcement.

Investigate: A business needs to determine exactly how the breach occurred. Was it due to human error or did cybercriminals exploit weaknesses in the software programs used by the company? The human factor is often the greatest threat to information security, whether it be through negligence or persons accessing information to illegally provide it to third parties for monetary gain. Additional information discovered during the investigation can be added to the Notification Form in a separate annexure.

Remediate: The cause of the breach must be addressed to prevent future incidents from occurring. Part D of the Notification Form asks for a full description of the measures the business intends to take, or has taken, to address the security compromise and protect the personal information of the data subjects from further unauthorised access or use.

Test: While not specifically mentioned in the Act, after a business has updated its data protection procedures to address the identified security concerns, it would be wise to test the updated systems to determine if they would withstand another attempted breach. In fact, businesses should proactively risk rate, review and test their data protection procedures periodically, rather than solely in response to breaches. This ensures that their security systems remain relevant and effective.

Prevention is better than cure:

While the Regulator is generally pleased with the business sector’s compliance with POPIA, more can be done to strengthen infrastructure to secure personal information, says Dimba. “The increase in data breaches tells us that the safeguards adopted by responsible parties in handling personal information are falling short of what is required to protect personal information. Vulnerabilities in systems must be identified and mitigated proactively,” he advises.

There is no denying that the rapidly evolving cybersecurity landscape makes staying ahead of criminals a formidable challenge. As they constantly devise new methods to gain unauthorised access to personal data, businesses must be proactive in enhancing their security measures to protect sensitive information. Cybersecurity insurance can help mitigate the financial damage caused by a data breach, but it is essential for organisations to take additional steps to safeguard the personal data they handle.

One effective strategy is for an organisation to engage the expertise of IT professionals to thoroughly review their cybersecurity systems. In addition, they can use compliance and risk management service providers to help them draft a comprehensive data breach response plan – including guidance on how to complete the Security Compromise Notification Form – and train staff to ensure compliance with POPIA and reinforce cybersecurity best practices.

Taking these proactive measures can go a long way in protecting an entity from a breach and help minimise the fallout should an unauthorised person gain access to sensitive information.

Additional duties for financial advisors:

Apart from their responsibilities under the POPI Act, additional legislation places added obligations on financial advisors to safeguard client information and prevent cyber threats or attacks by implementing adequate IT risk-management and cyber security protocols.

These duties are already applicable in terms of Section 37(2)(b)(iii) and (iv) of Board Notice 194 of 2017. However, the recently released Financial Sector Conduct Authority (FSCA) Regulatory Plan provided an update on two pieces of regulation that speak directly to Category II, Category IIA and selected Category I financial service providers (FSPs).

According to the FSCA Regulatory Plan, the aim is to have the following finalised before the end of 2023:

  • For Category II and Category IIA FSPs: The Draft Joint Standard on Information Technology Governance and Risk Management. (Final draft submitted to the National Treasury for tabling in Parliament on 14 December 2022. Proposed effective date 1 January 2024.)
  • For Category II, Category IIA and Category I FSPs that provide investment fund administration services in collective investments or hedge funds: The Draft Joint Standard on Cyber Security and Cyber Resilience Requirements. (Second draft published for public comment on 13 December 2022.)

By Masthead Practice Management Consultants, Keith Leenaerts and Andre van der Linde.