“My business has suffered a data breach following a successful phishing scam which one of our employees reacted to and so enabled the hacker to gain access and obtain client and business data. We have tried to do what we can to manage the breach, but are unclear about our responsibilities in this regard, especially in the light of POPIA?”
Cyber-crime, phishing attacks, ransomware and data breaches are increasingly common and a threat to the day-to-day operations of a business. Of necessity, data security has become an essential consideration for just about every business, small or large, requiring businesses to put in place appropriate safeguards to try and prevent data breaches from occurring and, if they do occur, to manage such breaches.
A recent wave of data breaches affecting some major companies in South Africa has reaffirmed the critical importance of data protection under privacy law and serves as an important reminder of the business and reputational risks that data breaches can present.
A data breach may occur for a variety of reasons, including outdated anti-virus software, weak security systems, human error, or succumbing to one of a wide variety of crafty cyber schemes and attacks that aim to bypass your security defences.
Here the Protection of Personal Information Act 4 of 2013 (“POPIA”) becomes important. POPIA requires that a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information. Whatever the cause of the breach, any business that falls within the definition of a “responsible party” in terms of POPIA is expected to act as a custodian of any personal information collected from customers, is expected to have the necessary measures in place to stop a breach and, where a breach occurs, must take responsibility for the breach.
In particular, compliance with data protection legislation, such as POPIA in South Africa and the GDPR in the European Union, has become imperative due to the constantly increasing amount of personal and sensitive client data being captured and maintained by businesses. Data privacy legislation emphasises the need to have adequate data security measures in place to protect personal information collected by businesses, with failure to do so potentially resulting in large fines, penalties, reputational damage and even jail time.
Accordingly, it is advisable that businesses follow a two-pronged strategy in this regard. Firstly, put in place suitable safeguards to avoid data breaches from occurring, and secondly, have a clear strategy on how to deal with such data breaches in the unfortunate event that they do happen.
POPIA sets out strict procedures regarding data breaches and what must happen in the event that a data breach occurs. It is especially important to integrate these procedures in your business’ policies and systems to ensure that you remain POPIA compliant even if your business falls prey to a cyber-attack or personal information is leaked in some other manner.
POPIA, for example, states that where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the data subject, unless the identity of such data subject cannot be established. Such notification must be made as soon as reasonably possible after the discovery of the data breach. Although POPIA does not prescribe a specific time limit for the breach notification, it is advisable that your business have the necessary measures and procedures in place which set out the steps, with accompanying timeframes, to be taken in the event of a data breach.
Such measures and procedures should be encapsulated in a data breach policy or response plan to help ensure that your business reacts in the correct manner, complies with its obligations under POPIA and that all public communications follow an approved strategy to protect your business and its relationships with its customers. A few basic items that should form part of your data breach policy are the following:
- Availability of the policy for use in the event of an incident.
- The response plan steps to be taken in the event of an incident.
- Notification requirements and deadlines, including notification to the Information Regulator.
- Identification and notification of data subjects of the breach, how it affects them as well as steps that can be taken to protect or minimize impact.
It is important to appreciate that a data breach can happen, and that being prepared and responding correctly is as important as taking steps to try and avoid a data breach. If a breach does happen, communication is vital to helping your business manage the breach and its impact on your customers.
Our advice would be to obtain the assistance of a data security specialist to help you assess how to remedy your data breach, put measures in place to minimize future breaches and also help you formulate the correct policy approach to dealing with the current breach and communication to your clients.