Although data breaches are nothing new, this topic has received more focus recently with stricter data protection laws and regulations. It is more important than ever that organisations prepare for such an occurrence and have formal procedures and protocols in place to deal with the fallout. Here are some pointers and reminders of aspects to think about.
What is a data breach or security compromise?
POPIA (the Protection of Personal Information Act) does not define these terms. The new Cyber Crimes Bill describes types of actions that would constitute criminal offences. For the purposes of being prepared, however, this could entail any type of data breach or security compromise (digital or physical) that would expose the organisation to potential risk.
Apart from the obvious cyber security threats such as hacking, malware and ransomware attacks, we also need to consider other vulnerabilities in the protection of the (personal) information in our possession or under our control. For example –
What are the consequences of a data breach or security compromise?
It depends on the degree and extent of the breach, but the potential fallout can cripple an organisation. It is important to consider all the various areas of impact and to prepare for them as best as possible:
Why should you have an incident response plan?
An incident response plan relating to data security is like having a fire plan for your premises. If the alarm goes off, everyone should know what to do, where to go, what steps to take and who is responsible for what. There should also be 'drills' – rehearsing or running simulations from time to time to test the plan and to tweak it if necessary.
The aim of the plan should be to mitigate the fallout and liabilities resulting from an incident, to keep operations going and to manage reputational harm and client confidence.
What should an Incident Response Plan contain?
The development of the Plan should involve a multi-disciplinary approach with input from all the critical areas of the organisation. This could include IT, legal, finance, compliance, communications (PR), HR, security and the Executive.
The Plan should include consideration of the following aspects and provide appropriate and sufficient detail in each instance:
Remember that data breaches and security compromises do not have to wait for 1 July 2021 – they can happen at any time! The Information Regulator is of the view that data breaches should in any event already be reported to them, even during this transitional period. So, the sooner you start working on an Incident Response Plan and have emergency protocols ready to roll, the better.
© Judith Griessel (Griessel Consulting)