Data breaches and security compromises - be prepared

data protection privacy Apr 23, 2021


Although data breaches are nothing new, this topic has received more focus recently with stricter data protection laws and regulations. It is more important than ever that organisations prepare for such an occurrence and have formal procedures and protocols in place to deal with the fallout. Here are some pointers and reminders of aspects to think about.


What is a data breach or security compromise?

In terms of the Protection of Personal Information Act (POPIA), this is not defined. Under the new Cyber Crimes Bill, there are descriptions of types of actions that would constitute criminal offences. However, for the purposes of being prepared, this could entail any type of data breach or security compromise (digital or physical) that would expose the organisation to potential risk.

Apart from the obvious things around cyber security such as hacking, malware, ransomware attacks, etc. we also need to consider other vulnerabilities in the protection of the (personal) information in our possession or under our control. For example –

  • Physical security – e.g. surveillance, (un)locked doors and cabinets, document handling, authorisation levels and restrictions, security protocols and secure destruction of data.
  • The human factor – e.g. corporate espionage, privilege misuse, employee negligence, sabotage, theft, leaks, usage of third-party systems.
  • Device management – loss or compromise of devices containing (unencrypted) information.


What are the consequences of a data breach or security compromise?

It depends on the degree and extent of the breach, but the potential fallout can cripple an organisation and it is important to consider all the various areas of impact and to prepare for it as best as possible:

  • Practical incident response – e.g. crisis management, investigations, data recovery, reporting and notifications, remediation, operational contingencies, communications and reputation management.
  • Financial impact – e.g. the use of alternative systems to ameliorate business interruption, recovery costs, upgrading of systems, addressing reputational harm and brand degradation, loss of business, fines and penalties, litigation costs, settlements and insurance.
  • Liability – e.g. regulatory, criminal, civil and contractual.


Why should you have an incident response plan?

An incident response plan relating to data security is like having a fire plan for your premises. If the alarm goes off, everyone should know what to do, where to go, what steps to take and who is responsible to do what. There should also be 'drills' – rehearsing or running simulations from time to time to test the plan and to tweak it if necessary.

The aim of the plan should be to mitigate the fallout and liabilities resulting from an incident, to keep operations going and to manage reputational harm and client confidence.


What should an Incident Response Plan contain?

The development of the Plan should involve a multi-disciplinary approach with input from all the critical areas of the organisation. This could include IT, legal, finance, compliance, communications (PR), HR, security and also the Executive.

The Plan should include consideration of the following aspects and provide appropriate and sufficient detail in each instance:

  • Identify the various stakeholders that should be involved in the response and how to contact them in an emergency.
  • Containment measures – immediate first steps in relation to crisis management, depending on the nature of the breach / compromise.
  • Notification and reporting protocols – both internally and externally. Employees must know how and where to report any compromise immediately, and protocols should be in place to escalate the matter internally and to handle cases where third-party Operators are involved. Under POPIA, the Regulator and the relevant data subject(s) must be notified. Reporting to other external parties such as your insurers and/or law enforcement may also be necessary – especially if extortion is involved, or as may be prescribed in terms of the Cyber Crimes Bill (when enacted).
  • The process for investigation and assessment of the incident: how to systematically investigate and handle the incident, keeping records of everything that is done and of all communications.
  • Evaluation of the extent and impact of the breach: the various risks the organisation is exposed to as a result of the incident and the severity thereof (operational, financial, reputational, legal).
  • Solutions and remedial steps to mitigate these risks and to prevent future recurrence.

Remember that data breaches and security compromises do not have to wait for 1 July 2021 – they can happen at any time! The Information Regulator is of the view that data breaches should in any event already be reported to them, even during this transitional period. So, the sooner you start working on an Incident Response Plan and have emergency protocols ready to roll, the better.


© Judith Griessel (Griessel Consulting)