Safeguarding against data breaches under privacy law: A ten-point checklist
- There is no avoiding that data breaches need to be addressed in an appropriate and timely manner, given the harm that can result to the privacy and other rights of affected individuals.
- A recent spate of data breaches affecting some of the major companies in South Africa has reignited the debate on the critical importance of data protection under privacy law and serves as an important reminder of the business and reputational risks that data breaches can present.
- In line with the requirements of the Protection of Personal Information Act 4 of 2013 (POPIA), it would be advisable for organisations to develop a two-pronged strategy: first, to put in place appropriate safeguards to prevent data breaches from occurring; and second, to have a clear strategy on how to deal with such data breaches in the unfortunate event that they occur.
- This article concludes with a ten-point checklist to assist organisations with assessing their readiness to safeguard against – and, if necessary, respond to – any breach of personal information that may occur.
Data breaches under privacy law
There is no avoiding that data breaches need to be addressed in an appropriate and timely manner. It has been explained that the failure to do so may result in physical, material or non-material harm to affected data subjects, such as loss of control over their personal information, limitations of their rights, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal information protected by professional secrecy, or other significant economic or social disadvantage to the persons concerned.
A recent spate of data breaches affecting some of the major companies in South Africa has reignited the debate on the critical importance of data protection under privacy law. One of the most highlighted has been the Experian data breach which, according to the South African Banking and Risk Centre (SABRIC), exposed the personal information of approximately 24 million South Africans and 793 759 business entities to a suspected fraudster. It has since been reported that Experian willingly handed over this personal information, claiming to have been “duped” into doing so.
Data breaches can affect any organisation, regardless of its size or the scope of its activities. In terms of the Protection of Personal Information Act 4 of 2013 (POPIA) – which becomes enforceable as of 1 July 2021 – data breaches include the loss, damage, unauthorised destruction of, or unlawful access to, personal information. Data breaches have typically been categorised according to the following three information security principles:
- Confidentiality breach: Where there is an unauthorised or accidental disclosure of, or access to, personal information.
- Integrity breach: Where there is an unauthorised or accidental alteration of personal information.
- Availability breach: Where there is an unauthorised or accidental loss of access to, or destruction of, personal information.
These recent data breaches should serve as an important reminder of the business and reputational risks that data breaches can present. It would therefore be advisable for organisations to develop a two-pronged strategy: first, to put in place appropriate safeguards to prevent data breaches from occurring; and second, to have a clear strategy on how to deal with such data breaches in the unfortunate event that they occur. Notably, POPIA puts in place specific requirements of what is expected when a data breach affecting personal information occurs, which should necessarily inform any strategy that is developed.
Legal requirements in terms of POPIA
As a point of departure, section 19 of POPIA requires organisations to take “appropriate, reasonable technical and organisational measures” to prevent the loss, damage, unauthorised destruction of, or unlawful access to, personal information. To give effect to this requirement, organisations should undertake the following measures:
- Risk assessment: Identify all reasonably foreseeable internal and external risks to personal information.
- Establishment of safeguards: Establish and maintain appropriate safeguards against the risks identified.
- Implementation of safeguards: Regularly verify that the safeguards are effectively implemented.
- Updating of safeguards: Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
- Generally accepted information security practices and procedures: Have due regard to generally accepted information security practices and procedures that may apply generally or be required in terms of a specific industry or professional rules and regulations.
To the extent that an organisation uses a third party operator to process personal information on its behalf, POPIA requires that there must be a written contract in place which guarantees that the relevant security safeguards are established and maintained to protect personal information.
In applying these requirements, there are several points worth noting. In particular, data breaches do not just occur at the hands of hackers or other external parties that prey on weaknesses within an organisation’s network. Rather, data breaches can result from internal vulnerabilities, such as members of staff not having appropriate security safeguards in place to, for example, securely store personal information or undertake the relevant verification procedures before sharing personal information.
Importantly, in order to respond to these challenges, organisations need to establish and implement appropriate security safeguards to prevent data breaches from occurring. To determine what constitutes appropriate safeguards, POPIA calls on organisations to have due regard to generally accepted information security practices and procedures as may be applicable, including in respect of a specific industry or profession. Having a clear policy that sets out these safeguards is an important step in any organisation’s data protection strategy, as this can serve to show that the organisation has taken reasonable steps to comply with POPIA.
However, POPIA also makes clear that this should not be treated as a once-off exercise. In this regard, POPIA specifically requires that the security safeguards are continually updated in response to new risks or deficiencies. In addition to developing a policy, organisations should also recognise the importance of regular training workshops with staff, operators and other stakeholders, to ensure that the security safeguards are appropriately and effectively implemented on an ongoing basis. Organisations may also consider other ways of assessing the implementation within the organisation, such as appointing ‘privacy champions’ or an oversight committee that assists management with overseeing the practical implementation of the security safeguards that have been developed.
Duty to notify in the event of a data breach
One of the key requirements under POPIA is the duty to notify in the event of a data breach where personal information has been compromised. This duty is two-fold:
- Information Regulator: The organisation must notify the Information Regulator as soon as reasonably possible after discovering the compromise.
- Affected data subjects: The organisation must notify all affected data subjects unless the identity of the data subject cannot be established.
With regard to affected data subjects, POPIA allows for a delay in notification to the affected data subjects if a relevant public body or the Information Regulator is of the view that notification will impede the criminal investigation. Importantly, the notification to the data subject must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. This should include the following information:
- Possible consequences: A description of the possible consequences of the security compromise.
- Relevant measures: A description of the measures that the organisation intends to take or has taken to address the security compromise.
- Recommendation: A recommendation regarding the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise.
- Identification: The identity of the unauthorised person who may have accessed or acquired personal information, if known.
The Information Regulator is also empowered to direct an organisation to publicise, in any manner specified, the fact of the compromise to the integrity or confidentiality of personal information, if the Information Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.
This duty to notify makes it apparent that a data breach can have severe consequences for an organisation. In addition to the possibility of court proceedings or an administrative fine of up to R10 million, organisations also need to be cognisant of the reputational harm that can arise. The duty to notify, coupled with the power of the Information Regulator to direct the publication of a data breach, means that there is an element of ‘naming-and-shaming’ built into the legal framework. This may have a direct impact on the public confidence, trust and loyalty that customers feel towards the organisation.
Practically, organisations should consider pre-emptively developing a response plan that can be relied on in the event that a data breach occurs. Regard should be had, for example, to who within the organisation needs to be notified if a data breach occurs, what internal measures will be taken, who will be responsible for notifying the Information Regulator, and how the organisation will engage in communications with affected data subjects. While organisations may hope never to have to use this response plan, it may be of significant comfort to have a clearly laid out process in place to ensure that the duty to notify is complied with in a timeous and efficient manner.
Ten-point checklist for compliance
In light of the above, and drawing guidance from the approaches taken by regulators in other countries, this ten-point checklist is intended to assist organisations to assess their readiness to safeguard against – and, if necessary, respond to – any breach of personal information that may occur:
- Policies: Has the organisation developed a policy that addresses security safeguards, protocols and other matters of relevance to data breaches?
- Written contracts: Does the organisation have written contracts in place with third party operators who process personal information on its behalf?
- Recognition: Does the organisation know how to recognise a data breach?
- Response plan: Has the organisation developed a response plan for a data breach that has occurred?
- Responsibility: Has the organisation allocated responsibility for managing a data breach to a dedicated person or team?
- Escalation: Do members of staff know how to escalate a data breach, once it has occurred, to the appropriate person or team within the organisation?
- Risk assessment: Does the organisation have a process in place to assess the likely risk to individuals in the event of a data breach?
- Information Regulator: Does the organisation know how to contact the Information Regulator, and what information needs to be communicated?
- Data subjects: Does the organisation know how to communicate with affected data subjects, and what information needs to be communicated?
- Documentation: Does the organisation document all data breaches?
Avani Singh is a director and co-founder of ALT Advisory and Power Singh Inc. Avani writes in her personal capacity.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].