Concerns over cybersecurity and data breaches are growing globally, fuelled and escalated by reports of ever-larger data breaches, the "rise of machines" and remote working. The extent and impact of a security incident largely differs depending on the sector infiltrated and the type of personal information processed within that sector.
As a natural consequence, organisations have no choice but to manage these risks by, inter alia, implementing appropriate, reasonable technical and organisation measures to secure the integrity and confidentiality of personal information under its possession. This is recognised in terms of section 19 of the Protection of Personal Information Act 4 of 2013 (PoPIA). Furthermore, when – and not if – a security compromise occurs, organisations must understand their obligation to notify such security compromise to the Information Regulator and affected data subjects in line with section 22 of PoPIA.
However, most organisations seem to be at a loss of how to:
The foregoing appears to be the case in the recent cyber attack that occurred at the Department of Justice where the Information Regulator wrote a stern letter to the Department of Justice about the "flawed way" in which it handled the cyber attack. In this cyber attack, the Department of Justice merely informed the Information Regulator that its computer systems had been hacked and that they are still investigating the matter without indicating whether any personal information was stolen, accessed or exposed.
So, what then must organisations do?
Organisations need to understand their notification obligations to the Information Regulator, in the first instance, and affected data subjects, in the second instance, in the event of there being reasonable grounds to believe that personal information of a data subject has been accessed or acquired by an unauthorised person. The test for what are "reasonable grounds" is likely to be a hybrid objective-subjective inquiry in that:
So, therefore, to the extent that the threshold of the requirement of reasonable grounds is satisfied, the Information Regulator and affected data subjects must be notified. This is an absolute, non-negotiable requirement. The only exceptions relate to when notification may be delayed which are limited to the following:
This notification obligation as set out in PoPIA differs from that of the General Data Protection Regulation 2016/679 which posits that only if the security compromise poses a high risk to those individuals affected then they should also be informed, unless there are effective technical and organisational measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialise.
Taking guidance from the remarks made by the Information Regulator regarding the poor handling of the security compromise by the Department of Justice, it is important for organisations to take cognisance of how such notification must be made to affected data subjects. To this end, PoPIA is instructive and provides that a notification to data subjects must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including:
Furthermore, PoPIA prescribes that notifications must be in writing and may be by way of either:
According to a data breach report published by IBM and the Ponemon Institute, the cost of a data breach in 2021 is $4.24 million (which is about R63 million) and this is an approximate 10% increase from the average cost in 2019 which was about $3.86 million (which is about R57 million). This cost, will no doubt, continue to soar going forward.
Considering the above, organisations should take steps, plan, prepare and safeguard themselves from potential security compromises and cyber attacks, especially given the notion of not "if", but "when" a security compromise may occur. In this way, organisations will be able to manage such risk effectively and foster customer trust and confidence which are foundational pillars of success for any organisation.
