It seems that hardly a week passes without yet another large data breach grabbing the headlines. The recent high-profile hack of the file transfer tool MOVEit, in which data at about 600 organisations was reportedly compromised affecting almost 400 million people globally, is a stark reminder of the pervasive threat businesses face.
South Africa has not been immune to such incidents either. In 2020, credit bureau Experian experienced a data breach that exposed the personal information of about 24 million South Africans and more than 790 000 business entities. The hack of TransUnion in 2022 also exposed millions of South Africans to potential risk.
Research done by the tech firm Proxyrack placed South Africa ninth amongst the top 10 countries experiencing significant financial losses due to data breaches. It added that the average cost of a data breach in South Africa was about R58 million in 2021.
The Information Regulator, the body responsible for enforcing compliance with the Protection of Personal Information Act (POPIA), has also noted an increase in incidents. In 2021, a total of 234 security compromises were reported to the Regulator. The following year, the number jumped to 580, while more than 330 were reported in the first quarter of 2023.
Data breaches caused by cyber-attacks have also become more prevalent, said Mukelani Dimba, Executive for Education and Communication at the Information Regulator. “We used to receive a lot of reports about document mishandling, largely due to human error, but these have since declined. Now, most of the reports we get are because of unauthorised access to personal information by threat actors.”
Grave consequences
There was a time when businesses would have tried to sweep the news of a data breach under the rug. However, this can no longer be done, as POPIA places certain obligations on both public and private entities that deal with people’s personal information.
Failing to report a breach means non-compliance with the Act. This can result in a fine of up to R10 million and/or 10 years in jail. While no one has been fined for failing to report a breach yet, the Regulator has administered its first penalty for POPIA non-compliance.
In July this year, it slapped the Department of Justice and Constitutional Development (DoJ&CD) with a R5 million fine after the Department failed to comply with an infringement notice issued by the Regulator on 9 May 2023. The notice required the DoJ&CD, which had suffered a ransomware attack and data breach in 2021, to submit proof to the Regulator within 31 days that it had renewed its Trend Anti-Virus licence, security information and event management (SIEM) licence and an intrusion detection system licence.
Steps to take after a breach
Regardless of whether the personal data of one person or millions was compromised, institutions need to take certain actions, according to POPIA.
An institution that suspects that an unauthorised person has gained access to personal information under its control must immediately activate its data breach response plan to contain and remediate the breach and so limit the damage. All entities that manage personal information should therefore have a response plan in place, which the Regulator may ask to see if it conducts an investigation.
Using the Section 22 Security Compromise Notification Form, which is available on the Regulator’s website, the business must inform the Regulator as well as the data subjects, namely the person or people whose personal data was compromised, of the breach as soon as reasonably possible.
“Failure to do so is an offence,” warned Dimba. “We find that companies often delay informing the Regulator and do not use the appropriate platforms to inform the affected data subjects. Simply posting on the company’s website isn’t enough.” The data subjects must be informed in writing directly via one of the appropriate methods mentioned in Section 22, such as email or post. The business should also put a prominent notification on its website and in media publications.
The Notification Form has different sections that require specific information, for example, a description of the incident, what steps the business took to address the security compromise, and recommendations on how the data subjects can protect themselves. It also asks for the date of the security compromise, as well as the date on which it was reported to the Regulator. If there is a delay between these dates, the Regulator will want an explanation.
While the Act doesn’t mention that staff or other stakeholders in the business should be notified, it is best practice to inform these parties of the breach as well. This builds trust within a company, not just outside it.
Investigate
The business needs to determine exactly how the breach occurred. Was it due to human error or did cybercriminals exploit weaknesses in the company’s software programmes? The human factor is often the greatest threat to information security, whether through negligence or persons accessing information to illegally provide it to third parties for monetary gain. If the breach was due to the actions of cybercriminals, it is important to involve law enforcement.
The cause of the breach must be addressed to prevent future incidents from occurring. Part D of the Notification Form asks for a full description of the measures the business intends to take, or has taken, to address the security compromise and protect the personal information of the data subjects from further unauthorised access or use.
While not specifically mentioned in the Act, after a business has updated its data protection procedures to address the identified security concerns, it would be wise to test the updated systems. This can determine if they would withstand another attempted breach. In fact, businesses should proactively risk rate, review and test their data protection procedures periodically, rather than solely in response to breaches. This would ensure their security systems remain relevant and effective.
Prevention is better than cure
While the Regulator is generally pleased with the business sector’s compliance with POPIA, more can be done to strengthen infrastructure to secure personal information, said Dimba. “The increase in data breaches tells us that the safeguards adopted by responsible parties in handling personal information are falling short of what is required to protect personal information. Vulnerabilities in systems must be identified and mitigated proactively,” he advised.
There is no denying that the rapidly evolving cybersecurity landscape makes staying ahead of criminals a formidable challenge. As they constantly devise new methods to gain unauthorised access to personal data, businesses must be proactive in enhancing their security measures to protect sensitive information. Cybersecurity insurance can help mitigate the financial damage caused by a data breach, but it is essential for organisations to take further steps to safeguard the personal data they handle.
One effective strategy is for organisations to engage the expertise of IT professionals to thoroughly review their cybersecurity systems. In addition, they can use compliance and risk management service providers to help them draft a comprehensive data breach response plan – including guidance on how to complete the Security Compromise Notification Form. They can also train staff to ensure compliance with POPIA and reinforce cybersecurity best practices.
Additional duties for financial advisors
Apart from their responsibilities under the POPI Act, additional legislation places further obligations on financial advisors. They are required to safeguard client information and prevent cyber threats or attacks by implementing adequate IT risk-management and cyber security protocols.
These duties are already applicable in terms of Section 37(2)(b)(iii) and (iv) of Board Notice 194 of 2017. However, the recently released Financial Sector Conduct Authority (FSCA) Regulatory Plan provided an update on two pieces of regulation for Category II, Category IIA and selected Category I financial service providers (FSPs).
According to the FSCA Regulatory Plan, the aim is to finalise the following before the end of 2023:
• For Category II and Category IIA FSPs: The Draft Joint Standard on Information Technology Governance and Risk Management. (Final draft submitted to the National Treasury for tabling in Parliament on 14 December 2022. Proposed effective date: 1 January 2024.)
• For Category II, Category IIA and Category I FSPs that provide investment fund administration services in collective investments or hedge funds: The Draft Joint Standard on Cyber Security and Cyber Resilience Requirements. (Second draft published for public comment on 13 December 2022.)
Prevention really is better than cure, and taking these proactive measures can go a long way towards protecting an entity from a breach and minimising the fallout should an unauthorised person gain access to sensitive information.