26 Oct Dealing with a corporate data breach: A guide for businesses
As the threat of data breaches continues to surge, South Africa ranks 9th among the top 10 nations grappling with significant financial losses stemming from cyber-attacks. A recent study reveals that the average cost of a data breach in South Africa soared to approximately R58 million in 2021. The situation intensified in 2022, with a staggering increase from 234 to 580 reported security compromises. The first quarter of 2023 witnessed over 330 reported data breach incidents.
The Protection of Personal Information Act (POPIA) carries substantial implications for any corporation or entity that suffers a data breach. Regardless of its size, an entity is legally obligated to exercise due care in safeguarding individuals’ personal data. This adherence is closely monitored by the Information Regulator, the authority entrusted with the oversight and enforcement of POPIA compliance. Concealing a data breach by failing to report it may incur penalties of up to R10 million in fines and/or 10 years of imprisonment.
Even government entities are not exempt from accountability. In July 2023, the Department of Justice and Constitutional Development faced a R5 million fine for failing to heed an infringement notice from the Regulator. The breach resulted from a ransomware attack, compelling the Department to demonstrate within 31 days that it had fortified its information protection measures by renewing anti-virus and intrusion detection system licenses.
In the event of a data breach, POPIA mandates the following actions:
Develop a response plan and execute it
All entities must have a response plan for data breaches. This plan should delineate the steps required to contain and rectify the breach, mitigating its impact. The Regulator reserves the right to review this plan when a breach occurs.
Notify the Regulator
Any data breach must be immediately reported to the Regulator upon detection, using the Section 22 Security Compromise Notification Form, accessible on the Regulator’s website. The form demands comprehensive information detailing the nature and timing of the breach, actions taken for response and containment, and guidance for breach victims to secure themselves.
Notify affected parties
Individuals whose data has been compromised must receive direct notification. Mere public announcements, such as through company websites or social media platforms, are insufficient. In the Regulator’s eyes, breach victims must be formally informed via email or postal correspondence, in addition to public announcements on the company’s website and social media channels, as well as in the media.
Involve law enforcement
In cases of data breaches originating from cyber-attacks, law enforcement agencies, including the SAPS cybercrime division, must be engaged.
Conduct an investigation
The affected entity must investigate the breach’s root causes. The findings must be included in the notification form.
Remediate and prevent recurrence
Once the cause of the breach has been identified, the entity must implement measures to prevent its recurrence. These preventive security measures should be documented in the notification form. Rigorous system testing should form part of this process and of standard operating procedures generally, rather than being a reactive step taken only after a data breach.
In an era where data breaches are increasingly common, adherence to these guidelines empowers businesses to effectively manage and respond to such incidents while upholding legal compliance.
ABOUT THE AUTHOR
Megan Stella | Chief Operating Officer (COO)
Megan Stella is an accountant and IT professional with over 20 years of experience working in the insurance industry. She has extensive knowledge of IT and how to use it to improve business efficiency.