More and more clients are asking about data breaches and what they must do to respond to one. Media attention on high-profile cyber-attacks and data leakages, together with growing consumer awareness of the right to privacy, is fuelling business concern about data security and the risk of data breaches, and rightly so: the reputational risk alone can be devastating for a business. If this is you, this article can help, as we cover the basics of data breaches in the South African landscape.
The commencement of the Protection of Personal Information Act 4 of 2013 (“POPIA”) has significantly changed the obligations of businesses in the event of a data breach. POPIA gives effect to the constitutional right to privacy in South Africa and makes it clear that this right includes protection against the unlawful collection, retention, dissemination and use of personal information. As a result, POPIA places an obligation on persons and businesses who process personal information (“responsible parties”) to do so responsibly and to implement measures to prevent data breaches.
POPIA makes security safeguards one of its eight conditions for the lawful processing of personal information. This condition requires a responsible party to secure the integrity and confidentiality of the personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of that information, and any unlawful access to or processing of it.
Although ‘data breach’ is not defined in POPIA, it is generally recognised that a data breach has occurred when there are reasonable grounds to believe that an unauthorised person has accessed or acquired personal information under the control of a business, or that such data has been intentionally or accidentally lost, shared or destroyed. This covers a broad spectrum of circumstances, from hacking to the loss of a physical file, theft, or even an unauthorised person reading an email that contains personal information.
POPIA provides that, in the event of a data breach, a responsible party must notify the Information Regulator, as well as the data subjects whose personal information has been compromised, as soon as reasonably possible after the breach has been discovered. To deliver a meaningful notification and handle the matter properly, the business must already have internal procedures for assessing the event, its potential damage and impact, and the ways of mitigating that impact. The trigger for notification is the discovery of the breach, not the completion of the investigation, so that assessment has to run alongside the notification duty rather than postpone it.
The notification to the Information Regulator and the data subjects must be in writing and must contain sufficient information to allow data subjects to take protective measures against the potential adverse consequences of the data breach. It must include at least the following:
- A description of the possible consequences of the data breach.
- A description of the measures the business has taken, or intends to take, to address the data breach.
- Recommendations for the measures the data subject can take to mitigate the possible effects of the data breach.
- The identity, if known, of the unauthorised person who may have accessed or acquired the personal information.
A failure to notify the Information Regulator and the affected data subjects of a data breach can result in a fine of up to R10 million or even imprisonment of up to 10 years. These are serious consequences, and together with the reputational harm to your business they make a strong case for every business to have a framework in place to deal with data breaches.
Businesses should ensure that they have an appropriate data breach and incident response plan in place, detailing the steps the business must take in the event of a data breach, from assessing and containing the incident to meeting the notification requirements that follow it. Steps to limit the impact of a data breach are also required, and each business should build those steps into its planning. Businesses should also train and equip their employees with the tools and knowledge to defend against attacks and inadvertent data leakages; this has been shown to have a marked impact on limiting data breaches.
Lastly, data breaches are not a standalone issue but should form part of the broader data and cyber security framework of the business. Any data breach response plan should therefore be aligned with this broader framework.
If you feel that your business is unprepared to deal with a data breach, consult a data security and privacy law advisor who can sit down with you to analyse your business and its current framework and help you put a fit-for-purpose data breach incident response plan in place.

Disclaimer: This article is the personal opinion/view of the author(s) and is not necessarily that of the firm. The content is provided for information only and should not be seen as an exact or complete exposition of the law. Accordingly, no reliance should be placed on the content for any reason whatsoever and no action should be taken on the basis thereof unless its application and accuracy have been confirmed by a legal advisor. The firm and author(s) cannot be held liable for any prejudice or damage resulting from action taken on the basis of this content without further written confirmation by the author(s).