We’ve had a privacy breach – now what?

Incident Response

1

The threat of information breaches is well known and much discussed. The classification of the breach as a privacy breach may very well

introduce a new dynamic of regulated notification to your response. Being prepared to respond and notify appropriately not only meets the regulatory requirement, but has also shown to limit the consequential damage, both reputational and financial, of the breach.

3 2

In 2013/14 the two most common sources of breaches were unintended disclosures, like misdirected emails (31%); and the physical loss of paper records (24%)(1).

In 2015, phishing, hacking and malware incidents rose significantly to take the lead in causes of breaches (with human error in these incidents remaining the root cause of the incidents), while employee mistakes remained high, taking second place(2). One just needs to consider the Panama Paper leak to understand how widespread the impact of an incident can be – in that case, an anonymous, unauthorised source leaked 11.5 million documents.

As general consumers and members of the public, we are aware of incidents where personal information is lost in South Africa. In December 2015, it was reported that an international hotel chain was infiltrated and credit card details of customers lost in over 50 countries. In March 2016, an insurance company had to respond to an incident where personal information was mistakenly sent to the incorrect recipient, in unprotected form.

Research indicates that the healthcare industry is at the highest risk (23% of all incidents), with financial services (18% of incidents) in second place. The impact of incidents however, has been reported as being more severe in the hospitality and insurance industries, in first and second place respectively(2).

How big is the threat?

(1)https://iapp.org/news employee-error-cause-most-breaches-spyware-breaches-most-costly.(2)“Is your Organization Compromise Ready?” BakerHostetler, 2016 Data Security Incident Response Report.

5 4

In South Africa, the Protection of Personal Information (POPI) Act does not have an effective date yet as we are awaiting the appointment of the Regulator. As such, there is no legal obligation to report to either the Regulator or the person(s) whose information was compromised as yet. Once effected, we believe further guidance will be provided, since POPI currently suggests that all losses should be reported, in writing, to both the Regulator and the person(s) affected.

Taking guidance from Europe however, where privacy legislation is more mature and practicalities have been tested, we suspect that some form of risk assessment would be required in the notification process.

The new General Data Protection Regulation (GDPR), put forth by the European Commission in 2012 and generally agreed upon in its final form by the European Parliament and Council in December 2015, is set to replace the Data Protection Directive 95/46/ec. For the first time, the GDPR stipulates specific breach notification guidelines.

In the event of a personal data breach, data controllers must notify the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. If notification is not made within 72 hours, the organisation must provide a reasoned justification for the delay. However, notice is not required if the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals(3). The Panama Paper leak occurred almost a year before the information was published in the beginning of April 2016. By 4 April 2016, Ramon Fonseca, the director of Panama-based law firm Mossack Fonseca, said that all of the firm’s clients had been notified of “this problem”, arguing that the firm has been caught up in an international anti-privacy campaign.

In the UK, the breach notification introduces a new requirement and The Institute of Internal Auditors has already put out some indication that incident management should form part of the scope of Internal Audit. This would include data privacy incident management and not just the traditional ITIL/Cobit incident management reviews.

Seeing as POPI is founded on and derived from the same principles as the soon to be replaced European Data Protection Directive 95/46/ec, we anticipate that POPI will adopt the same stance towards incident management and notification as the new GDPR.

The position in other African countries would need to be established based on the specific pieces of legislation (Ghana has no notification requirement, while Angola’s data protection authority has not yet been established). Most African countries only provide constitutional protection and thus have no notification requirements.

What is the legal position around notification?

Law in Process

Morocco

Algeria

Tuni

sia

EgyptLibya

Nigeria

Wes

tern

Sahar

a

Mauritania

Cape Verde Islands Mali

SenegalThe Gambia

Guinea-Bissau Guinea

Sierra Leone

Liberia

Burkina Faso

Niger

ChadSudan

Central African

Republic

Ethiopia

Eritrea

Djibouti

Somalia

Comores

Seychelles

Mauritius

Reunion

Cameroon

GhanaCôte d'Ivoire To

go Beni

n

Equatorial Guinea

Cabinda

Gabon

DemocraticRepublic of the Congo

Angola

Namibia

South Africa

Botswana

Zambia

Zimbabwe

Kenya

Tanzania

Uganda

RwandaBurundi

Mozambique

Mal

awi

Lesotho

Swaziland

Mad

agas

car

Cong

o-Br

azza

vill

e

Sectoral Laws

No Data Protection Law

Has Privacy Law Protection

SouthSudan

(3)EU agrees on new Privacy Regulation”, http://www2.deloitte.com/be/en/pages/risk/articles/new-eu-privacy-regulation.html 

7 6

Developing additional information security controls would be a natural result of a privacy assessment. But more importantly, it would be the timeous detection, containment, analysis and remediation after a breach that would differentiate your organisation from the next. The evidence likely to be required by the South African Regulator would follow the international trend:

• Documentation of the incident response; including notification

• Copies of security policies and procedures

• Evidence of education and awareness programmes

• Security risk analysis

• Risk mitigation plans

• Vendor agreements, where incidents were caused by a vendor

• Evidence of corrective action

• Notification to the Regulator and consumers

So how can organisations prepare for this inevitable requirement?

8

What is your state of readiness for notification?

While some organisations are utilising the delay of the POPI Act to remediate their controls around privacy in the interim, incident management and notification procedures might need to be prioritised in order to deal with breaches which are happening right now. We strongly recommend some simulation testing to ascertain the state of readiness of all the role players in dealing with an incident where personal information is compromised. Exploring and investing in 24-hour monitoring in order to be aware and respond to incidents timeously would go a long way to enable compliance.

Exploring and investing in 24-hour monitoring in order to be aware and respond to incidents timeously would go a long way to enable compliance.

ContactsNavin SingManaging Director: Risk Advisory AfricaMobile: +27 83 304 4225Email: navising@deloitte.co.za

Dean Chivers Risk Advisory Africa Leader: Governance, Regulatory & RiskMobile: +27 82 415 8253 Email: dechivers@deloitte.co.za

Candice HollandDirector: Risk Advisory Southern AfricaMobile: +27 82 330 5091Email: caholland@deloitte.co.za

Mimi le RouxAssociate Director: Risk Advisory Southern AfricaMobile: +27 83 655 3358Email: mleroux@deloitte.co.za

Derek SchraaderRisk Advisory Africa Leader: Cyber Risk ServicesMobile: +27 79 499 9046Email: dschraader@deloitte.co.za

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL), its network of member firms and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Delolitte’s more than 225 000 professionals are committed to making an impact that matters.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2016. For information, contact Deloitte Touche Tohmatsu Limited

Designed and produced by Creative Services at Deloitte, Johannesburg. (811622/Vee)