Cyber lives expose us to vulnerabilities
A REVIEW OF THE GOVERNMENT GAZETTE AND NEW DEVELOPMENTS IN LAW
Data breaches affect us personally and can put businesses at risk
In our personal and professional lives technology plays an enormous and ever growing role, whether it be the alarm on your smart phone that wakes you, the GPS navigation system that gets you to your destination, or the PC or laptop from which you send e-mails, check inventory, buy shares, prepare a report, or simply read the news. These are now standard features of our daily lives.
But have we stopped to think, as consumers and equally importantly, as business professionals, about how digitised our own personal information has become with this rapid information technology evolution?
ID number, passport number, driver’s licence number, date of birth, first, middle and last name; the list is endless and all of it is captured in a system to create a record that represents “us”. Stop and ask yourself how many such records of “us” exist. Technology will continue to advance and evolve and we will continue to “exist” digitally more and more as we live our lives and do business across electronic platforms in a “big data” world.
This applies whether it be communicating with one’s bank while wiring funds, accessing medical aid account benefits, sharing photos with a group of school mates on a social network platform, seeking out employment opportunities on similar platforms or sending a simple e-mail with a file attached.
The point being that to engage with people and businesses in these times we do so by sharing highly confidential information across infrastructures, potentially vulnerable ones.
There are now thousands of international and domestic examples of data breaches. Some of these are down to negligence but the reality is that most are due to deliberate, sophisticated frauds perpetrated by highly skilled and well-funded thieves.
And it’s not just consumers’ credit cards these criminals are after. This is one of the big misunderstandings of the information security world right now. Businesses also hold valuable corporate information. Examples of such could be investment market related data (merger or acquisition), damaging details to high profile celebrities (a leak could tarnish or ruin an endorsement) or the recipe blend for a particular brand of fried chicken.
On 4 October last year Adobe announced a security event which compromised 2.9-million customers’ credit cards. What makes this breach especially interesting is that the hackers also illegally took copies of the source code of some of the company’s most widely used products. These products are used on personal and business computers around the world.
This example demonstrates not only the potential knock-on security impact with the code in the hands of the wrong people but also points out that these products are highly valued revenue streams to the company.
Once these products are compromised their value greatly diminishes.
It is imperative for business to make concerted efforts to address these technological vulnerabilities. Investment in security infrastructure is critical. A dedicated role to manage security is a fundamental part of this, as is the creation of an incident response team along with an incident response plan, which should most definitely include a team of pre-tested vendors providing 24-hour response to your urgent needs, whether forensics, legal advice, data migration or support. Sweeping these breaches under the rug can no longer be the C-suite response.
South Africans have a constitutional right to privacy, which has been reinforced with the recent introduction of dedicated data protection legislation in the form of the Protection of Personal Information Act.
Companies that handle people’s personal information, whether of clients or suppliers or simply their own staff, will have to meet stringent requirements under the act, and could face fines of up to R10m if they fail to do so. Significantly, the act doesn’t just apply to “natural persons” but also to “juristic persons”, meaning that, for example, confidential correspondence between companies would fall under its purview.
The security stipulations of the act require companies to protect data and to identify all reasonably foreseeable internal and external risks. Companies are also expected to establish and maintain “appropriate safeguards” and to regularly verify and update them. Under the act, companies that experience a security breach and have information compromised will have to disclose this and inform all affected parties as soon as is reasonably possible. Companies may only delay notification if a law enforcement body determines that notification would impede a criminal investigation.
Ultimately, over and above the minimum security thresholds that need to be complied with, companies will have to consider the reputational damage a breach would cause, particularly as international information regulators have displayed an inclination to name and shame transgressors.
Insurance companies in international markets such as the US and the UK have developed sophisticated products to deal with the cost of managing significant data breaches and the liability and losses suffered as a result. The market in SA is new but there are certain offerings available from domestic underwriters. A common misconception in the South African insurance market is that traditional professional liability cover, and to a lesser extent commercial general liability cover, will address the liability and first-party financial losses resulting from an intrusion and breach of data. While there are degrees of overlapping coverage, the benefits of a standalone cyber liability policy can be significant in this context. Cyber insurance provides dedicated cover for contractual privacy risks and the exposure created through website privacy policies, terms of business agreements and other warranties and indemnities. A cyber policy should provide affirmative crisis management cover: indemnification for forensic assistance, legal counsel, reputational harm coverage to mitigate negative press, and, most importantly, the costs of notifying the affected third parties and the relevant regulatory authorities.
In short, as consumers and businesses we should be more cognisant of the information that we release and the purposes for which the information is being requested. Business in particular needs to be alive to the developments in the law and have procedures and policies in place to proactively manage that data and reactive protocols in place to manage breaches if (and when) they occur. Compliance with the law is only part of the solution. Consideration should also be given to the potential cost and liability associated with a breach and this should focus the mind on robust risk management policies, practices and procedures through the strengthening of a business IT infrastructure coupled with risk transfer to an insurance solution that caters for the esoteric risk of data theft.