Cyber lives expose us to vulnerabilities

A REVIEW OF THE GOVERNMENT GAZETTE AND NEW DEVELOPMENTS IN LAW

Data breaches affect us personally and can put businesses at risk

Business Day - Business Law and Tax Review - FRONT PAGE - MALCOLM RANDLES, MATTHEW MORRISON & ZAID GARDNER

IN OUR personal and professional lives technology plays an enormous and ever growing role, whether it is the alarm on your smartphone that wakes you, the GPS navigation system that gets you to your destination, or the PC or laptop from which you send e-mails, check inventory, buy shares, prepare a report or simply read the news. These are now standard features of our daily lives.

But have we stopped to think, as consumers and, equally importantly, as business professionals, about how digitised our own personal information has become with this rapid evolution of information technology?

ID number, passport number, driver's licence number, date of birth, first, middle and last name: the list is endless, and all of it is captured in a system to create a record that represents "us". Stop and ask yourself how many such records of "us" exist. Technology will continue to advance and evolve, and we will continue to "exist" digitally more and more as we live our lives and do business across electronic platforms in a "big data" world.

This applies whether we are communicating with our bank while wiring funds, accessing medical aid benefits, sharing photos with a group of school mates on a social network, seeking out employment opportunities on similar platforms or sending a simple e-mail with a file attached.

The point is that to engage with people and businesses today we share highly confidential information across infrastructures, and potentially vulnerable ones.

There are now thousands of international and domestic examples of data breaches. Some of these are down to negligence, but the reality is that most are due to deliberate, sophisticated frauds perpetrated by highly skilled and well-funded thieves.

And it's not just consumers' credit cards these criminals are after. This is one of the big misunderstandings in the information security world right now. Businesses also hold valuable corporate information: investment market related data (say, on a pending merger or acquisition), damaging details about high profile celebrities (a leak could tarnish or ruin an endorsement) or the recipe blend for a particular brand of fried chicken.

On 4 October last year Adobe announced a security incident in which attackers obtained the encrypted credit and debit card records of about 2.9-million customers. What makes this breach especially interesting is that the hackers also took copies of the source code of some of the company's most widely used products, products that run on personal and business computers around the world.

This example demonstrates two things. First, the knock-on security impact: with the source code in the wrong hands, attackers can hunt for exploitable flaws in the product itself far more efficiently than by probing it blindly, and every installation becomes a potential target. Second, these products are highly valued revenue streams for the company.

Once these products are compromised in this way, their value greatly diminishes.

It is imperative for business to make concerted efforts to address these technological vulnerabilities. Investment in security infrastructure is critical, and investment in a dedicated role to manage security is a fundamental part of this. So is the creation of an incident response team and an incident response plan, which should most definitely include a panel of pre-tested vendors providing 24-hour response to your urgent needs, whether that be forensics, legal advice, data migration or support. Sweeping these breaches under the rug can no longer be the C-suite response.

South Africans have a constitutional right to privacy, which has been reinforced by the recent introduction of dedicated data protection legislation in the form of the Protection of Personal Information Act.

Companies that handle people's personal information, whether of clients or suppliers or simply their own staff, will have to meet stringent requirements under the act, and could face fines of up to R10m if they fail to do so. Significantly, the act doesn't just apply to "natural persons" but also to "juristic persons", meaning that, for example, confidential correspondence between companies would fall under its purview.

The security stipulations of the act require companies to protect the data they hold and to identify all reasonably foreseeable internal and external risks to it. Companies are also expected to establish and maintain "appropriate safeguards" against those risks, and to regularly verify that the safeguards are effective and keep them updated. Under the act, companies that experience a security breach in which personal information is compromised will have to disclose this to the Information Regulator and inform all affected parties as soon as is reasonably possible. Notification may be delayed only if a law enforcement body determines that it would impede a criminal investigation.

Ultimately, over and above the minimum security thresholds that must be complied with, companies will have to consider the reputational damage a breach would cause, particularly as international information regulators have shown an inclination to name and shame transgressors.

Insurance companies in international markets such as the US and the UK have developed sophisticated products to deal with the cost of managing significant data breaches and the liability and losses suffered as a result. The market in SA is new, but there are certain offerings available from domestic underwriters. A common misconception in the South African insurance market is that traditional professional liability cover and, to a lesser extent, commercial general liability cover will address the liability and first-party financial losses resulting from an intrusion and breach of data. While there are degrees of overlapping coverage, the benefits of a standalone cyber liability policy can be significant in this context.

Cyber insurance provides dedicated cover for contractual privacy risks and the exposure created through website privacy policies, terms of business agreements and other warranties and indemnities. A cyber policy should provide affirmative crisis management cover, indemnifying the insured for forensic assistance, legal counsel and reputational harm coverage to mitigate negative press, and, most importantly, cover the costs of notifying the affected third parties and the relevant regulatory authorities.

In short, as consumers and businesses we should be more cognisant of the information we release and the purposes for which it is being requested. Business in particular needs to be alive to developments in the law and have policies and procedures in place to proactively manage that data, as well as reactive protocols to manage breaches if (and when) they occur. Compliance with the law is only part of the solution. Consideration should also be given to the potential cost and liability associated with a breach, and this should focus the mind on robust risk management policies, practices and procedures: strengthening the business's IT infrastructure, coupled with transferring risk to an insurance solution that caters for the esoteric risk of data theft.


