Braced for the inevitable breach-of-trust bombshells
When last did you hear of a South African bank, insurance company, hospital or major retailer suffering a major security breach of its information systems? Probably never. But that is hardly a reason for confidence in the privacy of personal data such as health and financial status. In reality, because institutions have never been under an obligation to report such breaches, they have tended to sweep them under the carpet.
That will no longer be possible, or at least no longer legal, once the Protection of Personal Information Act comes into effect in South Africa. Signed into law two years ago, it awaits proclamation of a commencement date. Companies will then have a one-year grace period to get their data house in order, and to prepare for the bombshells that will land when they do suffer breaches.
“South Africa has a culture of non-disclosure and cover-ups when it comes to data loss and data breaches, but [the act] will force much greater transparency,” said Jos Floor of Floor Swart attorneys.
“A lot of companies prefer to deal with things quietly, and in some the culture of the cover-up is so strong that the board would rather not discuss an issue, or even get a report, to avoid putting their awareness of a problem on record. That is no longer an option.”
International experience signals that such reporting will make us aware of just how vulnerable we are to breaches.
“Everyone says cyber breaches are big issues in the US, but that’s only because it has to be reported,” said Brian West, senior vice-president at international communications firm Fleishman-Hillard, during a recent visit to South Africa.
“I suspect that, once it has to be reported in Europe and here, you’re going to hear a lot more about it.”
In the US, breaches of health data must be reported within 60 days under the HIPAA breach notification rule, and state laws set their own deadlines for other personal data. South Africa will require the regulator to be notified as soon as reasonably possible after a compromise is discovered. While that may seem onerous, it could well save companies from exacerbating their reputational damage.
West gave the example of US retail giant Target, where hackers stole 40 million payment card records in 2013.
“The typical response of a company is, ‘We want to know everything before we say anything.’ But people whose records are stolen need to be told immediately.
“They sat on the information for some time, and the delay cost them trust of customers. The breach occurred in September 2013, and they only announced it in January 2014. The share price plummeted, because they had also breached investors’ trust.
“On the other hand, the medical insurance company Anthem had a breach of 80 million medical records. They told customers and the FBI immediately, and set up help lines. The share price did drop initially, but then grew significantly, thanks to the trust that was earned.”
West recommended a “holistic approach” to cyber security.
“When Vodafone in Germany had two million records stolen internally, it showed that it’s now also a human resources issue, demanding vetting and education of employees. A German steel mill got hacked, causing immense damage and forcing the plant to be shut down. That made it an emergency response matter, which falls under operations, and of business continuity, which falls under legal.”
That is even before the communications and investor relations departments get in on the act. When breaches go public, companies will have to learn a new way not only of communicating externally, but also of organising themselves internally.
As West said, “You can’t buy time in a crisis.”
Goldstuck is founder of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on YouTube and Twitter @art2gee