How to deal with a data breach in your organisation

July 1st, 2018

Cliffe Dekker Hofmeyr’s (CDH), Director in Technology and Sourcing Practice, Preeta Bhagattjee, spoke about managing data breaches and putting a response plan in place when there is a data breach. She spoke at CDH’s data breach and other risk faced organisations seminar, held in Johannesburg on 9 May.

By Kgomotso Ramotsho

Cliffe Dekker Hofmeyr (CDH), hosted a seminar on data breach and other risks faced by organisations, such as theft. The seminar was held in Johannesburg on 9 May. Cliffe Dekker Hofmeyr’s Director of Technology and Sourcing practice, Preeta Bhagattjee, said data breaches are a reality. She added that most organisations are likely to be victims of data breaches and pointed out that data breaches can affect companies in various ways, whether it is a staff member downloading ransomware, an employee who has lost an unsecure laptop, or a hacker who has managed to hack a client’s data.

Ms Bhagattjee said organisations need to focus and have clear strategies pertaining to data breach in place. She pointed out that report released by McAfee in February, put the total annual global cost of cybercrime at US$ 600 billion. She said a data breach can happen to anyone, however, it may not be an organisations worst nightmare if the organisation is well-prepared and knows how to deal with it.

Ms Bhagattjee said when a data breach occurs, an organisation faces a number of risks, namely –

  • reputational risk;
  • business interruption;
  • business continuity;
  • shareholders and customer confidence;
  • technology risk; and
  • regulatory scrutiny if you are in a regulated jurisdiction.

Ms Bhagattjee added a data breach in a regulated jurisdiction could lead to consequences, such as a fine or even imprisonment for senior managers. She noted that the fine in the Protection of Personal Information Act 4 of 2013 (POPI) could result in a fine, which will not exceed R 10 million in comparison to other direct or indirect costs that an organisation could incur.

Ms Bhagattjee said the solution for organisations to mitigate risks is to be ready for possible data breaches and that means that the organisation needs to formulate a road map to comply within the data breach area. She added that organisations must have cybersecurity and data protection as an agenda item at board level. She pointed out that organisations need to adopt a proactive risk management strategy and make sure that they have gathered evidence and have internal investigation processes in place.

Ms Bhagattjee added by assisting authorities to fight cybercrime in organisations will go a long way. She said that for organisations to develop a responsive plan for data breaches and cyber incidents, they had to start by determining the level of exposure by looking at the organisations –

  • universe of compliance;
  • assess which business assets or data is critical to the business;
  • understand the likely threats, such as disgruntled employees, external hackers, criminals, system vulnerability; and
  • with regard to the perspective of POPI not just focus on technology, but also physical documentation.

Ms Bhagattjee said it is important for organisations to look at third-party suppliers and assessing risks in that regard. She added that a data response plan should contain the following components –

  • established notification and escalation procedures;
  • a way to address when an attack or incident occurred;
  • a formulated Public Relations (PR) marketing strategy, or communications strategy that when a data breach occurs everyone in the organisation related to the PR department is aware of the breach and knows what to do;
  • cybercrime and data protection awareness campaigns, which include training programmes. Ms Bhagattjee said it is important that not only senior management are aware of the risks of data breaches, but it is equally important that employees are made aware of the risks, because vulnerability of breaches can often arise from the support staff in the organisation;
  • a reporting requirements procedure;
  • established evidence gathering procedures;
  • an established time when to notify police or shareholders;
  • cyber risk insurance to cover the cost that could be incurred at the organisation if or when a data breach occurs; and
  • an appropriate processes for a broader level of awareness.

Ms Bhagattjee said when a data breach occurs within an organisation and a response plan is in place, it should be implemented by the task team who was put together to deal with the incident. She added that appropriate steps must be taken – where possible – to minimise damage and focus on the necessary technology implementations to recover data. She pointed out that the response plan must include notifying the all the legislative, regulatory and industry bodies, depending on the circumstances one may need to report to the police and if POPI is fully implemented the organisation must notify the regulator and the data subjects of the breach.

Ms Bhagattjee added that it is advisable to test a response plan on an ongoing basis to make sure that the response plan and the Internal Information Security Policy and procedures remain adequate, and updated for the business’ needs in a changing world. Ms Bhagattjee touched on the Cybercrime and Cybersecurity Bill B6 of 2017 and mentioned that an electronic communication service provider or financial institution needed to be aware that if a data breach has taken place they are required to notify the South African Police Services (SAPS) within 72 hours of becoming aware of the incident.

Ms Bhagattjee pointed out that an electronic communications service provider and financial institution would also have to preserve evidence and any related information linked to the cybercrime. She added that there is an obligation in terms of the Cybercrimes Bill that organisation’s would be required to cooperate in assisting with evidence against a court order where the organisation’s computer system has been involved in a certain type of cybercrime. She noted that failing to comply with the specified requirements is considered an offence. She said that under POPI, organisations would need to notify the regulator and data subjects as soon as possible in respect of every data breach. She said unlike certain jurisdictions, elsewhere in the world, the notification was not only for high impact or high risk cases, but for all data breaches.

Ms Bhagattjee added that the regulator may require the organisation where the breach occurred to publicise the fact that the breach had occurred. She said that there are certain requirements in providing data subjects’ information when notifying the regulator, so that the organisation could take steps to help curb any further damages and potential consequences. She pointed out that the requirement of POPI also extended to operators, the third parties to whom an organisation might have asked to process information on their behalf. She said that there is an obligation for the third-party entities to alert the organisation whom they are processing information for immediately when there is a data breach.

Ms Bhagattjee referred to the King IV Code on Coporate Governance and said that, if an organisation is required to comply with King IV there is a very specific focus on the audible oversight of information and technology management and rolling it out into the organisation. She pointed out that the board is specifically tasked to make sure it proactively monitors cyber incidents and make sure that systems and processes are in place to protect personal information and secure company operations from a cybersecurity perspective. She added that when South African organisations look at the compliance universe, they have to start in South Africa (SA), however, she said that it does not end in SA.

Ms Bhagattjee pointed out that if South African organisations have operations outside of SA or if they service clients outside SA, they should take cloud services into account. She noted that under these circumstances the organisation may have to comply with foreign laws and this includes cases where an organisation hosts personal information or company information offshore with a cloud service provider. She added that if an organisation operates in Africa there are 15 countries that have data protection legislation in place, however, she said some countries like SA do not have implemented data protection but have a number of jurisdictions and Bill’s in progress.

Ms Bhagattjee pointed out that there is also the General Data Protection Regulation (GDPR) in the European Union. She said that if an organisation processes personal information relating to European citizens, that organisation must comply with the GDPR.

Director in Dispute Resolution of CDH, Zaakir Mohamed spoke about commercial crime in an organisation. He said human beings panic when they realise that a commercial crime has been committed. ‘We panic because of the people implicated in such crimes, people we trusted and would never thought they could commit such a crime,’ Mr Mohamed said. He added that sometimes one panics because of the amount of money involved. One would start thinking of how long the crime had been going on for. However, Mr Mohamed pointed out that one must not panic but remain calm and think about how the situation is going to be managed.

CDH’s Director in Dispute Resolution, Zaakir Mohamed, spoke on how to deal with commercial crimes in an organisation.

Mr Mohamed said that what organisations do when they have discovered that a crime has been committed is very critical. He pointed out that ultimately when an organisation discovers that they have been hit by commercial crime, it is likely to result in a legal processes. He added that it could be a civil legal process, where an organisation may want to recover some funds, however, it could be an employment law issue where there is a disciplinary inquiry to consider or a criminal element could be added, if an organisation wants to establish a criminal case. He said that organisations must make sure that they do not hinder any investigations, compromise evidence or compromise legal processes.

Mr Mohamed highlighted what organisations should do and what not to do when dealing with a commercial crime. He said the following questions must be asked:

  • How did the suspicion and the knowledge come about?
  • Was the crime discovered by someone in the finance department, because the numbers did not add up?
  • Was is it a whistle-blower who came forward?

He pointed out that it is important with regards to the Protective Disclosure Act 26 of 2000, that there is a certain way investigations are to be conducted. He added that the way the organisation found out about the crime is also important especially, if it was a rumour or if there was speculation in the organisation. He added that it is important to establish the source of the rumour, then see what the timelines in the investigation of the particular incident are.

Mr Mohamed said the organisation must know how credible and reliable the source that they are dealing with is if the whistle-blower has an agenda or a score to settle with the accused person. He added that the organisation had to check if the conduct had been an ongoing occurrence or if it had been a onetime thing, because that will determine the scope of the investigation. He noted that the organisation also has to check on who was potentially involved in the crime, as there may have been more than one suspect. He added that the organisation had to investigate further than the department and has to see who was close to the suspect. That would determine the kind of interviews that the organisation would have to will conduct, or the sources of information that might have to be used as evidence.

Mr Mohamed said the organisation has to also consider whether there was a reasonable explanation for what had been discovered, if there was an administrative error in finance or a miscalculation of funds. He added that organisations must bear all of these facts and start to formulate how they were going to deal with the particular incident. He pointed out that an organisation had to understand what it was dealing with and had to work on a plan of how they were going to deal with the crime. Having a plan in place would save the company a lot of money on unnecessary legal fees that may be incurred if the wrong approach is followed.

Mr Mohamed said that importantly one must identify the immediate risk and check if the relevant suspect had access to the organisations its IT system, because the suspect could go and destroy evidence. He added that the organisation had to be careful of how information was shared when a commercial crime occurred. He pointed out that sensitive documents should be password protected to prevent information falling into the wrong hands. He noted that organisations had to be fully aware of the insurance policy terms and reporting deadlines of the crime to the insurance. He said that when an organisation has realised that a commercial crime had taken place, they should make sure they do not do anything to compromise their insurance claim.

Mr Mohamed said that organisation did not need to rush to the SAPS unless there was an urgent need for urgent action. He added that when an organisation conducts an investigation the starting point should be:

  • With whom I should consult?
  • Is this something that can be handled within the organisation?
  • Does the organisation we have the right skills to conduct the investigation?
  • What implications may there be if the organisation conducts the investigation externally?
  • Could a third-party be appointed to conduct the investigation?
  • What would be the benefit of using a third party to conduct the investigation?
  • What skills set should the investigation team have?
  • What sort of expert advice does the organisation need?
  • What is the objective of the investigation?
  • Where can the evidence be found?
  • What kind of questions are going to be asked?
  • Who are the suspects?
  • What will the financial analysis reveal?

Mr Mohamed said that after conducting an investigation, there had to be an incident plan in place. He said managers had a way of dealing with matters differently and that if the organisation did not have a plan in place it would risk having the matter not being confidential. He added that the suspect might get a tip off if the managers went around speaking to people and not just dealing with one person about the matter. This could lead to the suspect destroying evidence. He noted that the organisation inappropriate action, if sufficient evidence is not gathered.

Mr Mohamed said an incident plan would help the organisations deal with the commercial crime in a systemic and efficient manner. He added that it provided an effective framework so the organisation was not in the position where they did not know what to do when an incident or crime occurred. He pointed out that organisation also needed to have a whistle-blowing policy set out, which included a data breach policy. He noted that organisations had to have fraud and corruption response plan.

National Head of Employment Practice and CDH director, Aadil Patel, said organisations must have a protective disclosures to deal with how employees can report misconduct. He was speaking at CDH’s seminar in Johannesburg.

National Practice Head of the Employment Practice, director, Aadil Patel, said the problem that whistle-blowers face is what they do when they have identified an act of corruption or an act of impropriety. He added that it did not help anyone when SA told people that they have great legislation or tell them what other countries did, but pointed out that practically people need to know what to do, because as the potential cooperate it may affect an organisations brand.

Mr Patel added that it could affect the reputation of the organisation in the market place and the like. He pointed out that a disclosure was when the whistle-blower wants to tell somebody that a criminal offence is going to be undertaken or someone is misbehaving and stealing. He said that if a whistle-blower gives information and the employer does not treat them well the Protected Disclosure Act is a great piece of legislation to turn to. He noted that as a responsible employer the minute a report of any incident is received, the employer has to investigate, either by getting the external third party to investigate or establish their own internal investigation department.

Mr Patel said organisations had to have a budget called a protective disclosure budget, which is a separate budget dealing with investigations of protected disclosures. He added that within 21 days an employer must tell an employee that they are going to investigate them. He noted that if employers wanted to take legislation seriously and be able to show that an employee had lodged a false claim, the employer has to institute a criminal charge or institute a civil claim. He pointed out that the legislation makes provision for action to be taken against individuals who lodge false clams.

Mr Patel said it was easy for an employer to say ‘I am not going to investigate’ and force the whistle-blower to go to the media, however, he added that would then result in a trial by media. He pointed out that the first decision every organisation should take is whether they are going to insource or outsource the investigation with regard to protected disclosures. He noted that there were a number of auditing firms that had helplines and that a report can be done anonymously. The auditing firm does, takes the information and sends it back to ‘anonymous’ and ‘anonymous’ has to decide what they want to do with the information.

Mr Patel said there is no wrong or right answer, however, employers had to make sure they have a procedure that sets out how to deal with protected disclosures and have an obligation to do so in 21 days. He added that if an employer disciplines an employee for being a whistle-blower the maximum charge to that employer may be 24 months’ compensation. He pointed out that an investigator, could ask what a protective disclosure can be when investigating. Mr Patel said organisations should have policies and procedures in place in order to determine how to deal with how employees could report protected disclosures.

Kgomotso Ramotsho Cert Journ (Boston) Cert Photography (Vega) is the news reporter at De Rebus.

This article was first published in De Rebus in 2018 (July) DR 13.