DEALING WITH A SECURITY COMPROMISE IN THE ERA OF POPIA (PROTECTION OF PERSONAL INFORMATION ACT)

Experienced security professionals advise that even the most sophisticated organisations will eventually experience a personal information breach (security compromise). Organisations with multiple layers of digital and physical security are vulnerable to the persistent threats of malicious unauthorised intrusions. Perfect security is impossible and the damage to the organisation that results from the collection and (mis)use of data are constantly evolving.
An organisation without adequate policies and appropriate rules increases its risk regarding the loss of reputation, incurring of increased expense to address the breach as well as an increased fine or sanction from the Regulator.
What is a security compromise?
A security compromise, in the context of data protection, is a security incident in which personal information of an individual (known as a data subject) is accessed by an unauthorised person or entity.
Security measures on integrity and confidentiality of personal information.
The Protection of Personal Information Act, 4 of 2013 (“POPIA”), provides that a responsible party (any person or entity which determines the purpose of and means for processing personal information) must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical, and organisational measures to prevent:

  1. Loss of, damage to, or unauthorised destruction of personal information by an unauthorised person/entity; and
  2. Unlawful access to or processing of personal information by an unauthorised person/entity.[1]

To give effect to this, the responsible party must take reasonable measures to:

  1. Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  2. Establish and maintain appropriate safeguards against the risks identified;
  3. Regularly verify that safeguards are continually updated in response to new risk or deficiencies in previously implemented safeguards; and
  4. Ensure that safeguards are continually updated in response to new risks or deficiencies in previously implement safeguards.[2]

Furthermore, the responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.[3]
Notification of security compromises
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator the data subject (unless the identity of a data subject cannot be established).[4]
When must notification of a breach of security take place?
The notification must be made as soon as reasonably possible after the discovery of the compromise, considering the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.[5]
A responsible party may delay notification to the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines that notification to a data subject will impede a criminal investigation by the public body concerned.[6]
Ways to notify a data subject of a security compromise
The notification to a data subject must be in writing and communicated to the data subject in at least one of the following ways:

  1. Mailed to the data subject’s last known physical or postal address;
  2. Sent by e-mail to the data subject’s last known email address;
  3. Placed in a prominent position on the website of the responsible party;
  4. Published in the news media; or
  5. As may be directed by the Information Regulator.[7]

Content of a security compromise notification
The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including:

  1. Description of the possible consequences of the security compromise;
  2. Description of the measures that the responsible party intends to take or has taken to address the security compromise;
  3. Recommendations with regard to the measures that can be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  4. If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired personal information.[8]

Further directions from the Information Regulator
If the Information Regulator has reasonable grounds to believe that publicity would protect a data subject, who may be affected by a compromise, it may direct a responsible party to publicise the fact of any compromise to the integrity or confidentiality of personal information, in any manner specified.[9]
Conclusion
It is not a matter of “if” an organisation will experience a security compromise but more of a matter of “when”. Businesses need to ensure that there are adequate security safeguards in place to protect the integrity and confidentiality of personal information.[10]
An organisation armed with well-defined security policies and procedures assist in protecting the personal information held by that organisation from unauthorised access and disclosure.
*Kindly note that this is purely for informational purposes and does not constitute legal advice.
*Please contact Mikael Cain on mcain@blcattorneys.co.za
Author: Mikhael Cain