Data breaches and cyber-attacks are a common, and increasingly frequent, threat faced by every organisation. Most organisations and employees can relate to a myriad of distressing experiences: realising that you have just mistakenly sent an email to a large mailing list by putting all parties' email addresses in the “To” line, having your work laptop or files stolen from your car, or clicking on a link too quickly without checking who the sender was.

While these are common examples of unintended but entirely possible data breaches, cyber-incidents and data breaches can take many forms, ranging from the simplest employee error to more insidious cyber-attacks to which any organisation can fall victim. It is therefore imperative that your organisation is fully prepared for any cyber-incident and fully aware of its mandatory reporting obligations, in order to mitigate any possible losses and liabilities for your organisation.

The commencement of the Protection of Personal Information Act, 2013 (“POPIA”) on 1 July 2020 (subject to a one year “grace period”) has brought with it a mandatory data breach notification obligation (to both the Regulator and, in almost all instances, the affected data subjects) for all entities that process personal information. In addition, and hot on the heels of POPIA, is the Cybercrimes Bill, which has been passed by the National Council of Provinces and is awaiting signature by the President.

The Bill imposes a further mandatory obligation, on all “electronic communications service providers and financial institutions who are aware or become aware of the fact that their computer systems are involved in a cybercrime”, to notify the South African Police Service within 72 hours after becoming aware of the cybercrime.

In addition, all electronic communications service providers and financial institutions are required to preserve any information that may be of assistance to law enforcement agencies in investigating the offence. If parties fail to comply with these obligations, they could be found guilty of an offence and be liable on conviction to a fine not exceeding ZAR50 000.

If your organisation is faced with a cyber-incident or data breach, it is imperative that you have a clear, effective and robust plan on hand to deal with the incident. A major challenge is ensuring that all appropriate stakeholders in the business are consulted and work together speedily. These will generally include senior management, IT, legal, compliance and communications. These stakeholders will need to coordinate some of the most important aspects of responding to a cyber-incident or data breach, and the most effective way to do this, and to navigate any incident, is to adopt a robust incident response plan well in advance of any data breach or cyber-incident.

The content of an incident response plan is not mandated, but it should be tailored to the needs of, and the resources available to, each organisation. While an incident response plan has, at its heart, the objective of mitigating any liabilities that flow from data breaches and cyber-incidents, it also serves to bolster client and customer confidence after any event. The key aspects that should be included in an incident response plan include:

  1. the names and identities of the relevant stakeholders who should be involved in the response;
  2. an evaluation of the risks posed to the business;
  3. containment measures for any incident;
  4. the process for conducting an initial assessment of any incident;
  5. the remediation steps that should be implemented; and
  6. a clear understanding of notification obligations, including any notification to insurers under any applicable insurance policy.

Having a clear, readily accessible incident response plan available to implement immediately upon becoming aware of any cyber-incident or data breach is vital. It is also important to conduct periodic dry-runs, training, awareness sessions and testing of the incident response plan to ensure that it remains effective. This will enable your organisation to comply with its obligations under POPIA, navigate the aftermath of cyber-incidents and data breaches, and mitigate any possible liabilities faced by your organisation.

ENSafrica provides comprehensive and full-service data privacy and data-breach advice and assistance, including:

  • pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, incident response plans and coaching, contracts and procedures for businesses, information officer training services and advice on all aspects of POPIA, including trans-border transfers of personal information; and
  • post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches.
  • comprehensive coverage advice to clients in relation to cyber insurance policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.