The Protection of Personal Information Act - The need for a comprehensive breach plan

1. GUN SHOTS –
the need for a
comprehensive breach
plan.
Ahmore Burger-Smidt

2. A LEGAL OBLIGATION
> The Regulator (who has not yet been established) must be
informed of the breach
> The data subject must be informed of the breach
> The notification must be in writing (plain English) and can be
transmitted to the data subject by way of post (to the last known
postal or physical address), email, placed on the responsible party's
website, published in the news media or as may be directed by the
Regulator
> The notification must provide a description of the possible
consequences of the breach, the measures taken or to be taken to
by the company to address the breach; advice on what the data
subject could do to limit mitigate the possible adverse effects of the
security compromise and the identity of the person responsible for
breach, if known to the company
> The Regulator may direct the company to publicise details about
the data security compromise - if it will protect a data subject who
may be effected by the compromise.
2

3. 3
LEARN FROM HISTORY
• Zurich UK, outsourced the processing of its
data to Zurich South Africa
• In 2008, a tape containing customer data
was lost while being transported from the
data storage facility by a third party
• Zurich UK did not know that the data had
been lost until the loss was recorded in the
Zurich Group's annual data privacy report a
year later
• Regulator found that Zurich's management
and reporting lines were unclear and that the
Group's polices for security incidents were
not always consistent

4. 4
WHERE MIGHT IT BE COMING FROM
37%
35%
29%
 Malicious or criminal attack
 System glitch
 Human factor
Source
2013 Cost of Data Breach Study: Global Analysis

5. DETERMINE THE RISK
NO ONE SIZE FITS ALL!
> Threat modelling -
> Asset-focused approach: In an asset-focused approach, an
organisation focuses on its information assets and how they
might be vulnerable to information security threats. This
approach asks: "How do we protect this resource?"
> Attacker-focused approach: In an attacker-focused approach, an
organisation focuses on how attackers might try to access an
organisation's information technology ("IT") systems and
resources. This approach asks: "How will an attacker try and
harm this resource?"
> Design-focused approach: In a design-focused approach, an
organisation focuses on the design of an organisation's IT
systems and resources. This approach asks: "How can the
system be designed to resist attacks?"
5

6. PLANNING!
> Look at the risk of disasters and the business impacts of
each
> Design preventative and reactive controls
> When disasters strike, confidential, secret, personally
identifiable, or sensitive data may be exposed, and business
continuity plans must take into account how to protect
> Information
> Reputation
> Assets
6

7. IT IS IMPORTANT TO UNDERSTAND
7
Time
Goal
Actions driven
by strategy
Where are
we now?
Mission: how do we
mitigate exposure?
Values: What are our
enduring principles
and beliefs?
Vision: Where do we
want to be?
Strategy: How do we
get there?

8. BREACH REPORTING
There are three main approaches to breach reporting, each requiring a different protocol-
> Breaks from policy or established routine
> Such events are the lowest form of beach and may or may not present a security risk.
Leaders should note them and take appropriate action – empower and report
> Detected breaches
> Any incident involving unauthorised access to information systems containing sensitive
data, or any other breach of security protocols, must be reported and action taken
depending on circumstances – have breach notification obligations been triggered.
> Potential vulnerabilities or undetected breaches of system security
> An undetectable breach is one that, if it had occurred in the past, would not have been
detected. So-called-zero-day vulnerabilities are typical in that while the vulnerability has
existed for some time, it has only recently become known to the organisation
> All such vulnerabilities require immediate investigation regardless of whether any actual
breach has been detected.
8

9. BREACH PLAN
9
Several key activities must be incorporated into the breach plan
Procedures for declaration of an emergency Predefined roles and responsibilities
Call lists and
escalation criteria
Communications
plan, including with
external emergency
personnel
Scenario creation
for the impact of
each type of failure
and disaster
Priority order for recovering
each information resource
based on scenarios
Design, implementation, and
testing of failover and redundancy
in hardware, software and
networking capabilities
Training of all
involved parties
Reassessing on a
regular basis to
analyse new risk

10. THE WAY FORWARD
> When a breach has occurred, the company should –
> openly and timeously communicate with the customers
> stating the nature of the breach
> what information has been stolen and what the customer can do to
ensure that they are not victims of identity theft e.g. the 1 free
annual credit check that all customers are entitled to in terms of the
National Credit Act
> Tell the story - what the company is doing to prevent future data
breaches e.g. improving physical security if computers have been
stolen or improving the quality of security software
> Establish a comprehensive breach plan and ensure that all
employees know what to do in the event of a breach!
> Security breaches must be planned for
10

11. THANK
YOU
Legal notice: Nothing in this presentation should be construed as
formal legal advice from any lawyer or this firm. Readers are
advised to consult professional legal advisors for guidance on
legislation which may affect their businesses.
© 2014 Werksmans Incorporated trading as Werksmans Attorneys.
All rights reserved.