Data breach notification is both good business and required by law. What can we learn from the Regulator’s media statement on the Experian breach?

Not if but when

Commentators on cybersecurity warn “…it is not a question of if a data breach occurs, but when a data breach occurs.” Personal information is a very valuable commodity and the stark fact is it is very difficult, if not impossible, to maintain absolute safeguards against every attack or breach that may occur.

Data breach notification is very important

The requirement to notify data subjects and the Regulator of data breaches is a measure that has repeatedly proved to be a critical protection for data subjects. The mere fact that it is unlawful not to report a breach means that cybersecurity is taken more seriously by many organisations that fear the reputational damage that may result. It is also the data subject's right to know if the confidentiality and integrity of their personal information has been compromised.

While there are processors that act properly in protecting personal information, regardless of legal requirements, I know of many data breaches that have occurred in South Africa where processors have chosen to disregard clients' constitutional right to privacy and the obligation to protect personal information, and have not reported the data breach to data subjects. Even in several well-publicised instances in South Africa where the breach has been reported, processors have been less than forthcoming with the facts, regardless of the potential consequences to data subjects.

The media statement of the Information Regulator on the Experian security breach

The long-overdue proclamation of the commencement of PoPIA will, from 1 July 2021, make the failure to properly notify data subjects of a breach unlawful. The Information Regulator's media statement addressing the Experian breach provides valuable insight into how the Information Regulator will deal with data breaches.

Data subjects need assistance to protect themselves

It is interesting that financial institutions that rely on credit bureau information immediately alerted clients to the possibility of their information being compromised and provided guidance on protecting their personal information, particularly when conducting online financial transactions. The involvement of the South African Bank Risk Information Centre (SABRIC) and the South African Fraud Prevention Association (SAFPS) is to be welcomed in the often-unequal war against cybercriminals. It highlights the importance of data protection legislation locally and globally, and the tragedy of the inordinate delays by the Department of Justice in implementing PoPIA and appropriate cybercrime laws, which have resulted in irrecoverable damage to many South Africans.

What lessons can we take from it?

What can we learn from the Information Regulator's media statement and the circumstances surrounding the Experian data compromise?

  • Even large entities with a global footprint, which invest heavily in cybersecurity, are not immune from a data breach.
  • When a data breach occurs, authorities, the media, shareholders and customers will ask questions about the organisational and technological measures taken and why they failed.
  • The legal requirement to notify data subjects and the Regulator as soon as reasonably possible demands sound incident response, which is integral to the security safeguards you must maintain. As a guide, the Regulator appears to regard 72 hours as a reasonable time period.
  • For many processors of personal information, the failure to act properly, both before and after a breach, opens the possibility of reputational damage that may be significantly more severe than any regulatory response.

Secure personal data and respond quickly if there is a breach

Data protection for any modern business is not a "nice to have". It is an essential part of doing business in the 21st century. Appropriate security is a legal obligation owed to data subjects. Even where the security measures are good, the ability to respond quickly to a data breach and mitigate the risk to both the data subject and the processor is simply good business.