We’ve had a privacy breach – now what?

Incident Response

1

The threat of information breaches is well known and much discussed. The classification of the breach as a privacy breach may very well

introduce a new dynamic of regulated notification to your response. Being prepared to respond and notify appropriately not only meets the regulatory requirement, but has also shown to limit the consequential damage, both reputational and financial, of the breach.

3 2

How big is the threat?In 2013/14 the two most common sources of breaches were unintended disclosures, like misdirected emails (31%); and the physical loss of paper records (24%)(1).

In 2015, phishing, hacking and malware incidents rose significantly to take the lead in causes of breaches (with human error in these incidents remaining the root cause of the incidents), while employee mistakes remained high, taking second place(2). One just needs to consider the Panama Paper leak to understand how widespread the impact of an incident can be – in that case, an anonymous, unauthorised source leaked 11.5 million documents.

As general consumers and members of the public, we are aware of incidents where personal information is lost. "According to Deloitte's 6th Annual Global Security study, innovations in technology and the people using these technologies rank as one of the biggest threats, with 70 percent listing their employees’ lack of security awareness as an “average” or “high” vulnerability. Employees without sufficient awareness of security issues may put an organization at risk by talking about work in public, responding to phishing emails, admitting unauthorized people into the organization’s facilities."(3)

The question is not if you will be attacked: the question is when and how you will respond. Effective management of information security risks requires a robust combination of prevention, early detection, and rapid response. Being cyber resilient is just as, or even more, important than being cyber secure alone.”(3)

(1) https://iapp.org/news employee-error-cause-most-breaches-spyware-breaches-most-costly.(2)“Is your Organization Compromise Ready?” BakerHostetler, 2016 Data Security Incident Response Report(3) http://www2.deloitte.com/global/en/pages/about-deloitte/articles/study-finds-top-tech-media-telecom-

firms.html

5 4

The position in other African countries would need to be established based on the specific pieces of legislation (Ghana has no notification requirement, while Angola’s data protection authority has not yet been established). Kenya, Tanzania, and Uganda have data protection bills in place.

Law in Process

Morocco

Algeria

Tuni

sia

EgyptLibya

Nigeria

Wes

tern

Sahar

a

Mauritania

Cape Verde Islands Mali

SenegalThe Gambia

Guinea-Bissau Guinea

Sierra Leone

Liberia

Burkina Faso

Niger

ChadSudan

Central African

Republic

Ethiopia

Eritrea

Djibouti

Somalia

Comores

Seychelles

Mauritius

Reunion

Cameroon

GhanaCôte d'Ivoire To

go Beni

n

Equatorial Guinea

Cabinda

Gabon

DemocraticRepublic of the Congo

Angola

Namibia

South Africa

Botswana

Zambia

Zimbabwe

KenyaUganda

RwandaBurundi

Mozambique

Mal

awi

Lesotho

Swaziland

Mad

agas

car

Cong

o-Br

azza

vill

e

Sectoral Laws

No Data Protection Law

Has Privacy Law Protection

SouthSudan

What is the legal position around notification?A number of African countries have now enacted privacy frameworks or are planning data protection laws and this number is increasing. So far 14 African countries have privacy framework laws and some sort of data protection authorities in place. Once the African Union Convention on Cyber Security and Personal data Protection (Convention) is ratified across the continent, many other nations will likely enact personal data protection laws.

Currently, seven African countries have data protection bills in place: Kenya, Madagascar, Mali, Niger, Nigeria, Tanzania, and Uganda. Many analysts believe that the Convention seeks to replicate the European Union data protection model whereby each country has its own national data protection laws and authority. Despite these developments, the Convention still has many important areas to provide guidance on. For instance, the Convention fails to define what is meant by “consent”, "breach notification", “personal data” and the “legitimate grounds” individuals can raise to object to the processing of their information.(4)

Taking guidance from Europe however, where privacy legislation is more mature and practicalities have been tested, we suspect that some form of risk assessment would be required in the notification process. The new General Data Protection Regulation (GDPR), put forth by the European Commission in 2012 and generally agreed upon in its final form by the European Parliament and Council in December 2015, is set to replace the Data Protection Directive 95/46/ec. For the first time, the GDPR stipulates specific breach notification guideline. (5)

For instance, In the UK, the breach notification introduces a new requirement and The Institute of Internal Auditors has already put out some indication that incident management should form part of the scope of Internal Audit. This would include data privacy incident management and not just the traditional ITIL/Cobit incident management reviews.

(4)https://www.technologylawdispatch.com/2015/02/data-cyber-security/new-data-protection-laws-in-africa/ (5)EU agrees on new Privacy Regulation”, http://www2.deloitte.com/be/en/pages/risk/articles/new-eu-privacy regulation.html

Tanzania

7 6

Developing additional information security controls would be a natural result of a privacy assessment. But more importantly, it would be the timeous detection, containment, analysis and remediation after a breach that would differentiate your organisation from the next. The evidence likely to be required would follow the international trend:

• Documentation of the incident response; including notification

• Copies of security policies and procedures

• Evidence of education and awareness programmes

• Security risk analysis

• Risk mitigation plans

• Vendor agreements, where incidents were caused by a vendor

• Evidence of corrective action

• Notification to the Regulator and consumers

So how can organisations prepare for this inevitable requirement?

8

What is your state of readiness for notification?Exploring and investing in 24-hour monitoring in order to be aware and respond to incidents timeously would go a long way to enable compliance.

While some organisations are utilising the delay of the Data Protection Act to remediate their controls around privacy in the interim, incident management and notification procedures might need to be prioritised in order to deal with breaches which are happening right now. We strongly recommend some simulation testing to ascertain the state of readiness of all the role players in dealing with an incident where personal information is compromised. Exploring and investing in 24-hour monitoring in order to be aware and respond to incidents timeously would go a long way to enable compliance.

ContactsNavin SingManaging Director: Risk Advisory AfricaMobile: +27 83 304 4225Email: navising@deloitte.co.za

Derek SchraaderRisk Advisory Africa Leader: Cyber Risk Services Mobile: +27 79 499 9046Email: dschraader@deloitte.co.za

Raymond IsiahoRisk Advisory Manager: Kenya Mobile: +254 721 443 705 Email: risiaho@deloitte.co.ke za

Adam NasserDirector Risk Advisory: Tanzania Mobile: +255 22 216 9018Email: NAdam@deloitte.co.tz

Julie NyangayaRisk Advisory Regional Leader: East Africa Mobile: +254 720 111 888Email: jnyangaya@deloitte.co.ke

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL), its network of member firms and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global” does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Delolitte’s more than 225 000 professionals are committed to making an impact that matters.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte Network” is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2016. For information, contact Deloitte Touche Tohmatsu Limited