Costly data breaches on the rise
The reputational issues are what should be keeping CEOs up at night
Data breaches are on the increase, particularly those caused by cyberattacks or hacking. These events can have costly consequences, including damages claims by data subjects and, in due course, fines by the information regulator. But the greatest cost of all is reputational. The reputational issues are what should be keeping CEOs up at night.
The Mimecast State of Email Security report shows that in the last 12 months 53% of organisations in SA reported an increase in phishing attacks and 46% reported an increase in impersonation fraud, with 75% of that increase in impersonation fraud occurring in the first 100 days of Covid-19.
Twenty-nine data breaches were reported to the regulator’s office between May and September in SA, but that was probably the tip of the iceberg as organisations are not yet legally obliged to report.
One of the growing forms of cyberattack is the use of ransomware to extort money from an organisation, either to make IT systems functional again or to prevent sensitive data from being released. A local high-profile case involved Liberty Group in 2018, when a hacker demanded payment after illegally obtaining data.
According to its public announcements, Liberty became aware of the breach on June 14 2018, informed customers on June 16 and made a Sens announcement on June 18. Its shares dropped 4% in that week but by all accounts it acted swiftly in notifying the public of the breach.
Liberty dealt with the issue well in two respects. First, the CEO showed leadership. This is an important aspect of all crises, and cyberattacks are no exception. Senior executives should reassure their stakeholders with concrete facts about what they know about what has happened and what is being done about it. All organisations depend on the trust of their employees, suppliers, customers and other stakeholders.
Second, Liberty did not wait for the internal investigation to be completed before making a statement, as many companies tend to do. It is sometimes necessary for a company to tell the public that it is investigating, and not to wait for absolute certainty. These attacks are hot topics with media and the life cycles of these stories are fairly long. Proactive management of the media and messaging is critical in effectively managing the crisis.
And it is not only local companies that have hit the headlines for data breaches. One high-profile example in the international arena is the Marriott hotel chain. It was hit by an attack in 2018, when it reportedly discovered that customer credit card and other personal details, involving 339-million people, had been stolen in a hack of its global reservation database. It also found this had been occurring since 2014. A class-action suit has recently been launched. The UK information commissioner's office has given notice that it may fine Marriott £99.2m.
A further example is British Airways (BA), at which 500,000 customers' details were stolen by hackers over a two-week period in 2018. Last Friday the information commissioner's office announced it would be fining BA £20m for this data breach, and the airline may have got off lightly: a year ago the office gave notice of its intention to fine BA £183m. These eye-popping numbers are possible in the UK because under the general data protection regulation fines can reach 4% of global annual turnover.
In SA the cost of data breaches was estimated by the Ponemon Institute and IBM at R37m per breach in 2020, or R2,700 per record, with about 22,060 records on average affected per breach. According to this research it takes about 56 days on average to identify a breach in SA, and 175 days to contain it. Companies may lay criminal charges in the event of unauthorised access to their databases. They are obliged to lay criminal charges in the event of an attempt to extort them.
In addition, companies will be required to take certain steps under the Protection of Personal Information Act when it begins to bite from July 1 2021 (at the moment it barks but does not bite, because "responsible parties" have until then to get their houses in order). Condition 7 of the act deals with the security safeguards an organisation must put in place to prevent unauthorised access to personal data.
If there are reasonable grounds to believe there has been a data breach, the organisation must notify the regulator and the affected data subjects as soon as reasonably possible after it occurs. Data subjects must be notified in writing. The act mentions post, e-mail, a website, news media or any other means directed by the regulator (but oddly not text messages). The notification must describe what has happened, the possible consequences, the measures the organisation intends to take or has taken, and who caused the breach, if this is known.
Notification of data subjects may be delayed in certain circumstances, such as when law enforcement or the regulator determines it would impede an investigation, or when the organisation first needs to take steps to restore the integrity of the system. We recommend that the regulator be notified at the same time as, or preferably before, the data subjects.
Since the act comes fully into force only on July 1 2021, there is not yet a legal duty to notify the regulator or data subjects if a data breach occurs before that date. That aside, it often makes reputational sense to do so. Moreover, it is often important to warn data subjects so that they can take steps to protect themselves, such as changing passwords. Organisations should take six main steps when faced with a cyberattack:
- Have a crisis communications strategy that allows you to swiftly convene a task group of senior executives, internal and external legal advisers and your insurer.
- Engage forensic investigators to help determine what happened.
- Inform law enforcement, particularly when the incident involves criminal activity (in a ransomware or other extortion attempt, laying criminal charges is mandatory).
- Engage the regulator and any other applicable industry regulator as soon as possible.
- Engage the data subjects.
- Consider issuing a proactive media statement, particularly if the breach is extensive and involves many millions of records. (For listed companies, a Sens announcement will often be mandatory.)
• Milo is a partner at Webber Wentzel.