POPIA
DIY

WEEK 7:
Data breach – what should you do?

This week we’ll unpack data security breaches. We’ll look at what constitutes a breach, what procedures you should have in place in case of a breach and how you should respond if the worst happens.

A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual who is not authorised to do so.

Here are a few examples:

  • There is a break-in at your practice and your patient files are stolen.
  • You accidentally email a patient’s HIV test results to your newsletter mailing list.
  • Your server is infiltrated by a virus and all patient records are destroyed.

When you look at data breaches around the world, and now in our own back yard, businesses often find themselves in hot water for not being prepared to deal with the breach.

Your response

  • must be swift,
  • must give the affected people the tools to protect themselves, and
  • must not open you up to liability (the legal stuff like fines and civil actions).

You must manage the PR fallout. The harm to your reputation is the biggest risk when a breach happens.

The POPIA says that the responsible party must notify the Information Regulator and the affected data subjects (those whose PI was accessed) as soon as reasonably possible if there are reasonable grounds to believe that there has been unauthorised access to PI.

This is what should be in the notice:

  • a description of the possible consequences of the breach
  • a description of the measures that you have taken or intend to take to address the breach
  • a recommendation relating to the steps that data subjects should take to protect themselves
  • the identity of the unauthorised party who may have accessed the PI

Your breach response policy must set out everything, including:

  • where and how to report the breach
  • who should be notified
  • steps taken to address the fallout
  • who gets to liaise with the regulator
  • who gets to draft and send the notices to everyone affected by the breach

DO YOUR STAFF KNOW WHAT THE BREACH PROCEDURE IS?

Training is essential. In a crisis, you want your staff to know what to do without having to think about it.

Keep a record of any policies and procedures that you have implemented and of the training that your staff have received on data security and data breaches. If you ever need to defend yourself against fines or civil actions, you’ll need evidence of the steps you’ve taken to mitigate this risk.

1. Put a breach procedure in place

Update your GAPS sheet if you don’t have a breach procedure in place, and plan to sort it out. The list above sets out what you should cover in your policy and procedure.

2. Train your staff

Consider implementing an online training platform to train your staff on the new policy and procedure, and schedule refresher training at least once a year.

3. Don’t try to hide a breach

And finally, never try to hide a data breach or delay responding to it. Companies that have failed to respond quickly have suffered the largest losses.

Remember that you have a free one-hour consultation included with this programme!
Use it, and contact us if you have any questions about this week’s topic.