Ideas & Debate

Why your organisation should be concerned about data breaches


Summary

  • Data breaches, which involve the access, theft and even sale of personal data, undoubtedly constitute a significant element of these attacks.
  • It is likely that your organisation may become a victim of a cyber-attack (if it hasn’t already), particularly given the increased technology uptake and the fact that many employees are increasingly working remotely given the Covid-19 pandemic.
  • The physical and virtual threats to IT assets and the subsequent risk of data breaches have therefore increased exponentially.

There has been a significant rise in cybercrimes in Kenya. In press releases recently associated with National Safe Internet Day celebrations in Nairobi, the Communications Authority of Kenya (CA) noted that cyber-attacks on Kenyan organisations rose by nearly 50 percent in the last three months of 2020 compared to a similar period the previous year.

Data breaches, which involve the access, theft and even sale of personal data, undoubtedly constitute a significant element of these attacks.

ICT Cabinet Secretary Joe Mucheru, speaking at the same event, urged the CA to heighten its cyber threats detection and monitoring capacity to mitigate the risk. Given the CS’s concerns and information from companies that have been the victim of such attacks, the reported cases may well be lower than the actual reality in the marketplace.

It is likely that your organisation may become a victim of a cyber-attack (if it hasn’t already), particularly given the increased technology uptake and the fact that many employees are increasingly working remotely given the Covid-19 pandemic. The physical and virtual threats to IT assets and the subsequent risk of data breaches have therefore increased exponentially.

Aside from the obvious financial and reputational threat to your organisation, data breaches may also expose your organisation to litigation from aggrieved clients and other parties and possible administrative fines from the regulator (Data Protection Commissioner) of up to Sh5 million.

This is already becoming a topical issue within the region, with the enactment of the Data Protection Act (the Act). For example, it has been reported that a leading telco is involved in litigation concerning an alleged subscriber data breach — which revealed personal information, including identity and passport numbers, gender, age and sports-betting history.

A complainant in the matter has through his counsel sought the intervention of the Data Protection Commissioner and it will be interesting to see how this matter progresses as one of the first key matters handled by that office.

Under the Act, in the event of a data breach, an organisation will have 72 hours to advise the Data Protection Commissioner of the breach if it involves loss of personal data. If the breach is reported after 72 hours, you are required to attach to the notification of breach the reasons explaining the delay in notification. The Act further requires organisations to:

  • identify foreseeable risks to personal data they control and process;
  • establish and maintain appropriate safeguards;
  • ensure the pseudonymisation and encryption of personal data;
  • ensure they have the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical threat;
  • verify that safeguards are effectively implemented and continually updated in response to new risks and deficiencies.

In a recent article, I noted that effectively meeting the above obligations will require individuals with technical skills and competency to assist organisations to develop a comprehensive data privacy programme. This will likely include individuals with skills in law, data privacy and governance and cybersecurity.

Cybersecurity experts will be of particular relevance as they are able to undertake offensive security checks to identify, validate and assess the risk of any data security vulnerability that may exist within your organisation.

Offensive is the key word here: with the Act now in operation, organisations must take a proactive approach to their data security to ensure their compliance. It is imperative for organisations to undertake data privacy and cybersecurity assessments, as well as training for all their employees.

In addition, depending on the size and complexity of your organisation it may be necessary to now employ a data protection officer or external data privacy consultant to audit, develop, implement and maintain your organisation’s data privacy posture.

It may also be necessary under the Act for your organisation to undertake a data protection impact assessment (DPIA), particularly in instances where the processing of personal data is risky and highly likely to result in breach. A DPIA is to the data world what an environmental protection impact assessment is to the construction industry.

The key takeaway is that whether you are a small sole proprietor, a small and medium enterprise (SME) or a large multinational company, your cybersecurity and data privacy posture should now be a key tenet of your organisation’s business functions.

With the uptake and integration of technology in all aspects of our working and social lives, preparedness in these areas is no longer an afterthought — it should be a key strategic pillar of your organisation’s day to day operations.

Embracing this early and taking the requisite steps proactively, as one does with financial fraud or the physical security of your building, may save your organisation a lot of financial, legal and reputational damage down the line.

Kijirah is a data protection and privacy consultant.