GUN SHOTS – the need for a comprehensive breach plan. Ahmore Burger-Smidt

The need for a comprehensive breach plan - Ahmore Burger-Smidt

Nov 02, 2014


The Protection of Personal Information Act - The need for a comprehensive breach plan
Transcript
Page 1: The need for a comprehensive breach plan - Ahmore Burger-Smidt

GUN SHOTS –

the need for a comprehensive breach plan.

Ahmore Burger-Smidt

Page 2

A LEGAL OBLIGATION

> The Regulator (who has not yet been established) must be informed of the breach

> The data subject must be informed of the breach

> The notification must be in writing (plain English) and can be transmitted to the data subject by way of post (to the last known postal or physical address), email, placed on the responsible party's website, published in the news media or as may be directed by the Regulator

> The notification must provide a description of the possible consequences of the breach; the measures taken or to be taken by the company to address the breach; advice on what the data subject could do to limit or mitigate the possible adverse effects of the security compromise; and the identity of the person responsible for the breach, if known to the company

> The Regulator may direct the company to publicise details about the data security compromise if doing so will protect a data subject who may be affected by the compromise.

Page 3

LEARN FROM HISTORY

• Zurich UK, outsourced the processing of its data to Zurich South Africa

• In 2008, a tape containing customer data was lost while being transported from the data storage facility by a third party

• Zurich UK did not know that the data had been lost until the loss was recorded in the Zurich Group's annual data privacy report a year later

• The Regulator found that Zurich's management and reporting lines were unclear and that the Group's policies for security incidents were not always consistent

Page 4

WHERE MIGHT IT BE COMING FROM

[Chart: share of data breaches by root cause, with categories "Malicious or criminal attack", "System glitch" and "Human factor" and values shown of 37%, 35% and 29%]

Source: 2013 Cost of Data Breach Study: Global Analysis

Page 5

DETERMINE THE RISK: NO ONE SIZE FITS ALL!

> Threat modelling -

> Asset-focused approach: In an asset-focused approach, an organisation focuses on its information assets and how they might be vulnerable to information security threats. This approach asks: "How do we protect this resource?"

> Attacker-focused approach: In an attacker-focused approach, an organisation focuses on how attackers might try to access an organisation's information technology ("IT") systems and resources. This approach asks: "How will an attacker try and harm this resource?"

> Design-focused approach: In a design-focused approach, an organisation focuses on the design of an organisation's IT systems and resources. This approach asks: "How can the system be designed to resist attacks?"

Page 6

PLANNING!

> Look at the risk of disasters and the business impacts of each

> Design preventative and reactive controls

> When disasters strike, confidential, secret, personally identifiable, or sensitive data may be exposed, and business continuity plans must take into account how to protect

> Information

> Reputation

> Assets

Page 7

IT IS IMPORTANT TO UNDERSTAND

[Diagram: a strategy timeline running from "Where are we now?" towards the Goal, with Actions driven by strategy plotted against Time]

Mission: How do we mitigate exposure?

Values: What are our enduring principles and beliefs?

Vision: Where do we want to be?

Strategy: How do we get there?

Page 8

BREACH REPORTING

There are three main approaches to breach reporting, each requiring a different protocol:

> Breaks from policy or established routine

> Such events are the lowest form of breach and may or may not present a security risk. Leaders should note them and take appropriate action – empower and report

> Detected breaches

> Any incident involving unauthorised access to information systems containing sensitive data, or any other breach of security protocols, must be reported and action taken depending on the circumstances (have breach notification obligations been triggered?)

> Potential vulnerabilities or undetected breaches of system security

> An undetectable breach is one that, if it had occurred in the past, would not have been detected. So-called zero-day vulnerabilities are typical: while the vulnerability has existed for some time, it has only recently become known to the organisation

> All such vulnerabilities require immediate investigation regardless of whether any actual breach has been detected.

Page 9

BREACH PLAN

Several key activities must be incorporated into the breach plan:

> Procedures for declaration of an emergency

> Predefined roles and responsibilities

> Call lists and escalation criteria

> Communications plan, including with external emergency personnel

> Scenario creation for the impact of each type of failure and disaster

> Priority order for recovering each information resource based on scenarios

> Design, implementation, and testing of failover and redundancy in hardware, software and networking capabilities

> Training of all involved parties

> Reassessing on a regular basis to analyse new risk

Page 10

THE WAY FORWARD

> When a breach has occurred, the company should –

> openly and timeously communicate with the customers

> stating the nature of the breach

> what information has been stolen and what the customer can do to ensure that they are not victims of identity theft e.g. the 1 free annual credit check that all customers are entitled to in terms of the National Credit Act

> Tell the story - what the company is doing to prevent future data breaches e.g. improving physical security if computers have been stolen or improving the quality of security software

> Establish a comprehensive breach plan and ensure that all employees know what to do in the event of a breach!

> Security breaches must be planned for

Page 11

THANK YOU

Legal notice: Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses.

© 2014 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.