Over the Youth Day weekend, Liberty informed its customers, and later everyone else, that it had been the subject of a successful security intrusion. In a media statement, it claimed that an email repository had been compromised, and that an as yet undisclosed number of emails had been accessed, possibly together with their attachments. This is not the first – merely the latest – in a series of information security failures affecting the personal data of South Africans. It is probably not even the worst incident thus far, in terms of volume or nature of information compromised.
It is, however, a South African company’s first publicly-admitted violation of GDPR (the European Union’s General Data Protection Regulation), upon which our own Protection of Personal Information (PoPI) Act was based.
Why is GDPR relevant to a South African company?
Because it affects the management of the personal data of any EU citizen, regardless of where in the world that data is held. Since Liberty has clients that are citizens of EU countries, it is required to comply with the provisions of GDPR.
There are, in fact, a great many South African companies that are required to comply with GDPR. The Liberty breach should serve as a wake-up call to these organisations, making them aware that GDPR compliance is a complex, far-reaching, and non-trivial exercise because it applies to an extensive set of personal data elements that may be housed in a number of different systems. How many multi-national organisations do you know of that have all their customer, supplier or employee data in a single system?
A number of questions have been levelled at Liberty since the breach became public knowledge.
Why wasn’t the data encrypted? Was it properly secured? Why did their internal controls not pick up the intrusion until the intruders alerted them to it? Is our information safe with Liberty?
While these questions all deserve considered and complete answers, there are other questions that, perhaps, require equal attention.
Do we even know how many of our systems hold personal data?
What is the data used for and who should have access to it?
Are our controls sufficiently deep and robust to detect an intrusion?
How do we guard against attacks from within?
How would we handle a multi-system breach?
Who is responsible for dealing with this?
What is the process for dealing with a breach?
What are the legal implications – both in South Africa and in other jurisdictions where we may be exposed?
How much would a breach like this cost us?
Sound data governance is key
GDPR, and by extension PoPI, require sound data governance to ensure that the impact of any potential breach can be quickly understood, and that the relevant data subjects and the regulators can be informed.
Data governance ensures that the right experts are presented with the right knowledge, at the right time, to deal with a crisis of this nature in an informed way, and in compliance with the regulations.
It is true that there is a cost to complying with privacy legislation. But perhaps the cost of not complying is even higher when one considers a company’s reputation. Furthermore, there is a cost to alerting customers.
There is also a cost in terms of the time taken by several teams, from IT personnel to Marketing and Corporate Communications, to develop a considered and co-ordinated response. There is a cost to the CEO himself spending an hour at a media briefing, along with whatever time he had to focus on this event in order to be prepared. There is the opportunity cost of whatever had to be dropped to deal with this crisis, not to mention the cost in terms of share price (Liberty’s shares dropped 5% after the announcement), customer insecurity, lost business and brand damage.
In Liberty’s case, only a single system is believed to have been compromised. In many breach cases, multiple systems may have been compromised.
By Gary Allemann, MD at Master Data Management