Reporting data breaches under POPIA has its challenges

Russell Opland, global privacy business expert.

The common maxim when it comes to data breaches is that it's not a matter of 'if' but 'when'.

Moreover, many organisations have suffered a security incident but are unaware of it. Last year, the Ponemon Institute found that the average time to identify a breach was approximately 191 days, with another 66 days on average needed to contain it.

The fact is, businesses of every type need to have an incident response plan in place. In the context of data privacy, an incident is an event in which personal information is accessed by an unauthorised individual or individuals.

Reporting data breaches becomes compulsory

This is where the Protection of Personal Information Act (POPIA) comes in. First and foremost, POPIA introduces, for the first time, a compulsory reporting requirement for data breaches, says Russell Opland, global privacy business expert, who will be speaking about 'Incident response in the context of POPIA' at the ITWeb Security Summit, to be held from 21 to 25 May at Vodacom World in Midrand.

ITWeb Security Summit 2018

Registration is open for the ITWeb Security Summit 2018 in Johannesburg and Cape Town. Our must-hear keynote speaker Mikko Hypponen has been instrumental in uncovering and bringing down several infamous threats, and has assisted law enforcement agencies across the globe. Many other local and international experts will be sharing their knowledge, including Russell Opland. Get involved in #SS18HACK and choose from two half-day workshops or a full-day bootcamp, plus five training courses, and much more.

Before the advent of POPIA, companies were not required to report such breaches, outside of certain narrow financial services regulations, he says.

"As we've seen overseas, with Uber and Yahoo examples, failure to report breaches in a timely fashion leads to a PR and regulatory disaster."

According to Opland, the first challenge with incident reporting under POPIA is determining whether or not to report, as the current POPIA criteria are very vague. During his presentation, international criteria will be discussed to shed light on how our Information Regulator might proceed.

Secondly, he says, if reporting is required it is a non-trivial exercise, both in terms of timeframes and in establishing that the response was effective and to the Regulator's satisfaction.

He will also present a real-world example of effective incident response that resulted in the Regulator closing the matter without further action.
