The need for a comprehensive breach plan - Ahmore Burger-Smidt
The Protection of Personal Information Act - The need for a comprehensive breach plan


Published in Law, Technology


  • 1. GUN SHOTS – the need for a comprehensive breach plan. Ahmore Burger-Smidt
  • 2. A LEGAL OBLIGATION
      > The Regulator (who has not yet been established) must be informed of the breach
      > The data subject must be informed of the breach
      > The notification must be in writing (plain English) and can be transmitted to the data subject by way of post (to the last known postal or physical address), email, placed on the responsible party's website, published in the news media or as may be directed by the Regulator
      > The notification must provide a description of the possible consequences of the breach; the measures taken or to be taken by the company to address the breach; advice on what the data subject could do to limit or mitigate the possible adverse effects of the security compromise; and the identity of the person responsible for the breach, if known to the company
      > The Regulator may direct the company to publicise details about the data security compromise if it will protect a data subject who may be affected by the compromise.
  • 3. LEARN FROM HISTORY
      • Zurich UK outsourced the processing of its data to Zurich South Africa
      • In 2008, a tape containing customer data was lost while being transported from the data storage facility by a third party
      • Zurich UK did not know that the data had been lost until the loss was recorded in the Zurich Group's annual data privacy report a year later
      • The Regulator found that Zurich's management and reporting lines were unclear and that the Group's policies for security incidents were not always consistent
  • 4. WHERE MIGHT IT BE COMING FROM
      Chart values: 37%, 35%, 29%. Legend: malicious or criminal attack; system glitch; human factor.
      Source: 2013 Cost of Data Breach Study: Global Analysis
  • 5. DETERMINE THE RISK. NO ONE SIZE FITS ALL!
      > Threat modelling:
          > Asset-focused approach: In an asset-focused approach, an organisation focuses on its information assets and how they might be vulnerable to information security threats. This approach asks: "How do we protect this resource?"
          > Attacker-focused approach: In an attacker-focused approach, an organisation focuses on how attackers might try to access an organisation's information technology ("IT") systems and resources. This approach asks: "How will an attacker try and harm this resource?"
          > Design-focused approach: In a design-focused approach, an organisation focuses on the design of an organisation's IT systems and resources. This approach asks: "How can the system be designed to resist attacks?"
  • 6. PLANNING!
      > Look at the risk of disasters and the business impacts of each
      > Design preventative and reactive controls
      > When disasters strike, confidential, secret, personally identifiable, or sensitive data may be exposed, and business continuity plans must take into account how to protect
          > Information
          > Reputation
          > Assets
  • 7. IT IS IMPORTANT TO UNDERSTAND
      Diagram labels: Time; Goal; Actions driven by strategy; Where are we now?
      > Mission: how do we mitigate exposure?
      > Values: What are our enduring principles and beliefs?
      > Vision: Where do we want to be?
      > Strategy: How do we get there?
  • 8. BREACH REPORTING
      There are three main approaches to breach reporting, each requiring a different protocol:
      > Breaks from policy or established routine
          > Such events are the lowest form of breach and may or may not present a security risk. Leaders should note them and take appropriate action – empower and report
      > Detected breaches
          > Any incident involving unauthorised access to information systems containing sensitive data, or any other breach of security protocols, must be reported and action taken depending on circumstances – have breach notification obligations been triggered?
      > Potential vulnerabilities or undetected breaches of system security
          > An undetectable breach is one that, if it had occurred in the past, would not have been detected. So-called zero-day vulnerabilities are typical in that while the vulnerability has existed for some time, it has only recently become known to the organisation
          > All such vulnerabilities require immediate investigation regardless of whether any actual breach has been detected.
  • 9. BREACH PLAN
      Several key activities must be incorporated into the breach plan:
      > Procedures for declaration of an emergency
      > Predefined roles and responsibilities
      > Call lists and escalation criteria
      > Communications plan, including with external emergency personnel
      > Scenario creation for the impact of each type of failure and disaster
      > Priority order for recovering each information resource based on scenarios
      > Design, implementation, and testing of failover and redundancy in hardware, software and networking capabilities
      > Training of all involved parties
      > Reassessing on a regular basis to analyse new risk
  • 10. THE WAY FORWARD
      > When a breach has occurred, the company should –
          > openly and timeously communicate with the customers
          > stating the nature of the breach
          > what information has been stolen and what the customer can do to ensure that they are not victims of identity theft, e.g. the 1 free annual credit check that all customers are entitled to in terms of the National Credit Act
      > Tell the story: what the company is doing to prevent future data breaches, e.g. improving physical security if computers have been stolen or improving the quality of security software
      > Establish a comprehensive breach plan and ensure that all employees know what to do in the event of a breach!
      > Security breaches must be planned for
  • 11. THANK YOU Legal notice: Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses. © 2014 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.