A few years ago, many corporations used to think data protection meant security of systems. And this was because they thought the word protect meant security in the context of cyber security.
While security of data is a way of implementing privacy and data protection, information security does not guarantee privacy compliance, as privacy is much broader. The General Data Protection Regulations (GDPR) has the security principle, that states that personal data shall be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’ Interestingly, the Kenya Data Protection Act, 2019 which is modelled after the GDPR has no explicit security principle.
However, that does not mean that the Act does not have any security provisions. In fact, the Act requires a data controller or processor to inform an individual of a description of the technical and organizational security measures taken to ensure the integrity and confidentiality of the personal data before collecting it.
The Act also states that a data protection impact assessment shall include the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act. The data protection by design or by default provisions also require data controllers or processors to implement appropriate technical and organisational measures which are designed to implement the data protection principles in an effective manner and to integrate necessary security safeguards for that purpose into the processing.
Not every cyber security incident is a breach, but all breaches are incidents. The threshold for what constitutes a breach is set in local privacy laws. Where there is a security incident that amounts to a privacy breach, the Act requires notification to be made to the Data Commissioner and in some instances affected data subjects.
The Act requires a data controller to notify the Data Commissioner without delay, within 72 hours of becoming aware of such breach and to communicate to the data subject in writing within a reasonably practical period. The notification and communication should provide sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach. The Act also states that a data controller may delay or restrict communication to a data subject if it is necessary and proportionate for prevention, detection or investigation of the breach.
In the unfortunate situation where a data processor becomes aware of an incident that amounts to a privacy breach, the data processor is expected to notify the data controller without delay within 48hours of becoming aware of such breach.
In the UK, before the GDPR came into force( and before Brexit), breach disclosure requirements existed mainly in the regulatory policies of the Information Commissioner, the policies of government for the public sector and the ePrivacy rules for communications companies, and the reporting of incidents led directly to enforcement actions against the reporting entities in hundreds of cases. In many cases, however, a breach was investigated, the reporting entity was found to have engaged in appropriate security measures, and no further action was taken.
In Kenya, the Act is not clear on what the Office of the Data Protection Commissioner (ODPC) will do. Just like the WP29 guidance notes, the ODPC will have to publish guidance notes on how it will handle data breach notifications.
The Computer Misuses and Cybercrimes Act contains no provision on reporting but it contains provisions on how cybercrime such as data breaches can be investigated. This means that an entity that has suffered data breach should not only report to the ODPC but also to the Directorate of Criminal Investigations and the Kenya Cyber Incident Response Team (Ke-CIRT).
For structured detection, classification of a data breach before the ultimate notification, the controller needs to put in place an incident response strategy. Examples of an incident response strategy include an incident response plan, incident response playbook, creation of an incident response team and an operational incident detection team, such as an Security Operations Center (SOC).
To prevent breaches caused by internal staff, the controller also needs appropriate organisational measures which will require a programme to embed and enforce the right cultural profile and behaviours in the workforce. Central to the achievement of the right culture is the selection of competent, trustworthy and reliable workers.
One of the great problems with cybersecurity is that criminals and hackers are both patient and good at hiding their tracks. It is very common for cyberattacks to lie unnoticed on a network, even for many years. Therefore, penetration testing needs to be performed using advanced forensics techniques.
Even good programmes with good controls get hacked. There is no need for panic should an intrusion be detected. It’s better to know, analyse and respond than to be in the dark. Knowledge enables remediation.