The Role of Digital Forensic & Incident Response (DFIR) in adhering to POPIA – By Professor Danny Myburgh, Managing Director at Cyanre, The Digital Forensic Lab

The Protection Of Personal Information Act (POPIA) has been fully in effect for the past 12 months. Most South African businesses have taken steps to comply with POPIA, specifically around the following areas to ensure they are on the right side of the law:

  • Reviewing and updating all customer, supplier and third-party agreements
  • Implementing technical and organisational measures to protect personal information and prevent it from being accessed or obtained without authorisation
  • Preparing consent documentation and privacy notices
  • Implementing measures to control the identified flows of personal information across organisational boundaries
  • Developing a culture of privacy by training staff, updating and implementing policies and procedures, and implementing awareness campaigns
  • Implementing a data breach and incident response plan and policy
  • Implementing a data access management system for data subjects in accordance with POPIA and the Promotion of Access to Information Act (PAIA).

These are all important tick boxes in terms of compliance, but what happens if a data breach actually occurs? The aforementioned data breach and incident response plan and policy is critical, because it ensures that all necessary steps are taken to meet the obligations that arise after a breach: specifically, that a full digital forensic audit can take place immediately so that all evidence of the breach is collected, that any vulnerabilities are identified and fixed, and that a Notification of Data Breach can be issued.

The role of digital forensics experts

Cybercriminals and the malware they use to infiltrate systems have become increasingly sophisticated. They are also always changing, which means as one vulnerability is discovered and patched, another is already being exposed and exploited. In our experience, malicious players can spend months looking for weaknesses in a system, often relying on phishing attacks to test which employees are not fully adhering to cyber security best practice. It only takes one employee clicking on a suspicious link or attachment to open the door, and then hackers can spend months slowly gaining access to other systems and cracking passwords.

By the time the real attack comes, thousands – and in a recent South African case, millions – of personal details can be exposed.

Digital forensic experts inspect, identify, analyse and preserve the digital evidence of these attacks. This not only lets them determine how the attack took place, what the damages were, and what information was compromised, but also if the hackers have left a back door open for themselves and even, in some cases, who the perpetrators are.

All of this is critical information for four reasons:

  1. If there is legal action, this evidence will be critical.
  2. Insurance companies are increasingly asking for evidence that any vulnerabilities have been closed before paying out and, in some cases, that all reasonable measures were taken to prevent the breach in the first place. Without digital forensics, this is impossible to prove.
  3. Under POPIA, data subjects (any person about whom a company holds personal information) have the right to make a Data Subject Access Request. Under this request, a business must be able to show any data that is held and, in the case of a breach, whether the data subject’s data was accessed.
  4. The Regulator will need to be informed of the breach, and it will be important to prove that all reasonable measures were taken to protect the personal information of data subjects.

Can a business that violates the POPI Act get into trouble?

The short answer is yes. POPIA has strict regulations that every company must comply with and, depending on the nature of the offense, businesses as well as individuals can be punished. Offenders can be fined up to R10 million and can even be jailed.

The longer answer is that POPIA does understand that there is a cyber war and that hackers will stop at nothing to gain access to personal information. How the attack occurred is therefore important and could absolve a business – or lead to financial implications and reputational damage.

There are a number of key consequences to not paying attention to digital forensics:

Continued access and damage

Organisations that don’t use digital forensics run the risk of attackers remaining in their systems or retaining access to their data. The consequences of this can be dire, both from a business perspective and legally. Access to a customer’s personal information, from credit card numbers to ID numbers, names and phone numbers, allows attackers to steal identities and defraud individuals – something you do not want your business to be the cause of. Making sure attackers are locked out and cannot access your systems again is critical.

Loss of competitive advantage and legal consequences

Losing business information to cybercriminals or hackers can result in a loss of competitive advantage, being locked out of key business systems and even paying millions in ransoms. Beyond that, POPIA makes clear that if your organisation collects and stores personal customer information, you have an ethical and legal duty to protect it and, as we’ve mentioned, you are obligated to report any compromise of that data.

Protect your business

Our main advice to clients is to base their Cyber Security Strategy on the concept of “not if it happens, but WHEN it happens – will you be ready?”

Our MSS, while tailored for small and medium-sized organisations, are scalable to large corporates. They initially focus on defining a client’s current security posture and business needs against the most prevalent security failures, in order to simplify cyber security and cyber security risk management. Through our continuous security programme, we build up and improve a client’s security, while benefiting from our ongoing exposure to real-life security breaches across all industries.

Our holistic service offering ensures that clients can prevent, detect and respond to any security incident. We have extensive experience in this sector and draw considerable input from our Research, Threat Intelligence and Service Advisory partners, ensuring a comprehensive service offering.

We are looking forward to sharing more information with you. Please contact us here.