Very shortly, the CEO of a big South African corporation will call a press conference to apologise to the organisation's customers for leaking their personal information during a hack on its IT systems.
The CEO will reassure the corporation's clients, as well as its shareholders and suppliers, that the data security breach has been identified and fixed. Media representatives at the conference will be told that a full investigation is underway to determine how the security lapse occurred, how long it went undetected, and what data was accessed by the cyber hackers.
They are likely to respond by quizzing the CEO about the identity of the hackers, the motive for the attack and the extent of the damage caused by the incursion. They will probably be told that it's too early to answer such questions, but assured that the corporation is doing all in its power to safeguard the interests of its clients.
Behind the scenes, the organisation's hastily-convened task force will be frantically trying to contain the crisis. Senior executives will be meeting prominent shareholders, investors, partners and clients, as well as industry representatives, to inform them of the extent of the security breach. The corporation's technical team will be isolating the servers that have been compromised, securing electronic records for evidence and implementing backup procedures. If it's smart, it will have commissioned external data security specialists to conduct extensive penetration testing of its IT systems to make sure the leak has been fixed and to check for other potential flaws.
Big legal costs
The corporation's communications staff will be contacting customers to tell them the situation is under control. They will probably advise clients to change the passwords they use for online services and urge them to look out for suspicious transactions on their banking accounts. Key spokespeople will be identified to handle media relations and an extensive public relations campaign, probably backed with prominent advertising, put in place to counter the effects of the escalating negative publicity. The organisation's lawyers will be meeting with legal counsel to determine the company's likely liability as a result of the cyber hack and limit further exposure to litigation.
The effect of the revelation is likely to be extensive and far-reaching. As the first local corporation to publically admit that it is the victim of a major cyber hack, it will have to withstand barrages of adverse publicity, substantial damage to its reputation and considerable loss of confidence among investors and customers. It will also have to bear the brunt of big legal costs.
"There is a tsunami waiting to happen. And it's going to be a big one. There's no doubt about it," says Guy Golan, CEO at security and risk management firm Performanta.
"South African organisations are under cyber-attack every day, but no one is disclosing it. They're not prepared to go public. However, these events can't be hidden forever," he adds.
The POPI legislation is like the anti-smoking laws. It's going to be enforced by the public.
David Taylor, Legal Edge Consulting
Golan expects a major security breach to be exposed in South Africa very soon. "It will happen because a company's security breach is revealed by a whistle-blower, or because senior management is brave enough to admit in public that they've suffered a hack, or because new legislation such as the POPI (Protection of Personal Information) Act will force a firm to disclose it has lost personal data through a cyber-attack," says Golan. "Exposure by a whistle-blower seems the most likely," he adds.
The unexpected disclosure of a cyber-attack is likely to add to the victim's woes. Damage to the corporation's reputation and loss of customer and investor confidence would be far greater if the organisation had to react to reports of a security breach rather than taking the initiative and disclosing the event, argues Golan.
He dismisses suggestions that he is crying wolf to drum up business. "In the US and Europe, where there's greater awareness of the importance of cyber security, there is far more disclosure of data hacks. "Visibility is the first step in combating the threat of cyber-attacks. It encourages organisations to work together and share information to protect themselves and their customers," he says.
During the past year, prominent US organisations such as retailers Home Depot, Neiman Marcus and Michaels Stores as well as JP Morgan Chase bank and the Internal Revenue Service have revealed that their IT systems have been breached and substantial client data lost.
Simeon Tassev, MD at Galix Networking, says the first local organisations that publically acknowledge they've suffered a cyber-attack will have to endure considerable media attention and consumer anxiety.
"It's important that these organisations show what they're doing to make sure a breach doesn't happen again. If they can't do that, they risk being seen as negligent," he says. Galix is an IT network and security solutions provider that specialises in helping clients comply with Payment Card Industry (PCI) data security standards.
Tassev confirms that South Africans are already under attack from cyber hackers. "Local firms are being attacked. The nature of these attacks varies. Some are cyber-crimes for gain, but others don't have a clear motive. They could just be malicious," he says.
Greater disclosure of cyber hacks, says Tassev, is likely to encourage local organisations to be more thorough in addressing IT security. "It's not enough for companies to just buy technology. They need proper policies and procedures. It's important to adhere to international security standards such as the PCI specifi cations," argues Tassev.
David Taylor, IT law specialist at Legal Edge Consulting, believes the forthcoming POPI Act will accelerate the disclosure of local organisations that experience security breaches. The new Act, which is expected to be implemented soon, gives organisations operating in South Africa one year to comply with regulations about how personal information is collected, stored and shared. If an organisation loses such information because of a security breach, it's required by the Act to notify everyone who has been affected. The legislation could also result in the organisation being fined, if found to have been negligent, up to R10 million and its senior executives jailed.
"The POPI legislation is like the antismoking laws. It's going to be enforced by the public. Ordinary citizens will alert the regulator when the law has been broken," says Taylor.
War-chests
A former professor of IT law at UNISA, Taylor says the POPI legislation is similar to well-established data protection laws in Europe. "Some South African organisations, particularly multinationals, have put good data security provisions in place. Those that haven't will need to get compliant with the POPI Act quickly," he says.
It's important to adhere to international security standards such as the PCI specifi cations.
Simeon Tassev, Galix Networking
Taylor expects a regulator to oversee the application of the POPI legislation to be appointed later this year. "The Act allows for those affected by data security breaches to institute class action and sue for damages. Several law fi rms are building up war-chests to be ready to institute such claims," says Taylor.
Many South African organisations are already under attack from cyber hackers. If they don't get their IT security up to scratch, they may also have to fend off legions of hungry lawyers and angry customers.
This article was first published in Brainstorm magazine. Click here to read the complete article at the Brainstorm website.
Share