In today’s digital age, where information flows at an unprecedented pace and is a major driving force behind economies and societies, data breaches have become a common concern for individuals and organisations alike. Cybersecurity threats and data breaches have surged globally, and Kenya is no exception to this rapidly increasing concern.
According to the 2023 IBM Cost of a Data Breach Report, the global average cost of a data breach reached USD 4.45 million, a 15% increase from 2020, prompting 51% of businesses to increase their cybersecurity investments. Locally, Kenya saw a significant surge in cyberattacks, with 860 million incidents reported in the past year. According to the Communications Authority of Kenya (CAK), cybercriminals often carried out these attacks by exploiting weaknesses in the targeted organisations’ internal controls, system protocols and information systems, leading to unauthorised access. The CAK also observed that various sectors, including financial services, healthcare, education, energy and utilities, and government agencies, are vulnerable to cyberattacks. One notable incident was the cyberattack on the eCitizen platform in July 2023, which disrupted access to over 5,000 government services provided by ministries, county governments and agencies.
This issue is now a serious agenda item in the boardroom. Chief Executive Officers, Boards of Directors and General Counsel are spending much time grappling with this risk, which can not only lead to loss of revenue and data but also seriously damage a brand and market reputation that has been built over a long period. Indeed, the nature of a data breach and the rules around reporting it make it difficult to keep confidential, hence the reputational risk.
In this article, we explore the intricacies of personal data breaches in Kenya as enumerated in the Data Protection Act of 2019 (DPA). We have drawn on our experience in assisting our clients to navigate such incidents and comply with the applicable legal requirements in Kenya.
Meaning of a personal data breach
The DPA defines a personal data breach as a security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A data breach therefore need not be unlawful or unauthorised, as where a hacker causes it; it can also arise from an accidental release of data to the public by an employee.
Thresholds for a notifiable data breach
The first step when analysing a suspected incident is undertaking a review to determine whether the incident would be classified as a data breach under the law. The DPA provides two key requirements for determining whether there has been a data breach: firstly, personal data must have been accessed by an unauthorised person and, secondly, such access must result in a real risk of harm to the data subject whose personal data has been subjected to unauthorised access.
The Data Protection (General) Regulations 2021 provide that a data breach may result in a risk of harm if it relates to, among others, the data subject’s full name or identification number, details of the data subject’s income such as wages, bonuses or income from the sale of goods or property, credit card or debit card details, financial details such as bank account numbers, and health-related data.
The exception to this category is information that is already publicly available or that is disclosed in accordance with the law, provided that the information did not become publicly available as a result of a data breach.
Fulfilling Notification and Communication Requirements in the Aftermath of a Data Breach
After determining that a breach has happened, the second step is to determine whether the breach is notifiable to the regulator, in this case the Office of the Data Protection Commissioner (ODPC), and to the affected data subjects. In the aftermath of a data breach, data controllers and data processors are required to comply with certain notification conditions under the DPA. Whether a notification is required needs to be considered fairly quickly because of the strict timelines set in the law for notification. We discuss the notification conditions further below.
Notifications between Data Processor and Data Controller
A data processor, defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller, must notify the data controller of the occurrence of a data breach. A data controller is defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data. In some instances, the data processor and data controller are distinct or related entities within a group of companies, and this may present complications.
If a data processor becomes aware of a data breach, they are required to notify the data controller within forty-eight hours of becoming aware of such breach.
Notification to the Office of the Data Protection Commissioner
The DPA further requires a data controller to notify the Data Commissioner within seventy-two hours of becoming aware of such a breach. This notification period is understandably very tight, especially if a breach has occurred across a vast network of branches of the affected company or, for a multinational, in several countries. In addition, sifting through the data and the internal reporting lines between the various teams in the company may lead to delays. This is therefore a contentious issue in instances where a data controller requires more time to investigate whether the breach is indeed notifiable before informing the ODPC, since the ODPC tends to insist on strict compliance with this notification timeline. One practical approach that the regulator has proposed is to send a brief update email to the regulator as a preliminary breach notification, stating that there is a suspected breach that may or may not be notifiable, that investigations are ongoing, and that a detailed notification will follow should the breach be found to be notifiable.
The DPA does not prescribe a specific format for notifying a data breach. However, section 43(4) to (5) of the DPA outlines the considerations and the information required to be set out in a breach notification. This information includes the facts about the breach, its effects and the remedial action taken. Such information can be provided in a single notification or in phases, depending on the information about the data breach that is available to the data controller when making the notification.
If the notification of the data breach to the ODPC is made after the seventy-two-hour period, the data controller is required to accompany the late notification with the reasons for the delay. In our experience, the ODPC in most instances requests additional information after the initial notification, which itself should be made within the seventy-two-hour period, has been submitted. It is therefore imperative that the initial or follow-up notification, as the case may be, submitted to the ODPC be as comprehensive as possible.
Notification to the Data Subject
The DPA requires data subjects to be notified of a personal data breach in writing where they are identifiable. The timeline for this notification is not strictly defined, but it should be done within a reasonably practicable period. If a data controller decides not to notify data subjects, it must provide the reasons for this decision in its notification to the Data Commissioner.
Since the DPA does not prescribe the format of the notification to the data subjects, the notification could take various forms depending on the appropriate and convenient mode. This could range from an e-mail to the respective individuals (preferably where the number of data subjects is definite and ascertainable), publishing a notice on the data controller’s website, or publishing a public notice in a newspaper with wide circulation.
How to Navigate a Data Breach
Based on our experience, the key takeaways for any data controller who suffers a data breach include:
- Upon learning that its systems are compromised, a data processor should notify the data controller within 48 hours.
- Data controllers should submit a preliminary breach notification to the ODPC within 72 hours of becoming aware of a potential data breach under investigation, followed by a more formal notification once further details confirm that the breach is notifiable, and, if possible, notify the affected data subject(s) within a reasonable timeframe.
- The data controller should consider involving a competent cybersecurity firm to examine the extent of the data breach and the categories of data accessed.
- If the data was not encrypted and the data breach affected classes specified under the second schedule to the General Regulations, the data controller should seek legal assistance in determining whether the data breach is notifiable.
Conclusion
Navigating data breaches requires a proactive approach and compliance with notification requirements to the ODPC and data subjects. Therefore, the response to data breaches should be coordinated to protect both data subjects and controllers.
In conclusion, data breaches are a pressing concern in the digital age, and Kenya has taken steps to address this issue through robust legislation. Understanding the intricacies of notifiable data breaches and the significance of timely notification to the regulator is pivotal for organisations. Navigating these incidents effectively requires a proactive approach, legal compliance, and collaboration with cybersecurity and legal experts. By doing so, organisations can protect their data, maintain customer trust, and thrive in an increasingly data-driven world.
--
Read the original publication at Bowmans