popi… who gives a damn! -...
Introduction
• Is POPI the Holy Grail?
• Do you think the POPI Act will reduce the risk of data breaches?
• Do you think the implementation of the POPI Act will increase customer confidence in your organisation?
• Do you know where the greatest risk to your business is in relation to POPI?
Current State of POPI
• The Act is still not effective
• A regulator has not been established
• The Deputy Minister of Justice announced last week that the remuneration range for the regulator has been determined.
What will the regulator look like?
Regulator
  • Chairperson
  • Members (Member, Member, Member)
Administration
  • CEO
  • Other operational staff
Committees
  • Chairperson
  • Other Members
Enforcement Committee
  • Chairperson
  • Other Members
What is the cost of not complying?
• The maximum financial penalty that may be imposed for a breach under POPI is limited to R 10m
• Civil liability claims
• Criminal liability
• Financial and reputational loss
• Loss of consumer confidence and trust
• 2/3 of customers would leave you if you mistreated their data
• 76% of companies said a data breach caused moderate to severe impact on the business
• $3.5M average cost of a data breach
"Investors see data breaches as a threat to a company's material value and feel discouraged in investing in a business that has had its sensitive information compromised"
- Malcolm Marshall, global leader of KPMG's cyber security practice
Does compliance drive change?
• The inability of the UK's ICO to impose financial penalties resulted in it being labelled a “toothless tiger”; however, since 2010, when financial penalties were allowed, that perception has improved
• Two years after financial penalties were introduced, information breach figures indicated that “Data Breaches are 10 times worse”, with 821 instances in 2011-12 vs. 29 in 2007-08 (BBC, 2012)
• Even back in 2012 a number of new proposals aimed at overhauling data protection legislation, including penalties of up to 2% of annual turnover depending on the magnitude of the breach
• There is also a view that the drivers for compliance are anything but financial, which is also visible from recent surveys conducted across organisations required to comply with the PCI-DSS standard: the vast majority indicated that “protecting the brand” was more of a driver for compliance than the fear of penalties for non-compliance with the standard (Gensen, 2011)
Data Breach trends from the UK's ICO
UK Stats – Top Five Breach Sectors (share of reported breaches):
• Health: 59%
• Local Gov: 16%
• Education: 11%
• Charities: 8%
• Solicitors: 6%
3rd Party – the greatest risk?
• 3rd Party POPI remediation is the most challenging and the most difficult
• No right-to-audit clauses with 3rd parties
• It has the greatest impact on an organisation
• We treat their compliance as a point-in-time exercise
POPI Compliance Challenges
• Understanding Legislative and Regulatory Requirements: Do we know the legislative and regulatory requirements for our business in respect of information?
• Understanding Information: Do we know what information we process, why we process such information, where information is stored and who can access it? Do we understand unstructured information?
• Understanding Business Process: Do we know how information is processed within the organisation (i.e. do we know where information goes)?
• Understanding Information Security Risks: Do we know where our risks are and have we implemented controls to mitigate these risks?
• Understanding Organisational Culture: Do we have an organisational culture that promotes the security and privacy of information?
• Knowing all Third Parties: Do we know who our third parties are, what information we share with them and how they process it?
Past, Present and the Future – a tense moment
Yesterday…
• Bad “actors”: isolated criminals; “script kiddies”
• Targets: identity theft; self-promotion opportunities; theft of services
• “Target of opportunity”
Today…
• Bad “actors”: organized criminals; nation states; hacktivists; insiders
• Targets: intellectual property; financial information; strategic access
• “Target of choice”
Has POPI made life better?
Average Joe/June
• Without even knowing, his/her personal information is more secure
• Organisations are acting more responsibly
• We are worrying about what 3rd parties are doing with our information
• We as consumers understand the importance of personal information and the risk associated with it
The way forward
• 100 percent security/compliance is neither feasible nor the appropriate goal
• Effective security is less dependent on technology than you think
• The ability to learn is just as important as the ability to monitor
• Compliance is not a department, but an attitude
• Focus on your core ability
Jason Gottschalk, Associate Director, Cyber Security
1 Mediterranean Street, Foreshore, Cape Town
Mobile: +27 82 719 1804
© 2015 KPMG, the South African member firm of KPMG International, a Swiss cooperative. All rights reserved.
KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.