Data Breach Response Strategies

Organizations can better protect people’s privacy, as stated in Article 31(c) and (d), by using effective data breach response strategies. To do this, organizations need to understand what a data breach is. The Court in the case of Ogwaro v SGA Security Limited [2025] KEELRC 264 (KLR) defined a data breach as follows:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Data breaches can happen in different ways, including:

1. Cybersecurity Breaches: These occur when outside attackers target the data controller’s systems, leading to exposure of personal information. Common methods include:

a) Malware Attacks: These use malicious software, such as viruses, to disrupt an organization’s systems.

b) Ransomware: This type of malware encrypts a victim’s data and demands payment to decrypt it.

c) Phishing and Social Engineering: Attackers use fake emails, pop-ups, or websites that look real to trick users into sharing sensitive information.

d) Man-in-the-Middle Attacks: Here, attackers intercept communications between two parties to steal sensitive information.

2. Insider Threats: These breaches happen from within the organization, either from employees who misuse their access to steal or expose data for personal gain or from innocent mistakes that accidentally reveal information.

3. Physical Breaches: These involve the loss of data due to theft or unauthorized access to the organization’s premises.

4. Supply Chain Attacks: Here, the attacker targets third parties connected to the data controller or processor, such as vendors or suppliers who service them, and uses that access to infiltrate the targeted organization.

Data has become critical in today’s business world, which is why it’s important to protect it from unauthorized access. Despite best efforts, data may still be exposed to threats. Therefore, organizations need a clear plan to handle and reduce the impact of a data breach.

This plan, known as a Data Breach Response Strategy, starts right after a breach is detected.

Protecting personal data is crucial because failing to do so can lead to serious problems. These problems include:

  1. Identity theft, where someone’s personal data is changed, making it inaccurate.
  2. Financial fraud and other types of abuse.
  3. Damage to an individual’s reputation when their personal information is exposed.
  4. Loss of trust in an organization following a data breach.

As a data processor or controller, you must follow data protection principles to safeguard the interests of individuals whose data you handle. One key principle is integrity and confidentiality. This means personal data should be safe from unauthorized access and accidental loss or damage.

Data breach response strategies can help protect data from unauthorized access. Furthermore, regulation 32 of Legal Notice 263 of 2021 (The Data Protection (General) Regulations) sets out the elements of the principles of integrity, confidentiality, and availability. This regulation requires data controllers and processors to have in place routines and procedures to detect, handle, report, and learn from data breaches. Learning from the experience of a data breach should always be followed by the correct response to such a breach.

What should you do after a data breach occurs?

1) Assessing and Analyzing the Impact

First, investigate how the breach has affected the data and individuals involved. This assessment takes place after the breach is detected. You should look into what happened during the breach to find the cause and prevent future unauthorized access.

2) Notification of the breach

Next, notify the relevant parties. The data processor informs the data controller, who then notifies the affected individuals and the Data Protection Commissioner. You must notify the Commissioner within 72 hours of detecting the breach. If there is a delay, be prepared to explain why.

a) Data Breaches that Require Notification

Not all breaches need notification. You should notify people if you find that:

  1. An unauthorized person accessed or acquired personal data, and
  2. There is a real risk of harm to the affected individual.

If the data controller or processor has taken strong security measures, like encrypting the data, they may not need to notify the affected individuals. This highlights the importance of having strong security in place to prevent or lessen the impacts of data breaches.

b) Contents of the Notification

The written notification should include important details on how to protect data against the consequences of the breach. This information should cover:

  1. A description of the breach;
  2. The measures the data controller or processor is taking or has taken to address the breach;
  3. Recommendations for the affected individuals on what they can do to protect themselves;
  4. If possible, the identity of the unauthorized person who accessed the data; and
  5. The name and contact details of the data protection officer or another contact person for more information.

c) Storage of Records on Data Breach

Data controllers must keep records about data breaches. This includes:

  1. The details of the breach
  2. The effects of the breach
  3. The steps taken to fix the issue. This often involves fixing security weaknesses, like changing passwords or improving locks for physical security.

3) Post-Incident Review

This process focuses on learning from the organization’s experience during and after the breach. The organization should identify its weaknesses and areas for improvement based on what happened. This information will guide changes to enhance security measures.

4) Developing a Comprehensive Response Plan

a) Proactive Approach

Organizations that handle data should prepare strategies to reduce risks and damages. These plans should help anticipate threats and include strong security measures to react when a breach occurs. Having a reliable breach detection system is critical, as all follow-up actions begin after detecting a breach. Effective software to monitor both internal and third-party threats can be beneficial.

b) Communicating with Data Subjects

A data breach can affect how customers and the public view the organization. Clear and honest communication is vital to maintain trust and reduce potential harm. When informing affected individuals, the response plan may include:

1) Post-Crisis Renewal Model: This approach focuses on rebuilding trust. Organizations can reassure data subjects that they are committed to preventing future incidents.

2) Image Restoration Model: This involves explaining what happened, who was responsible, and what is being done to address the situation. It may include both defensive and accommodative strategies, ranging from denying responsibility to accepting fault and offering apologies.

c) Employee Training and Awareness

Training employees is essential to prevent future data breaches. Lessons from past breaches should guide education efforts. Employee training helps by:

  1. Creating awareness about cybersecurity so employees can spot warning signs like unauthorized access attempts. Quick reporting by employees can lead to faster responses.
  2. Supporting ongoing learning, as cyber threats keep changing. Continuous training is necessary for employees to handle new types of threats.
  3. Ensuring the organization meets legal requirements for data protection and privacy training.
  4. Helping employees understand the organization’s comprehensive response plans and policies.

Conclusion

A Data Breach Response Strategy is essential for any organization that collects and stores personal and sensitive information. It is important for legal compliance and for protecting the organization’s reputation with clients and employees. When clients feel their information is secure, it builds trust, which is crucial for business success.

At Kioi and Co. Advocates, we provide legal services to help organizations prepare for and respond to data breaches. If you want to ensure compliance through a proactive approach, contact us at info@kioi.co.ke.
