A certain sage once advised a classroom full of students that, ‘to every problem, there is a solution, even if the solution is learning to live with the problem’.
“There are only two types of companies: those that have been hacked and those that will be.” This seeming prophecy of doom was declared by Robert Mueller in 2012 when he was the Director of the United States Federal Bureau of Investigations. The office he held undoubtedly made his insight significantly more damning; it would be unfortunate to suppose his statement was conjecture. There may be some argument as to the semantics of it, but surely not as to its significance and relevance. His audience at the time, further heightens the gravitas of his prophecy, for it was at the RSA Cyber Security Conference in San Francisco, California. He further asserted that “No company is immune, from the Fortune 500 corporation to the neighborhood “mom and pop” business.”
Currently before our most August National Assembly, is a Bill sponsored by the Honourable Member and Leader of Majority Aden Duale, the Data Protection Bill 2019 (“DPB 2019”). The Bill has already gone through its first reading, and the deadline for submission of memoranda lapsed on 16th July 2019. We are therefore inching closer to the advent of more robust data protection and privacy laws in place.
Understandably Kenyan companies my cringe at the herald of the costs that usually accompany new laws and regulations, in that compliance can seem expensive because of the additional resources that have to be deployed to put measures in place to avoid deviating from the regulatory environment. This should, however, be seen as an opportunity, to not only protect the data and privacy of persons by scaling up cybersecurity systems and processes, there is also a business case for it when one considers the monumental fines and penalties that are being imposed on entities that fail to put measures in place to curb data breaches. Evolving our laws to be at par with international best practice should reassure companies that the regulators will not be making arbitrary decisions, as would likely be the case if there where a regulatory vacuum.
Having said that, there is also a second limb for the business case that can be made for a more robust regulatory environment. There needs to be a move away from the notion that it is only people in their private laws or on a personal level that can suffer the effects of data breaches. Indeed, how we define and identify the problem is integral to the kind of solutions that we can develop.
According to the World Economic Forum’s Global Risks Report 2019, it was noted that technology continued to play a pivotal role in shaping up the global risks landscape for individuals, governments, and businesses. In the Global Risks Perception Survey “massive data fraud and theft” was ranked the number four global risk by likelihood over a 10-year horizon, with “cyber attacks” at number five.
They may, therefore, be a need for a rethink of the fact that the Bill limits itself to a narrow of definition of “personal data breach”, which is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The focus on the individual is well-intentioned, but it may potentially miss out on remedying the negative effects of the vice with respect to its effects on businesses.
World over, companies continue to face cyber threats and breaches with each second that passes. In June 2019 alone, there were 65 top breaches that were reported globally in mainstream publications. According to data from UK’s IT Governance, 39,713,046 data records were compromised. Among the top breaches was Theta360 (a photo-sharing application) that suffered a major data breach that affected 11 million public and private photographs on their platform. Another significant breach was that of Evite, an online social event planning application, that had a 10 million user record database containing full names, countries, emails, IP addresses and passwords from customers compromised and later put up for sale for .2419 Bitcoin (about USD 1,916) in the dark web. The most common types of breaches recorded were as a result of unauthorized access (hacking), internal errors and cyber attacks.
UK’s Information Commissioner, Elizabeth Denham in July this year stated “…when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” This was after British Airways had been fined a record £183m for a data breach that occurred on their website in September 2018 and details of about 500,000 of their customers harvested by a group of hackers.
Though well-intentioned, it doesn’t require a significant leap to observe that business, especially those that have custody of personal data, are perceived and painted as the culprit or the aggressor, when in fact they are also the victims of cybercrime. Granted, some major corporations fuel this fire by driving capitalism beyond its moral limits by seeking to reap profits by exploitatively using personal data. That should not, however, result in an unbalanced view of the terrain, however ragged.
With ever-increasing internet penetration in Kenya, more and more services are being offered online. In the Q3 Sector Statistics Report for the Financial Year 2018/2019 Communications Authority of Kenya, there were 11,253,576 cyber threats in the aforementioned quarter compared to 10,221,191 in the previous quarter, representing a 10.1% increase. With such statistics, entities controlling and processing personal data find themselves in difficult positions as they bear the brunt of any data breaches with hefty fines awaiting them. Clause 63 of the Bill proposes a Ksh. 5,000,000 fine or 2% of the company’s annual turnover of the preceding financial year, whichever is higher.
That is, however, a cost on businesses, not on cybercriminals, and is therefore potentially prohibitive to doing business. That fact is especially not appeasing in light of the fact that the rate of cyber attacks are on the rise, and worse still even as some traditional measures are being put in place to curb cyber attacks, these are increasingly outdated in rapidly evolving environment in which cybercriminals are adapting to changes in technology faster than cybersecurity solutions are being found. We can, therefore, see how, an additional problem is in the horizon in light of a very well-intentioned, well informed, and well-considered effort to seek solutions.
Over legislation and over-regulation cannot be the route to the promise. There needs to be a balance. In any case, additional legislation and regulation beyond what is already contemplated in the Bill would be restrictive of an enterprise. What is needed are complementary mechanisms to help realise the spirit and intent of the law; to carry through the vision of policymakers and legislators. Enter from stage left, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), who together form the world-renowned specialized system for worldwide standardization.
The genesis of ISO can be traced back to 1946 when delegates from 25 countries met at the Institute of Civil Engineers in London to constitute a new international organization ‘to facilitate the international coordination and unification of industrial standards’. It was a global effort at self-regulation by private enterprise, for it was they who best understood the challenges and shortcomings that were a menace, as well as the opportunities that could be unlocked and advanced as a result of aspiring to higher standards.
It has been a consistent and deliberate effort to achieve this goal, and thus over its history, the ISO has published over 22,729 International Standards touching on numerous aspects of technology and manufacturing.
Its presence is global, with membership from 164 countries, and having 783 committees and subcommittees from all over the world which focus on the development of various standards. It is within this environment that ISO has developed ISO-27001, which is an international standard under the ISO/IEC 27000 family that sets standards for securing information held by an organization. ISO-27001 provides for requirements for an effective Information Security Management System.
In this regard, compliance with ISO/IEC 27001 by data controllers and processors enables firms to raise their internal mechanisms as regards data compliance to the level of international best practice. In this way, an ideal symbiosis is fostered between necessary legislation and self-regulation by private enterprise.
It is a way in which entities wishing to comply with data protection and will avoiding the infringement of the rights of individuals. Additionally, it gives customers the confidence that there has been a deliberate effort on the part of the organisations that they entrust with their information, and it ultimately reduces the costs that come with non-compliance. It may not necessarily be a full-proof vaccine against hacking and cybercrime, but it is undeniably a significant leap by way of risk mitigation.
The Kenya Bureau of Standards who are accredited to audit organizations and ISO certify them have so far certified three entities with ISO-27001: the Communications Authority of Kenya; the National Council for Population & Development; and the University of Embu. It is also reported that another three organizations are likely to also soon be ISO certified by them. Furthermore, the ISO/IEC 2017 report indicated that Kenya had, at the time, a total of 11 ISO/IEC27001 certifications.
The various bodies currently mandated to undertake the necessary audits and to subsequently issue the certification, include KEBS as well as Bureau Veritas Certification Kenya Limited. The latter have certified Samasource Kenya and the Kenya Reinsurance Corporation Limited.
If the case for certification in light of the legal developments that are unraveling is not yet apparent, and if one yet wonders how the ISO certification ties in with the highly anticipated Bill, the following can be plainly identified as the bottom line. The nexus between the Bill and the ISO standards can be inferred at clause 18 of the DPB 2019, as read together with clause 19. Clause 18 requires all data controllers and processors to be registered with the Data Commissioner, whereas clause 19(2)(e) requires any data controller or data processor wishing to be registered by the Data Commissioner to give a description of safeguards, security measures and mechanisms taken to ensure the protection of personal data. An ISO/IEC 27001 certification would, therefore, make the strongest case in favour of firms, as it would demonstrate and adherence to international best practice.
It is important to note that information security is not just about technology, as may perceivably be the case; it also involves people and processes. The users of computers in an organization ought to all be well trained on information security. An effective ISMS is only as good as the people that use it. With proper and frequent sensitization, the people who interact with the systems from day to day would be able to potentially better identify threats or notice anomalies thus enabling cyber-security/IT experts to arrest problems early enough, seal loopholes, and develop better processes to better secure the ISMS.
The top-level management should at the onset buy into the whole process and ensure that there is an understanding in the whole organization as to why it is of utmost importance to have an ISMS. It is advisable that they conduct a simple audit of where they stand before developing a policy that will guide the ISMS.
Compliance with this standard compliments the anticipated legislation and means that personal data in the hands of a data controller and processor is safe. An ISO/IEC 27001 certification will bring an organization’s reputation to the fore and instill confidence to its customers who share personal information with the organization. With this certification, organizations are able to respond to evolving security threats, while reducing the heavy costs and penalties attached to non-compliance.
Ultimately, the security of personal data is at the zenith of the data protection laws.
By Arnold Karanja,
Data Protection Compliance & Commercial Law Practitioner.