Tackling personal data breaches under the Personal Data Protection Act №9 of 2022
Background
It has now become public knowledge that a leading Sri Lankan payment gateway suffered a significant data breach that has purportedly exposed more than 65GB of payment records, including over 1.5 million unique email addresses, according to https://haveibeenpwned.com (HIBP). This breach is the first of its kind since Sri Lanka enacted the Personal Data Protection Act №9 of 2022 earlier this year. HIBP and the official statement indicate that the breached data includes IP and physical addresses, names, phone numbers, purchase histories and partially obfuscated credit card data (card type, first 6 and last 4 digits plus expiry date), whilst the official statement insists that no full credit card numbers have been compromised (https://blog.payhere.lk/ensuring-integrity-on-payhere-cybersecurity-incident/). It is worth noting that a truncated card number cannot by itself be used to transact, but the first 6 and last 4 digits together with the expiry date, cardholder name, address and purchase history are more than enough to craft convincing phishing or social-engineering attempts against the affected customers, which is precisely the kind of downstream harm a breach assessment must weigh.
Personal Data Protection Act №9 of 2022 (PDPA)
Simply put, the PDPA mainly applies to controllers who process personal data of data subjects. Personal data means information that can directly or indirectly identify an individual, whether on its own or when combined with other data. A controller is someone who decides on the means and purposes of processing personal data, and essentially decides on what data should be processed, why, how and when. A data subject is a human being to whom personal data relates.
Though the PDPA became law on 19 March 2022, it is still undergoing its grace period for implementation. That is to say, the PDPA will come into full force and effect only in the next 18 to 36 months, giving controllers and processors sufficient time to get their affairs in order in line with the new law. In any event, the Data Protection Authority (DPA) must be set up before the PDPA can come into full effect. So technically, there is no Data Protection Authority in place right now to look into the incident and investigate.
Be that as it may, it certainly would not be a futile effort to look at how the PDPA can address a situation of this nature once it is fully operational and backed by a competent and robust data protection authority to administer and enforce the law. This piece therefore sets out why it is imperative for an organisation whose business is fuelled by personal data to be able to effectively detect, contain and respond to personal data breaches if it is to be compliant under the PDPA.
Basic requirements
· The PDPA defines “personal data breach” as:
“any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
· Section 10 requires every controller to ensure the integrity and confidentiality of the personal data it processes by using appropriate technical and organisational measures. Such measures may include encryption, pseudonymisation, anonymisation and other security controls that are appropriate to the nature and gravity of the processing activity. In practice this means having essential cybersecurity safeguards in place, backed by a competent team with relevant tools at their disposal and a sufficient budget.
· Furthermore, a controller must have a robust data protection management program, which among other things should include a mechanism to identify personal data breaches and such mechanism must be periodically updated according to section 12.
· It is also important to carry out data protection impact assessments (DPIAs), especially if a controller is carrying out high-risk processing as prescribed in the PDPA. In any case, it would be prudent to conduct DPIAs even where the PDPA does not mandate them, for the sole purpose of identifying vulnerabilities and risks in a controller’s data processing practices. A DPIA enables a controller to identify risks and vulnerabilities, including information security risks, and to implement mechanisms to eliminate or mitigate them.
· The above requirements are meant to help a controller prevent or mitigate a data breach. Whilst no information system can be 100% secure, it is still vital that a controller takes all reasonable precautions to prevent, identify and contain a data breach.
When to notify under the PDPA
Where notification of breaches is concerned, section 23 mandates that data breaches be notified to the data protection authority. However, section 23 does not go into the specifics of when a controller must inform the data protection authority (DPA) of a data breach, under what circumstances affected data subjects should be notified, and what other information a controller is bound to provide to the DPA. These will come in the form of Rules once the DPA is up and running. It should be noted that such Rules are subject to the mandatory public consultation period of two weeks under the PDPA, which would allow the DPA to hear out all stakeholders before mandating the procedure. So we will not have these data breach notification rules anytime soon unless a robust data protection authority is set up in the very near future.
However, in certain jurisdictions, such as the EU, data protection laws require a controller to notify the supervisory authority of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. In addition, affected customers must be notified without undue delay where the breach is likely to result in a high risk to the data subjects.
It is a fair assumption to make at this point that the future Sri Lankan DPA may not significantly deviate from global best practice and may style its data breach notification rules in line with it. In any event, it will be imperative for a controller to have in place internal mechanisms to duly detect, assess and contain data breaches. Once it becomes aware of a breach, the controller must assess its severity in terms of the actual or potential impact on the data subjects and the likelihood of such impact. This assessment can be done using criteria that consider the context and circumstances of the breach, including the categories and volume of data involved, the possibility of identifying data subjects from it, and the ease with which the data could be combined with other data to cause harm.
If there is a high discernible risk to the data subjects concerned, they should be notified without delay in addition to notifying the supervisory authorities, so that the affected data subjects can take precautionary measures such as changing passwords, enabling multi-factor authentication or informing card issuers, as the case may be, to guard themselves against any actual or potential financial loss, identity theft or other substantial harm.
It is necessary that controllers do not treat data breach notification as a potential suicide mission, but as a necessary measure that strengthens their transparency, accountability and compliance objectives and sustains consumer trust in the aftermath of a breach. A controller must therefore be mindful to include breach notification terms in its contracts with joint controllers and processors who process personal data on its behalf, so that the controller learns of a breach at a processor in time to meet its own notification obligations.
Special directives and penalties under the PDPA
Failure to comply with the basic requirements and notification procedure as set out above, may open a controller, who has suffered a breach, to potential directives and penalties under the PDPA. The data protection authority (DPA) will have the power to inquire into and investigate a data breach.
In that context, the DPA will have the authority to call for information from the controller pertaining to the breach, including what measures the controller had adopted to prevent or mitigate such a breach before it happened. Upon the conclusion of such an investigation, if a controller is found to have violated the basic requirements or notification procedures, the DPA may direct the controller concerned to perform such acts as will rectify the situation, including paying compensation to an aggrieved person who has suffered harm, loss or damage as a result of such non-compliance. A controller may of course appeal against such a directive. However, failing to comply with it will subject the controller to a penalty not exceeding Rs. 10 Mn. In any event, prior to imposing a penalty, the DPA must mandatorily consider the following:
(a) the nature, gravity and duration of the contravention taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) any action taken by the controller to mitigate the damage suffered by data subjects;
(c) the effectiveness of the data protection management programme required from the controller under section 12 (accountability principle);
(d) the degree of co-operation with the DPA, in order to remedy the contravention and mitigate the possible adverse effects of such contravention;
(e) the categories of personal data affected by any contravention;
(f) the manner in which a contravention became known to the DPA, in particular whether, and if so to what extent, the controller or processor notified the contravention to the DPA;
(g) the previous non-compliances by such controller under the PDPA;
(h) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, arising out of or in relation to the contravention of the PDPA by the controller.
Conclusion
In summary:
Do’s:
· Implement appropriate information security measures to secure the personal data including mechanisms to identify, assess, contain and respond to breaches when they do occur.
· Conduct DPIAs to ensure early detection of possible vulnerabilities and put in place measures to eliminate or mitigate such risks.
· Be transparent about the breach to the customers and the supervisory authority. Inform affected customers without undue delay particularly if the risk of harm following the breach is high.
Don’ts:
· Don’t try to sweep the incident under the carpet. It will only make things worse compliance-wise and consumer trust-wise.
· Don’t be vague to customers about the incident. Tell them what categories of their data were affected and provide as much information as possible to enable them to take precautions themselves.
· Don’t take information security for granted. Adequately invest in information security and data protection best practices to ensure confidentiality, integrity and availability of the personal data that you process.
info@privacy.lk