Reputation management and the POPI Act
Content provided by IACT Africa, specialist business consulting company with a focus on assisting organisations to add strategic value to IT Governance and IT Management.
During January 2017 Samsung announced the results of a months-long investigation when some of the devices it was selling started to self-ignite that then saw a steep decline in its global reputation, resulting in a recall of 2,500,000 Galaxy Note 7 units. This was not the first time a tech device has experienced such problems: do you remember the issues Dell (at one time the world’s largest supplier of PCs) had in 2006 when some of its laptop batteries also displayed auto-combustion characteristics and it recalled 4,000,000 of them? Of course you can see where this story line leads us already – the Ford Kuga debacle which has been almost constantly in the media over the last few months, with a much more modest recall target of only 4,500 Kuga units. When your good name is on the line, and you enjoy global recognition for your brand, the value of effective reputation management is kind of obvious. So what has this got to do with the POPI Act? A great deal, if international experience is anything to go by.
When the Information Regulator announces commencement of the twelve month transition period to full effect of the POPI Act – POPIA - (which had not happened at the time of writing this article but is widely expected in the second half of 2017), there will be a number of possible negative consequences to non-compliance with the Act. Whilst a security compromise (more often called a data breach in global markets) is the most obvious concern, there are numerous other grounds on which the Regulator and interested stakeholders (data subjects to use POPI parlance) may feel they have reason to take action where failure to comply with the Act is concerned. Any and all of these possible failures could have the direct negative consequences of a monetary penalty (issued by the Regulator), civil damages claims (from data subjects) and the costs of disruption to normal business in the recovery period after an incident has occurred, potentially including revenue lost from disaffected current and future clients.
Not yet mentioned in this article but almost certainly surpassing all the other negative impacts to be expected, but not welcomed, is reputation damage. That’s where the Ford Kuga and POPI Act non-compliance have something in common: headlines for all the wrong reasons. International surveys conducted over the last couple of years by information security companies such as Kaspersky Lab and Trend Micro provide some indication of the types of risks that need to be addressed (see the list below) where personal information protection is concerned.
Cost of security incidents by type (high to low)
- Failure Of Third Party Suppliers
- Fraud By Employees
- Cyber Espionage
- Network Intrusion/Hacking
- Intentional Leaking
- Accidental Leaking
- Software Vulnerabilities
Top three major consequences of a breach:
- Loss of access to business-critical information
- Damage to company reputation
- Temporary loss of ability to trade
Top three most expensive types of security breaches:
- Third-party failure
- Fraud by employees
- Cyber espionage
Top three IT security threats that lead to data loss:
- Phishing attacks
- Accidental data leaks by staff
Source: Kaspersky Lab report “DAMAGE CONTROL: THE COST OF SECURITY BREACHES”, 2016
So what action is recommended to help to manage your reputation when it comes to POPIA? Clients of mine have evaluated several frameworks which can be used to better manage their compliance activities. One of the most popular is from the US (visit www.nist.gov/cyberframework for more information) which is part of the Obama legacy from 2014 (not yet overturned by a Trump Executive Order at time of writing) that offers the following five groups of the Cybersecurity Framework Core Outcomes which can help with protecting your reputation, whether you are in Bloemfontein, Benoni or Bloubergstrand:
- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
If you follow this advice your reputation is less likely to get burned than Samsung, Dell or Ford. Good luck with managing your reputation. Remember: you can submit your queries or feedback from these articles to email@example.com
Acknowledgement: this is a revised version of the article by Dr Peter Tobin “Burn, baby, burn” that appeared in My Office Magazine, March 2017.
Copyright © IACT-Africa 2016 -
Author and contact details:
Dr Peter Tobin, BA(Hons), MBA, DPhil, CGEIT, PMIITPSA, PMP, is a Senior Consultant with IACT-Africa. For more information please email: firstname.lastname@example.org