Comments: Naivas Limited's Data Breach Notification
Yesterday, a friend shared the data breach notification issued by Naivas Limited t/a “Naivas Supermarket” for me to share general comments on data protection and public affairs. Having gone through the data breach notice, I note that a lack of clarity, or assumptions, may expose an entity to an unnecessary legal cause of action on matters of data law.
One thing I have learnt as a business-minded lawyer is to look at a client's matter (controversial or non-controversial) in a broad sense that goes beyond compliance to include the short- and long-term goals of the client. Even when handling stakeholder mapping and engagement or policy development, it is essential to understand the client's short- and long-term goals. Therefore, the essential purpose of the notification was to enhance customer confidence for customer retention.
The data breach notification is well intended since it is meant to comply with specific regulatory requirements under s 43 (5) of the Data Protection Act (DPA). However, in the process of complying, certain areas need improvement, as set out below:
Brand Identification: the notification drags in other unknown entities to indicate that Naivas is not the only affected entity. It may also suggest that Naivas wishes to be judged alongside entities whose data protection standards may be higher or lower than its own, even though various laws and guidelines may require a particular level of protection from each of them.
Also, data protection is about reducing risk: the threat of a data breach is always live regardless of the measures put in place.
Assumption about the source of the breach: data breaches can be classified in various ways, but generally by whether the actor is internal or external (setting malice aside: think of social engineering or approved penetration testing). Where malice is present, an internal actor may work with external actors by creating a gateway through the target's core systems (probably the easiest route, though still sophisticated). The notification assumes that the risk is entirely external.
Assumption about managing the risk: during a data breach, depending on the interests of the person accessing the data, there is a chance that backdoor access points are created that can be used for a future breach or for monitoring the data flow in the affected system.
Lack of clarity on financial information: the notification states that Naivas does not hold any credit or debit card information. Yet Naivas, through its e-commerce platform, indicates that it collects certain pieces of information, which include data related to financial information.
Lack of clarity on remote transactions: Secure Sockets Layer (SSL) (https://) is meant to reduce the risk of data being intercepted during communication between the customer and the website's server. However, once the data is decrypted on the web server, that protection covers only the moment of pressing the purchase button, not what happens to the data afterwards. This lack of clarity leaves informed consumers mistrusting the brand.
Malicious use of data: stating “we are not aware of any malicious use of stolen data” does not establish customer confidence, since no one is open to having their transaction data (beyond financial data), such as shopping behaviour by item, timelines (how often), routine (at what time) and spending, available to anyone, whether at a price or for free.
The notification was well intended, but if Naivas is keen on reaching its customer base, the same notification should also have been sent to its customers' email addresses or phone numbers, since an online publication alone is not enough given the range of consumers: some have access to social media, and some lack that access, not to mention electronic gadgets like smartphones or feature phones.
Great insights, Ombo Malumbe. I love how you emphasized utilizing alternative communication options apart from social media due to accessibility. Well done.
This is really good. The two aspects, 'brand identification' and 'malicious use', stood out for me as well from the notice. I stopped and wondered for a moment.