In Kenya, data breaches have become an increasingly common and concerning issue. and like many other countries, Kenya has implemented data protection legislation to safeguard the personal information of its citizens. The Data Protection Act, 2019, establishes the Office of the Data Protection Commissioner (ODPC) as the authority responsible for overseeing data protection compliance and investigating data breaches.

Understanding Data Breaches

A data breach occurs when there is unauthorized access to, or disclosure of, personal data. This can happen due to a variety of factors, including hacking, malware infections, human error, or physical loss of data storage devices. Personal data can encompass a wide range of information, including names, addresses, phone numbers, email addresses, financial information, and medical records.

Reporting Data Breaches to the ODPC

The Data Protection Act mandates that data controllers, entities that determine the purposes and means of processing personal data, must report any data breaches to the ODPC within 72 hours of becoming aware of the incident. This requirement extends to data processors, entities that process personal data on behalf of data controllers.

The ODPC has established a dedicated data breach portal where data controllers and processors can submit their reports. The portal requires detailed information about the breach, including the nature of the breach, the type of personal data involved, the number of individuals affected, and the measures taken to mitigate the breach and notify affected individuals.

Steps to take in Reporting a Data Breach in Kenya

1. Identify the Breach: The first step is to determine whether a data breach has occurred. This may involve investigating suspicious activity, reviewing system logs, or receiving reports from affected individuals or third parties.
2. Contain the Breach: Once a data breach is confirmed, immediate action must be taken to contain the breach and prevent further unauthorized access to data. This may involve disabling compromised systems, changing passwords, isolating affected data and consulting a digital forensics company.
3. Assess the Impact: The next step is to assess the scope and impact of the data breach. This involves identifying the type of personal data involved, the number of individuals affected, and the potential harm that could result from the breach.
4. Notify Affected Individuals: Data controllers and processors are obligated to notify affected individuals of the data breach promptly and without undue delay. The notification should provide clear and concise information about the nature of the breach, the type of personal data involved, the potential risks, and the steps individuals can take to protect themselves.
5. Report to the ODPC: Within 72 hours of becoming aware of the data breach, data controllers and processors must submit a detailed report to the ODPC using the dedicated data breach portal. The report should include information about the breach, the measures taken to mitigate the breach, and the notification process for affected individuals. To report a data breach incident, you can visit their online reporting portal at https://www.odpc.go.ke/report-a-data-breach/

In addition to reporting data breaches to the ODPC, data controllers and processors are also responsible for taking appropriate measures to prevent future breaches and to ensure that personal data is processed in a secure and compliant manner. This includes implementing robust security measures, providing data protection training to employees, and regularly reviewing and updating data protection policies and procedures.

Consulting digital forensics experts after a data breach

Consulting digital forensics experts after a data breach is a critical step in understanding the scope and impact of the breach, identifying the responsible parties, and taking steps to mitigate the damage. Digital forensics experts can help you to:

• Collect and preserve evidence: Digital forensics experts can collect and preserve evidence from the compromised systems, including system logs, network traffic data, and other digital artifacts. This evidence can be used to identify the cause of the breach, track the movements of the attackers, and potentially identify the responsible parties.
• Analyze the data: Digital forensics experts can analyze the collected data to identify the type of data that was compromised, the number of affected individuals, and the potential harm that could result from the breach. This information can be used to make informed decisions about how to notify affected individuals and what steps to take to mitigate the damage.
• Provide expert testimony: Digital forensics experts can provide expert testimony in court or other legal proceedings. This testimony can help to explain the technical details of the breach and the potential impact on the affected individuals.

When to consult digital forensics experts

You should consult digital forensics experts as soon as you become aware of a data breach. The sooner you engage experts, the sooner they can begin collecting and preserving evidence, analyzing the data, and providing you with the information you need to respond to the breach effectively.

Benefits of consulting digital forensics experts

Consulting digital forensics experts can provide a number of benefits, including:

• Reduced risk of further harm: Digital forensics experts can help you to identify and remediate vulnerabilities in your systems, which can help to prevent future breaches.
• Protection of your reputation: A data breach can damage your reputation, but consulting digital forensics experts can help you to show that you are taking the breach seriously and are taking steps to protect your customers’ data.
• Peace of mind: Knowing that you have hired qualified experts to investigate the breach can give you peace of mind and allow you to focus on other aspects of your business.

Penalties for Data Breaches in Kenya

Data breaches can have severe consequences for individuals and organizations alike. In Kenya, the Data Protection Act, 2019, establishes a robust framework for data protection and imposes significant penalties for data breaches.

Administrative Fines for Data Breaches

The ODPC has the authority to impose administrative fines on data controllers and processors who fail to comply with the Data Protection Act, including failure to report data breaches within the prescribed timeframe. The maximum administrative fine that can be imposed is Kshs. 5,000,000 (approximately USD 49,000).

Factors Determining Penalty Amounts

The ODPC considers various factors when determining the appropriate amount of an administrative fine, including:

• The severity of the data breach
• The number of individuals affected
• The type of personal data involved
• The measures taken to mitigate the breach
• The data controller or processor’s compliance history

Additional Penalties

In addition to administrative fines, the ODPC may also issue other penalties, such as:

• Orders requiring data controllers or processors to take specific actions to comply with the Data Protection Act
• Orders prohibiting data controllers or processors from processing personal data in certain ways
• Suspension or revocation of licenses or registrations

Criminal Penalties

In cases where a data breach results in intentional or reckless disclosure of personal data, the data controller or processor may be subject to criminal prosecution. The maximum penalty for such offenses is a fine of Kshs. 10,000,000 (approximately USD 98,000) or imprisonment for a term of not more than three years, or both.

Importance of Data Breach Penalties

The imposition of penalties for data breaches serves several important purposes:

• Deterrence: The threat of penalties discourages data controllers and processors from engaging in negligent or unlawful data handling practices.
• Accountability: Penalties hold data controllers and processors accountable for their actions and ensure that they bear the consequences of data breaches.
• Compensation: Administrative fines can provide some measure of compensation to individuals who have suffered harm as a result of a data breach.

The penalties for data breaches in Kenya are designed to protect individuals’ privacy and promote responsible data handling practices. By imposing significant penalties, the ODPC aims to deter future breaches and ensure that organizations take data protection seriously.

Conclusion

Data breaches pose a significant threat to individuals’ privacy and can have far-reaching consequences. By promptly reporting data breaches to the ODPC, data controllers and processors play a crucial role in safeguarding personal data and ensuring that individuals are informed of potential risks. The ODPC’s investigations into data breaches help to hold entities accountable for their data protection practices and deter future breaches.

NB: Kindly note that the information contained is only intended for general knowledge. It therefore should not be construed as legal advice, for more information consult an advocate or visit https://www.odpc.go.ke/ for more information.

Here’s some more useful resources on data breach in Kenya

https://medium.com/@eastafricatechsolutions/how-to-report-data-breach-in-kenya-with-the-odpc-a297a105c441

https://www.linkedin.com/pulse/how-report-data-breach-kenya-odpc-east-africa-hi-tech-solutions-jazqe/