Financial Crime World

Uganda’s Data Breach Response Plan in Peril: PDPO Uncovers Shocking Non-Compliance at Uganda Securities Exchange

The Personal Data Protection Office (PDPO) of Uganda has released a damning report concluding its investigation into a data security breach at the Uganda Securities Exchange (USE). The investigation revealed shocking non-compliance with regulations and laws, putting individuals' personal data at risk.

Causes of the Breach

According to the PDPO, the breach was caused by non-compliance with the Information Systems Policies Manual, the Data Protection and Privacy Act, and supporting Regulations. Specifically:

  • A change in the firewall configuration left a port open without following established change management procedures.
  • Critical areas of non-compliance were identified, including inadequate data protection and privacy clauses in the Maintenance Agreement between USE and Soft Edge Uganda Limited.

Failure to Verify Security Safeguards

The PDPO also found that both USE and Soft Edge Uganda Limited failed to regularly verify whether implemented security safeguards were effective, allowing the breach to go unnoticed for 12 days. Additionally:

  • Soft Edge Uganda Limited, a data processor for USE, was not registered with the PDPO as required by law, constituting a legal violation.

Recommendations and Enforcement Action

The PDPO has recommended that USE:

  • Initiates disciplinary proceedings against relevant personnel
  • Ensures implementation of the Information Systems Policies Manual throughout its operations
  • Reviews and updates policy and data-sharing agreements to ensure compliance with the Data Protection and Privacy Act and supporting Regulations

USE is expected to implement these recommendations within three months from today. The PDPO has also commenced enforcement action against USE and Soft Edge Uganda Limited for non-compliance with the law in areas where violations were established.

Responsibilities of the Personal Data Protection Office (PDPO)

The PDPO is responsible for:

  • Implementing and enforcing the Data Protection and Privacy Act and attendant Regulations
  • Coordinating, supervising, and monitoring all organizations collecting and processing personal data within Uganda and outside Uganda where it relates to Ugandan citizens