POPIA section 22
Breach notification procedure
Effective 18 May 2026
Draft — pending legal review
This document is a working template based on standard South African consumer-retail and Section 21 cannabis-supply practice. It will be reviewed and signed off by a POPIA- and consumer-law-qualified attorney before public launch.
Under section 22 of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovery of the compromise.
This page documents Cannabuben's standard operating procedure for detecting, containing, and disclosing such security compromises. It is the public-facing summary of the internal incident-response plan held by the Information Officer.
1. Detection
- Real-time monitoring: application errors and unusual access patterns are surfaced via Sentry alerts to the on-call engineer.
- Audit trail: every action on a customer record is recorded in a tamper-evident, hash-chained audit log. Any break in the chain (a modified, removed, or reordered entry) raises an alert.
- Customer report: security@cannabuben.co.za is monitored by the Information Officer and the on-call engineer.
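The hash-chained audit log mentioned above is the one technical control on this page, so here is a worked illustration of how such a chain is built and verified. This is an added example, not Cannabuben's own code, and it assumes a design not stated on the page: each entry is keyed-hashed (HMAC-SHA256) over its own fields plus the previous entry's hash, the HMAC key is held outside the database, and the current head hash is periodically checkpointed to separate storage. The key, field names, and sample entries are constructed for the example. Verification detects an edited entry, an entry forged without the key, and a truncated log (which a plain hash chain alone would miss without the external checkpoint).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Hash of the "entry before the first entry"; every chain starts here.
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the chain, must be contiguous from 0
    ts: str           # timestamp string (constructed, fixed for determinism)
    actor: str        # who performed the action
    action: str       # what was done to the customer record
    record_id: str    # which customer record
    prev_hash: str    # entry_hash of the previous entry (GENESIS for seq 0)
    entry_hash: str   # HMAC over all the fields above


def _canonical(fields: dict) -> bytes:
    # Canonical JSON so the same fields always hash to the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(key: bytes, seq: int, ts: str, actor: str, action: str,
                 record_id: str, prev_hash: str) -> str:
    payload = _canonical({"seq": seq, "ts": ts, "actor": actor,
                          "action": action, "record_id": record_id,
                          "prev_hash": prev_hash})
    # Keyed hash: an attacker with write access to the log table but not the
    # key (assumed to live outside the database) cannot recompute valid links.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[AuditEntry] = []

    @property
    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def append(self, ts: str, actor: str, action: str, record_id: str) -> AuditEntry:
        seq = len(self.entries)
        prev = self.head
        h = compute_hash(self._key, seq, ts, actor, action, record_id, prev)
        entry = AuditEntry(seq, ts, actor, action, record_id, prev, h)
        self.entries.append(entry)
        return entry


def verify_chain(key: bytes, entries: List[AuditEntry],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Walk the chain from GENESIS. Returns (ok, first_bad_seq, reason).

    expected_head is the last checkpointed head hash; supplying it turns
    silent truncation or rollback of the tail into a detectable failure.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i:
            return False, i, "sequence gap"
        if e.prev_hash != prev:
            return False, i, "prev_hash mismatch"
        expected = compute_hash(key, e.seq, e.ts, e.actor, e.action,
                                e.record_id, e.prev_hash)
        if not hmac.compare_digest(expected, e.entry_hash):
            return False, i, "entry hash mismatch"
        prev = e.entry_hash
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries), "head does not match checkpoint"
    return True, None, "ok"


# Constructed sample data for the example (not real customers or staff).
SAMPLE_KEY = b"example-key-held-outside-the-db"


def build_sample_log() -> AuditLog:
    log = AuditLog(SAMPLE_KEY)
    log.append("2026-05-18T09:00:00Z", "support:alice", "view", "cust-1001")
    log.append("2026-05-18T09:05:00Z", "support:alice", "update-address", "cust-1001")
    log.append("2026-05-18T09:07:00Z", "api:orders", "create-order", "cust-2002")
    return log


def tampered_entry_result(log: AuditLog):
    # An attacker changes what was done in entry 1 but cannot re-sign it.
    entries = list(log.entries)
    entries[1] = replace(entries[1], action="view")
    return verify_chain(SAMPLE_KEY, entries, log.head)


def truncated_log_result(log: AuditLog):
    # The last entry is deleted; the chain is internally consistent but
    # no longer ends at the checkpointed head.
    return verify_chain(SAMPLE_KEY, log.entries[:-1], log.head)


def forged_entry_result(log: AuditLog):
    # An attacker appends an entry without knowing the HMAC key.
    fake_hash = hashlib.sha256(b"guess").hexdigest()
    forged = AuditEntry(3, "2026-05-18T09:09:00Z", "support:mallory",
                        "export", "cust-3003", log.head, fake_hash)
    return verify_chain(SAMPLE_KEY, log.entries + [forged])


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(SAMPLE_KEY, sample.entries, sample.head))
    print("edited:", tampered_entry_result(sample))
    print("truncated:", truncated_log_result(sample))
    print("forged:", forged_entry_result(sample))
```

The checkpointed head is what makes truncation visible: without it, deleting the newest entries leaves a chain that still verifies from GENESIS. In practice the verifier would run on a schedule and on every checkpoint, and a failed result is what should feed the alert described in the Detection section.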
2. Triage and containment (within 1 hour of detection)
- On-call engineer confirms whether unauthorised access to personal information has occurred or is likely.
- If yes, the affected service is contained: credentials rotated, tokens revoked, suspect IPs blocked. Relevant logs and evidence are preserved before any destructive action such as rotation or rebuild, so that the severity classification and post-incident review can be carried out.
- The Information Officer is paged.
- An incident channel is opened; all subsequent actions logged.
3. Severity classification (within 4 hours)
The Information Officer classifies the incident:
- Critical: exposure of identity documents, dates of birth, prescription data, or financial data for any number of data subjects.
- High: exposure of names, addresses, emails, or order history for any number of data subjects.
- Medium: internal-only data (audit logs, admin activity) with no customer-PII spillover.
- Low: attempted breach contained before any data was accessed.
4. Notification of the Information Regulator (within 72 hours of detection)
For Critical and High incidents, the Information Officer notifies the Information Regulator using the Regulator's prescribed section-22 form. The 72-hour window is our internal target; the statutory standard under section 22 is "as soon as reasonably possible after the discovery of the compromise", so notification is not held back to the end of the window once the facts are established. The notification includes:
- Date and time of detection.
- Possible consequences for affected data subjects.
- Containment measures taken.
- How affected data subjects are being notified.
- Contact details of the Information Officer.
5. Notification of affected data subjects
Affected data subjects are notified in writing, by email to the primary email on file, as soon as reasonably possible. Under section 22(3) of POPIA, notification of data subjects may be delayed only where the Information Regulator or a public body responsible for the prevention, detection or investigation of offences determines that notification would impede a criminal investigation. The notification includes:
- Sufficient information to allow the data subject to take protective measures.
- The categories of personal information affected.
- What we have done in response.
- Recommendations for protective steps the data subject may take.
- Contact details of the Information Officer for follow-up questions.
Where postal notification is necessary (email undeliverable), notification is sent to the address on file. Where there is no viable contact route for a data subject, prominent notification is placed on the public Cannabuben site for at least 30 days.
6. Public disclosure
Aggregate counts of any notifications made under section 22 are published on our transparency page on a quarterly basis. Individual data-subject details are not disclosed publicly.
7. Post-incident review
Within 14 days of containment, the Information Officer publishes an internal post-mortem with root-cause analysis and remediation actions. Material remediation milestones are added to the compliance changelog if and when that page goes live.
8. Reporting a suspected breach
If you believe your Cannabuben data has been compromised, please email security@cannabuben.co.za with as much detail as you can share. The Information Officer is copied automatically and the triage clock starts on receipt.
