Now there is nowhere for companies to hide if they suffer a data breach
Protection of Personal Information Act forces businesses to tell the public and regulator of breaches as soon as possible
Cyberattacks spiked in SA as the country adopted remote working during the level 5 lockdown. It was reported that up to 310,000 devices were attacked in one week in March.
In February Eskom acknowledged a malware infection and possible data leak, and Nedbank suffered a data breach. Mimecast reports that during the last quarter of 2019 SA was hit by 14 major cyberattacks across several industries, including IT, retail, insurance, banking and transport. The City of Johannesburg and information and communications technology company Conor were among those targeted by these cyberattacks.
According to the IBM “Cost of a Data Breach Report 2019”, the average cost of a data breach (the exposure of confidential information) in SA in 2019 was about $3.06m, with the number of records disclosed per breach averaging 22,060. Though these figures are disconcerting, at least SA ranked second in terms of the average time taken to identify and contain a data breach, at 175 days and 56 days, respectively. Yet it remains frightening that according to these statistics it takes companies and public bodies almost half a year to identify a breach.
Though it is best practice, companies have until now had no legal obligation, after experiencing a data breach, to inform the individuals and companies whose data has been compromised. The commencement of most provisions of the Protection of Personal Information Act of 2013 (Popi) on July 1 has changed this.
Various provisions of Popi came into effect in 2014, but the key operational provisions and obligations have been lying in abeyance for many years. On July 1 those remaining provisions came into effect. Responsible parties (defined in Popi as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information) will be given a grace period of one year in which to comply with the relevant provisions of the law. They will need to ensure compliance with eight stringent Popi conditions, including that processing must be lawful, reasonable and minimal and, generally, requires consent, and that the information must be complete and accurate.
The Popi condition on security of information may be of particular interest to boards of directors. Responsible parties are required to take steps to secure the integrity and confidentiality of personal information in their possession by taking measures to prevent the loss of, damage to, or unauthorised destruction of, personal information; and unlawful access to or processing of personal information. They must identify reasonably foreseeable risks to personal information; implement safeguards to reduce the risks; and ensure the safeguards are effective and continuously updated in response to new risks.
Here’s the twist: if a breach occurs there is no longer anywhere to hide. In the past companies might have done some damage control and heaved a sigh of relief that the breach did not go public. But no more. This is because responsible parties will, after the 12-month grace period, be obliged to notify the Information Regulator, and the data subject, in writing as soon as reasonably possible. Popi does not prescribe what this period must be. It will vary on a case-by-case basis, as it is dependent on the measures responsible parties need to take to determine the scope of the compromise, restore the integrity of the information system, and provide law enforcement with sufficient time to fulfil its obligations.
Failure to notify is a breach of Popi and may result in the imposition of a fine not exceeding R10m on the responsible party, imprisonment not exceeding 10 years, or both. Damages may also be awarded against the responsible party, whether the breach was notified or not.
However, it is not the threat of damages or even the possible fine that should galvanise companies and other organisations to ensure they become Popi compliant. First and foremost, Popi has been enacted to empower each person’s right to privacy. It puts flesh on what was otherwise a fairly bare bone of common law. Second, taking data protection seriously is not just a “nice to have”. It goes to the heart of whether your customers, employees and suppliers can trust you. The public outcry and flight of advertisers from Facebook after the Cambridge Analytica scandal underscores this point.
Having worked with a number of companies over the years in this area, we know the reputational and patrimonial loss caused by a data breach can be substantial, and potentially even catastrophic. The Popi clock is now ticking.
• The authors are attorneys with Webber Wentzel.