SMEs lag on POPI compliance

By Staff Writer, ITWeb
Johannesburg, 14 Apr 2014

Larger organisations have invested considerable resources to become compliant with the Protection of Personal Information (POPI) Act since it was passed by the National Assembly. However, many small to medium enterprises (SMEs) have not yet taken the necessary steps to comply with the Act.

That's the view held by Panda Security, which notes that the POPI Act, signed into South African law by the president in November 2013, holds organisations responsible for the security of their customers' information.

According to the security solutions vendor, the Act requires organisations to have a legitimate reason for collecting customer information and requires them to destroy the information once it has fulfilled its purpose.

"POPI is yet to come into effect but when it does, organisations will have a one-year grace period to become compliant. The Act has been 10 years in the making and its well-crafted nature has all stakeholders willing its success," says Panda in a statement.

The vendor notes that "protection of personal information" is a broad term and includes the protection of a user's name, ID number, address, religious affiliation, sexual orientation, medical history, criminal record, educational and financial history and even biometric data, online identifiers (Twitter handle) and location data.

It warns that should an organisation neglect to sufficiently protect the information, the regulatory body could enforce punishment of up to R10 million or 10 years' jail time.

Panda explains that the recently discovered vulnerability on the City of Johannesburg's Web site allowed thousands of citizens' personal information to be accessed without user authentication. In this instance, it notes, POPI changes the way we would have interpreted the so-called "hack".

In the absence of the Act, the City of Johannesburg sought legal action against the party who accessed the information. Once POPI becomes legally binding, however, the party responsible for protecting the information will be held accountable for its security, it says, adding that in this case the breach could have led to a civil claim against the city.

Panda urges that the protection of customer information must become a top priority for organisations. Those in the financial services, healthcare and marketing sectors will be most affected by POPI, it notes, pointing out that it is the organisations' responsibility to make sure they have done everything that is within reason to protect private information or face possible legal repercussions from the regulator.

According to the vendor, POPI drives interest in the security industry, as malware and cyber attacks are an increasing concern for organisations that are now legally responsible for securing information that may be stolen by cyber criminals. It urges that comprehensive anti-malware, endpoint security and data loss prevention technology become a necessity. Organisations can no longer have their data stolen from them with little to no defence against cyber attacks, it states.

"POPI's principles make it one of South Africa's most modern and well-founded laws. Ensuring that effective endpoint security and device management is in place will be critical to meeting the terms of the Act," it says.