
Are you secure enough for POPI?

Johannesburg, 14 Apr 2014

Signed into South African law by the president in November 2013, the Protection of Personal Information (POPI) Act holds organisations responsible for the security of their customers' information. The act requires organisations to have a legitimate reason for collecting customer information and to destroy the information once it has fulfilled its purpose.

POPI is yet to come into effect, but when it does, organisations will have a one-year grace period to become compliant. The act has been 10 years in the making and its well-crafted nature has all stakeholders willing its success.

"Protection of personal information" is a broad term and includes the protection of a user's name, ID number, address, religious affiliation, sexual orientation, medical history, criminal record, educational and financial history and even biometric data, online identifiers (such as a Twitter handle) and location data. Should an organisation neglect to sufficiently protect the information, the regulatory body could enforce punishment of up to R10 million or 10 years' jail time.

The recently discovered vulnerability on the City of Johannesburg's Web site allowed thousands of citizens' personal information to be accessed without user authentication. In this instance, POPI changes the way we would have interpreted the so-called "hack". In the absence of the act, the City of Johannesburg sought legal action against the party who accessed the information; however, when POPI becomes legally binding, the party responsible for protecting the information will be held responsible for its security. In this case, the breach may have led to a civil claim against the city.

Larger organisations have invested considerable resources to become compliant with POPI since it was passed by the National Assembly. However, many small to medium organisations have not yet taken the necessary steps to comply with the act.

The protection of customer information must become a top priority for organisations. Those in the financial services, healthcare and marketing sectors will be most affected by POPI. It is each organisation's responsibility to make sure it has done everything within reason to protect private information, or face possible legal repercussions from the regulator.

POPI drives interest in the security industry, with malware and cyber attacks an increasing concern for organisations that are now legally responsible for securing information that may be stolen by cyber criminals. Comprehensive anti-malware, endpoint security and data loss prevention technology become a necessity. Organisations can no longer have their data stolen from them with little to no defence against cyber attacks.

Managed security solutions remove the hassle of data protection from in-house IT teams, allowing them to focus on core business tasks while their data protection is managed by a capable third party. Managed service providers are likely to see increased interest in their offerings and should concentrate on the security, management and support they provide to their customers.

Panda Security provides protection against zero-day attacks by updating its protection every six minutes thanks to its Collective Intelligence malware detection model. Panda Cloud Office Protection offers device control technology, which allows network administrators to improve control over company data by denying access, or forcing read-only access, on multiple storage devices, including flash drives. These policies are defined for individual PCs, preventing data theft from devices holding important information.

Panda Security's offerings not only protect organisations from malware but also give them greater control over their networks and data. Panda Cloud Systems Management allows organisations to manage, monitor and support from a central location. The software includes mobile device management, giving IT administrators the ability to manage mobile devices with remote lock, remote wipe and geo-location capabilities should a mobile device storing sensitive information go missing.

POPI's principles make it one of South Africa's most modern and well-founded laws. Ensuring that effective endpoint security and device management are in place will be critical to meeting the terms of the act.
