Data breaches and POPI: Nowhere to hide
By Dario Milo, Pooja Dela and Fatima Ismail
Cyber attacks in South Africa spiked as the country adopted remote working during the level five lockdown. It was reported that up to 310 000 devices were attacked in one week in March.
In February, Eskom acknowledged a malware infection and possible data leak and Nedbank suffered a data breach. Mimecast reports that during the last quarter of 2019, South Africa was hit by 14 major cyber attacks across several industries, including IT, retail, insurance, banking and transport. The City of Johannesburg and ICT company Conor were among those targeted by these cyber attacks.
According to the IBM Cost of a Data Breach Report 2019, the average total cost of a data breach (the exposure of confidential information) in South Africa in 2019 was estimated at $3.06 million, with the number of records disclosed per breach averaging around 22 060. Although these figures are disconcerting, at least South Africa ranked second in terms of the average time taken to identify and contain a data breach, at 175 days and 56 days respectively. Yet it remains frightening that, according to these statistics, it takes companies and public bodies almost half a year to identify a breach.
Although it is best practice to do so, companies that have experienced a data breach have no legal obligation to inform the individuals and companies whose data has been compromised. The commencement of most provisions of the Protection of Personal Information Act, 4 of 2013 (POPI) on 1 July 2020 will change this.
Various provisions of POPI came into effect in 2014, but the key operational provisions and obligations have been lying in abeyance for many years. From 1 July, those remaining provisions came into effect. Responsible parties (defined in POPI as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information) will be given a grace period of one year in which to comply with the relevant provisions of POPI. They will need to ensure compliance with eight stringent POPI conditions, including that processing must be lawful, reasonable and minimal, that it generally requires consent, and that the information must be complete and accurate.
The POPI condition on security of information may be of particular interest to boards of directors. Responsible parties are required to take steps to secure the integrity and confidentiality of personal information in their possession by taking measures to prevent:
- Loss of, damage to or unauthorised destruction of personal information; and
- Unlawful access to or processing of personal information.
They must identify reasonably foreseeable risks to personal information; implement safeguards to reduce the risks; and ensure that the safeguards are effective and continuously updated in response to new risks.
And here's the twist: if a breach occurs, there is no longer anywhere to hide. In the past, companies might have done some damage control and heaved a sigh of relief that the breach did not go public. But no more. This is because responsible parties will, after the 12-month grace period, be obliged to notify the Information Regulator and the data subject in writing as soon as reasonably possible. POPI does not prescribe what this period must be. It will vary on a case-by-case basis, as it is dependent on the measures responsible parties need to take to: (i) determine the scope of the compromise; (ii) restore the integrity of the information system; and (iii) provide law enforcement with sufficient time to fulfil its obligations.
Failure to notify is a breach of POPI and may result in the imposition of a fine not exceeding ZAR10 million on the responsible party, imprisonment not exceeding 10 years, or both. Damages may also be awarded against the responsible party, whether the breach was notified or not.
It is not, however, the threat of damages or even the possible fine that should galvanise companies and other organisations to ensure that they become POPI-compliant. First and foremost, POPI has been enacted to empower each person’s right to privacy. It puts flesh on what was otherwise a fairly bare bone of common law. Secondly, taking data protection seriously is not just a “nice to have”. It goes to the heart of whether your customers, employees and suppliers can trust you. The public outcry and flight of advertisers from Facebook after the Cambridge Analytica scandal underscores this point.
Thirdly, having worked with a number of companies over the years in this area, we know the reputational and patrimonial loss that a data breach can cause can be substantial, and potentially even catastrophic. The POPI clock is now ticking.