
E-mail is businesses' biggest nightmare

By Nicola Mawson, Contributor.
Johannesburg, 27 Jan 2014
The bulk of business communication is done via e-mail, which creates a risk under a pending privacy law.

E-mail, businesses' most used communication tool, will prove to be the biggest nightmare when it comes to complying with a pending privacy law because it has been overlooked as a risk factor.

The Protection of Personal Information (PPI) Act was recently signed into law by president Jacob Zuma. However, it has yet to come into effect and companies will only have between one and three years to comply with its requirements after a promulgation date is announced.

The law is SA's first consolidated piece of legislation detailing how individual and company information must be dealt with. It is also expected to cut down on spam, because it makes provision for an opt-in regime when it comes to electronic communication from companies.

Under the law, companies face a fine of up to R10 million - or a decade in jail - if they breach its provisions, and could also encounter civil class-action lawsuits. However, the most damaging penalty will be reputational damage, because organisations will have to inform people if their data has been breached.

Lack of awareness

Yet, many firms are unaware their biggest nightmare in securing information is their e-mail system, says Novation Consulting director Elizabeth de Stadler. She says most firms are more worried about security aspects, such as firewalls, so they can avoid being hacked.

Others are taking a wait-and-see approach when it comes to implementing the law, which is problematic as compliance cannot be done overnight, De Stadler adds.

The bulk of business communication is done through e-mail, adds De Stadler. While the potential privacy breaches are not an insurmountable problem, the privacy hole has been given scant regard by companies, she adds. "People are not aware at all."

There is a low level of awareness because the law is new and only companies that have dealings with other jurisdictions with similar privacy legislation will have implemented policies and practices, she explains.

Craig Freer, head of product at Vox Telecom, says although awareness of this problem is high at larger companies, it is not top-of-mind for small and medium enterprises. He notes e-mail is the biggest PPI weakness when it comes to communication. "It's almost impossible to legislate against stupidity and ignorance."

At risk

De Stadler says e-mail could easily fall into the wrong hands - even if sent legitimately - unless companies have implemented security measures and policies. "It's generally risky," she says of the situations she has encountered in practice.

Personal information, secured in a company's system, can be copied and taken off a secure drive to be sent to unauthorised people, notes De Stadler. "E-mail is an enormous problem."

Freer explains information takes two forms: at rest, which is data stored in a system; and in motion, when information is circulated through e-mail, fax or voice.

When information is at rest, access rights and audit trails can be implemented to protect it, says Freer. However, the problem is with data in motion, which accounts for the bulk of information, he adds.

Freer says "there is no reason why someone cannot use an e-mail to send out financials," noting it is a primary business communication tool. "It's not that difficult." He adds research shows 60% to 70% of all data leaks come from an internal human breach.

Information can be sent out illegitimately by a staff member, or by a third party who should have received the mail but then forwards it on, says Freer. He says the onus is on the company that stores the data to fix the leak and make sure they have confidentiality agreements in place.

Security needed

Entities do not think about what happens with an e-mail containing private information once it has left their system, says De Stadler. She notes the originating company will be found to be at fault unless it can show it took reasonable steps to prevent data leakage through e-mail.

Freer says e-mail can be encrypted, but this results in a loss of openness on the system and is a challenge companies are faced with. Unsecured mail is "leaky" and not archived, and there is no proof of where it was sent, he adds.

Organisations will inevitably find themselves investing in products, such as encryption tools, as well as policies, says De Stadler.

Freer adds Vox will shortly launch a tool that will attach an audit trail to e-mails, making it possible to track when the message has been sent, deleted, read or forwarded, for example. It will also allow rules to be set, such as those governing printing.
