One of the major challenges from a legal standpoint at present, according to Fatima Ameer-Mia, Senior Associate within the Technology and Sourcing practice at Cliffe Dekker Hofmeyr, is that there is currently no legislation in force which compels a business to disclose such data breaches to its information security.
“Across the world, data is a very valuable resource and the commercialisation and monetisation of data is therefore big business. Businesses in South Africa, however, tend to have particularly poor information security practices in place, which puts them at greater risk to opportunistic cyber criminals. Until a regulatory framework is established which criminalises cybercrimes, providing the impetus for businesses to implement more robust information security measures and disclose any data breaches experienced, South Africa will continue to be a high risk country with regards to cyber and information security threats.”
Under the current South African law, Ameer-Mia says that legal recourse against cybercrime is fairly limited. “The only circumstance under which compensation may be payable is if an individual is able to prove monetary loss and causality and succeeds with a delictual claim*, whereby they claim for damages from the individual or organisation who caused the data breach. In this case, however, the claimant will have to go to court, which is usually a complicated and costly exercise.”
She says that this is expected to change when the Protection of Personal Information Act, 2013 ("POPI") comes into force. “The notification of data breaches in South Africa is governed by POPI, and while POPI has been promulgated, its substantive sections are not yet in effect.”
“Only once these substantive sections become legally binding, do we expect to see businesses change their approach to the protection of customer and employee data, as this will mean that an organisation which is involved in a data breach situation may be subject to an administrative fine, penalty or sanction,” Ameer-Mia explains.
“Furthermore, POPI will provide remedies and a complaint channel for those compromised by the unlawful processing of personal information,” she adds.
Ameer-Mia says that, as a starting point, to protect both themselves and their customers, companies need to safeguard the data collected and held by them, and be more transparent about instances where this data may be breached. “This starts with a risk assessment in terms of critically evaluating what data they hold, where they get it from, why they hold it, how they use it and who has access to such data.”
“Once this understanding has been established, businesses can then turn to the technical and organisational measures they currently have in place (or have to put in place) to safeguard such data against unlawful access.”
She concludes that hopefully, the recent data breach will provide the impetus for government to take positive action with regards to implementing the legislative and regulatory framework around data protection and cybersecurity. “In the long run, implementing a regulatory framework which protects citizens and allows for healthy economic development will benefit all parties – consumers, businesses and the government alike.”
*Note: A delictual claim is awarded when a person receives monetary compensation for losses suffered. For a delictual claim to succeed, the person making the claim (the claimant) or attorney must prove that:
- The action of the other individual or organisation was wrongful because it caused harm to the claimant or their property.
- The individual or organisation performing the action was negligent (was at fault) or acted intentionally.
- The claimant suffered loss which can be given a monetary value (such losses are called damages).
- The monetary loss (damages) was suffered as a result of the action of the negligent individual or organisation, i.e. the action of the negligent individual or organisation caused the monetary loss.