According to the Gemalto Breach Level Index, released in March 2017, South Africa experienced nine reported security breaches in 2016. Across Africa, 45.2 million records were stolen in 2016, compared with 38.5 million in 2015. Africa had 17 data breaches in total, compared with six in 2015.
It was not the rise in security breaches that caused the most alarm, however. Gemalto noted in the survey that the delay in disclosing or identifying security breaches was the most concerning factor. In March 2017 Ster-Kinekor in South Africa announced that its website had been hacked a year prior, in 2016 exposing personal information in over 6-million accounts.
Legislation around data protection and privacy in South Africa is currently awaiting implementation. The Protection of Personal Information Act, 2013 (POPIA) was enacted in 2013. Once implemented, it is expected to change the way businesses approach the protection of customer and employee data and how they will have to report on data security breaches. POPIA seeks to bring South Africa in line with international data protection laws by regulating the processing of the information of natural and juristic persons and placing more onerous obligations on “responsible parties” that process such information. However, only certain sections of the Act have commenced. These sections relate specifically to the establishment of the Information Regulator, who was appointed in December 2016.
The enactment of the Act itself, largely based on similar EU data protection legislation, is the most significant development in the South African privacy landscape. The timeline for the commencement of the entire Act is, however, still unclear. Given the limited transitional period of one year provided for compliance, coupled with potentially severe penalties, businesses in South Africa have already commenced implementing initiatives to comply with the prescriptive principles under the Act.
The notification of security compromises is governed by POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party will have to notify the Information Regulator, as well as the data subject, unless that person’s identify cannot be established.
The notification will have to be made as soon as reasonably possible after the discovery of the compromise, considering the needs of law enforcement or any measures necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines it will impede a criminal investigation.
The notification must be in writing and must be communicated either via email or posted to the data subject’s last known address. The notification could also be placed in a prominent position on the website of the responsible party, published in the media; or as directed by the Information Regulator.
The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. This includes providing a description of the possible consequences of the data breach and how they will affect the data subject. It should also include a description of the measures taken by the responsible party intends to address the security breach, as well as a recommendation on what measures the data subject should take to mitigate the possible adverse effects of the breach. If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information must also be divulged to the data subject.
In addition, the Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the she has reasonable grounds to believe that such publicity would protect a data subject affected by the compromise.
An organisation that is involved in a data breach situation may also be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions.
In addition, the revised Cybercrimes and Cybersecurity Bill, which was tabled in the South African National Assembly in February 2017 notes the further obligations of electronic communications service providers and financial institutions when they become aware that their computer systems have involved in a cyber security breach as defined by the Bill. They must, according to the Bill, report such offences to the South African Police Service and preserve any information which may be of assistance in the investigation. Non-compliance with the clause is a criminal offence.
Whether or not compulsory reporting of this nature is a good thing is certainly up for debate. One thing is certain however, in a world where security breaches are a matter of when, not if, the treatment and security of personal information ought to be a matter of top priority for all institutions.
Bernstein and his team recently contributed the South African chapter of the Baker McKenzie Global Privacy Handbook 2017 which outlines privacy and information protection legislation in 58 jurisdictions around the world. More information on the protection of personal information and the processes involved can be found in this guide.
Darryl Bernstein, partner in Baker McKenzie's Disputes and ITC Practice Groups in Johannesburg