If the discussion around data security wasn’t pertinent enough, the data breach, or hack, against the digital infrastructure of the City of Johannesburg (CoJ) on 28 October 2019 has undoubtedly brought the discussion to the fore. A group of hackers gained access to the city’s online client-facing platform and demanded four Bitcoin, failing which they would release all the private data to which they had access. South African law as it relates to data security and Cyber Law has been woefully inadequate for the longest time.
The legal framework, which consists of the Electronic Communications and Transactions Act (ECT) and parts of the Common Law, has been bolstered with the very recent finalisation of the Protection of Personal Information Act (PoPI) in December 2018 as well as much-needed amendments to the ECT. A new version of the Cyber Crimes Bill, passed by the National Assembly in November 2018, provides a more robust set of measures than the original 2015 Bill but is yet to be enacted.
While we wait for the legislative framework to catch up, the first quarter of 2019 saw a 22% increase in cyber-attacks and, according to AON’s 2019 Global Risk Management Survey, Cyber Attacks and Data Breaches are seen as the eighth most significant risk, which is projected to move up to third position in the next few years. Experts tout the rise in cyber-attacks as a natural symptom of economic growth and an increase in digital connectivity.
Off the back of the most recent attack against the CoJ, it is crucial that we understand our rights and duties under the current framework and how this will be affected in the future with the advent of a more rigorous legislative framework.
The Existing Framework
The discussion around Cyber Law begins and ends with the protection of people’s right to privacy. The ECT aims to protect this right by providing for a set of principles which govern the protection of personal information. Although adherence to these principles is not compulsory, the legislature had initially intended to amend the ECT to make adherence compulsory. The principles, in effect, suggested that personal information should be obtained with informed consent. Work on the Amendment Bill has slowed down, and the legislature will most likely use PoPI as the vehicle to drive protection of data privacy. Once PoPI is enacted, its provisions will replace this aspect of the ECT with a far more rigorous regime.
How These Rights are Protected and Enforced
For now, the ECT bares some teeth in the form of criminal sanctions against the unauthorised access to, interception of or interference with data. Cyber-related extortion, fraud and forgery are also listed as criminal offences, along with a wide array of activities which would allow the state to pursue criminal prosecution. Importantly, the ECT also criminalises so-called denial-of-service attacks, which for the CoJ and its users is a welcome addition, as the city was forced to shut its systems down to prevent the ‘Hackers’ from causing any further harm.
In this most recent attack against the CoJ, the hackers held the city to ransom, which, in terms of the ECT, is defined as extortion. If these hackers face trial and are found guilty, they may have to pay a fine or face imprisonment for up to five years.
The concern, however, is the limited legislative scope for victims of the crime to seek compensation for any harm or loss suffered as a result of the data breach. Claims against institutions holding persons’ private information are based on a combination of the Constitution and the Common Law view of privacy. If the data breach is a result of negligence or a lack of adequate security in place to guard against breaches in security, then each victim could potentially have some form of claim against the allegedly negligent institution. Fortunately, most institutions hold some type of third-party insurance, which should then compensate innocent parties for loss suffered.
The hope is that once the legislative framework is in force with PoPI and the Cyber Crimes Bill, institutions will have to work hard towards taking positive steps to ensure that the information they hold is being held safe. Institutions are liable to face significant penalties if their systems are found wanting, but whether the watchdog institutions will have the muscle to strictly enforce the terms of these new pieces of legislation is not yet clear. Indeed, the new PoPI regulations do not seem to present any new rigorous challenges to most companies’ existing framework.
Reenen Lombard, SchoemanLaw Inc, www.schoemanlaw.co.za