As the last Futures Law Faculty Masterclass for 2020, the Ethical Hacker meets Cyber Security Expert, hosted on 24 October 2019 at the very sophisticated Inner City Ideas Cartel Auditorium, did not disappoint.
The audience was wowed by Marcus Weinberger, a typical 16-year-old teenager, who warned of the types of hacking tools available and how easily they can be obtained. He demonstrated the ease of hacking into a computer system not only by relating his personal conquests and how he achieved same, but also by performing a live demonstration on stage, taking the audience through each stage of the hack and confirming how dangerous public WiFi is and how blindly we tend to trust same to our own detriment.
Marcus confirms that there are thousands, if not hundreds of thousands, of hackers out there, with most hackers pursuing financial gain and ultimately looking to take advantage of and steal from people. The most vulnerable asset is information, as collected, stored and processed by companies. As Marcus explains, “[W]hoever has the information has access to everything”.
This is precisely what makes law firms such a susceptible target. What better place to access private information than a law firm, which in terms of the Financial Intelligence Centre Act 38 of 2001 is an accountable institution obliged to keep accurate records of a client's identity and personal details whenever establishing a business relationship or concluding a transaction with the client, such as when providing legal advice and/or services?
Marcus confirms that “[h]ackers target law firms because, rather than go after a single business with just its information, they may as well go after their lawyers who hold information on them and hundreds or thousands of others as well”. Law firms are a lucrative target to say the least.
Marcus’s claims of the relative ease with which firms can be hacked were confirmed by Cobus Jooste, Mercantile law lecturer at the University of Stellenbosch and fellow of the Anton Mostert Intellectual Property Chair.
Cobus Jooste pointed out that the statistics on the frequency of cyber attacks were, more often than not, inflated and sensationalised. He warned, however, that although cyber attacks and breaches were not as frequent as reported, they remained a serious risk for which few companies have catered.
Cobus Jooste referred to the recent “Global Risks Report” by the World Economic Forum, in terms of which cyber security and data theft, cyber attacks and information loss were listed as real risks and concerns. The report further emphasised that cyber security risks and threats were ranked higher as a global threat than adverse weather conditions, the impact of climate change and sustainable development. The report clearly serves as the wake-up call lawyers and business professionals have been waiting for, calling for investment and spending on cyber security measures.
Cobus Jooste summarized the various pieces of cyber security legislation relevant and related to cyber attacks and breaches in a swift, witty manner, confirming that it was not possible to list all statutes and regulations relating to cyber security, but that if there was one thing audience members should take away, it is the definition of “processing” as provided in the Protection of Personal Information Act. The definition of “Data Processing” is as wide as the imagination can stretch, with Data Processing including anything from collecting data, receiving it, storing it, sending it to others, merging it with other data and linking it, to erasing, destroying and/or deleting it, to mention but a few. The point of the matter, as emphasised by Cobus Jooste, is that where a company is involved in any of the activities that fall under the ever-wide definition of Data Processing, there are certain legal obligations with which it has to comply and certain protections that must be taken against cyber security attacks and breaches to ensure protection of data. Cobus Jooste warned of a small override that one should also take note of: even where the company itself is not engaging in any of the activities that are deemed to be included in Data Processing, the company remains responsible where it outsources the activities to another company to perform. Thus, by outsourcing the data processing work one is not less liable; one only serves to increase the extent to which other people are also liable for a data breach or information loss.
Appropriate security measures must be incorporated; however, what constitutes appropriate measures remains undefined and open. Cobus Jooste confirms, however, that what can be discerned from the legislation and definitions provided is that the appropriate measures must protect the personal identity of the person to whom the data relates as well as the identity of the data itself, such as what data it is, where it is derived from and where it is stored. The protection measures must manage and mitigate loss and should provide for some form of a code of conduct, with levels of confidentiality being more than the average non-disclosure agreement. Lastly, minimum encryption standards, access control measures, some form of malware protection against malicious attacks and regular updates should also be provided for in the measures implemented.
Cobus completed his Masterclass by emphasising that knowledge of the cyber security laws and regulations out there allows for better communication between yourself, your legal counsel and your IT consultants. Cobus Jooste warned of the one-stop shop, a single entity that can solve all of your ITC security risk concerns, comparing same to the law firm that can advise on everything from your divorce to your debt matters to cyber security and intellectual property measures. One should rather seek diversity in so far as your counsel and consultants go: the more diverse the consultation the better, allowing one to ask more, get more options and not just settle on one provider, but engage with many.
If the potential wins or losses of cyber security, AI and the like in tomorrow’s future world of Law interest you, see the Futures Law Faculty website at www.futureslawfaculty.co.za or alternatively send an email to info@futureslawfaculty.co.za.
Author
Kristi Erasmus
Head of Futures Law Faculty
info@futureslawfaculty.co.za / kristi@ilpdr.co.za