Cyber-espionage is on the rise, with increasing amounts of state secrets and intellectual property being stolen by hackers. Cyber-criminals are phishing banking details and are able to empty bank accounts. As a result of these cyber-security breaches, personal information can be intercepted and shared without consent.
The recent cyber security breach affecting the United States Federal Government in early June 2015 is just one example of the global phenomenon showcasing the threat to the privacy of personal information. The breach was disclosed just one day after Edward Snowden revealed that the National Security Agency was monitoring American citizens' international internet traffic in an attempt to identify and prevent hacking from anyone outside of the United States. The compromised database contained personal information of thousands of employees held by the Office of Personnel Management, including their identity numbers, names, addresses, telephone numbers, biometric information, gender and religion.
With technological advances and an increase in highly skilled, sophisticated cyber-criminals, it is proving exceptionally difficult to protect information, even information which is regarded as highly confidential. IT specialists constantly have to raise their level of security and adapt their modus operandi to protect information from hackers. Their primary focus is on access control management, tracking and auditing, anonymity, encryption, separation of data, and data reconstruction and destruction policies, with IT security remaining a moving target.
From a South African perspective, the Protection of Personal Information Act imposes obligations on organisations to protect personal information, including by implementing appropriate, reasonable technical and organisational safeguards to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information. Responsible parties under the Act are obliged to take measures to identify all reasonable foreseeable risks, establish, maintain and regularly verify safeguards against such risks and update such safeguards to account for new risks identified. Although the Act does not impose specific measures to be taken, it does oblige responsible parties to have due regard for generally accepted information security practices and procedures. Certain provisions of the Act have commenced but the Act is not yet fully in force and the commencement date (which will be by way of proclamation by the President) is awaited. The Act does at least provide a framework to ensure the protection of personal information but parties will need to implement the means with which to prevent data breaches.
In an article entitled "The massive federal breach: why Infosec will never be enough" (https://privacyassociation.org/news/a/the-massive-federal-breach-why-great-infosec-will-never-be-enough/), Trevor Hughes acknowledges that IT departments in government or business are able to institute controls to prevent hacking or breaches of databases. He recognises, however, that the role of IT departments falls in the realm of breach prevention, and that advances in technology now require more than protective software. Privacy and IT professionals need to work together to inventory the data, making sure that all the personal information held on their databases is useful or necessary. They should then ensure that the data is stored in a format that would be useless to hackers in the event that they do breach the databases. Companies and organisations need to put data policies in place that ensure that risks are mitigated, including by stipulating the period for which records must be retained and a list of persons who may have access to the data. Data protection does not happen in a vacuum, and therefore all employees dealing with personal information within a company, organisation or state department must undergo data protection training.
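The controls described above (inventory the data, drop fields with no documented purpose, render the retained identifiers useless without a key, enforce a retention period and an access list) can be expressed in code. The following is an added example written for this page; it is not from the article, from Hughes's piece, or from any named product. The dataset name, field names, roles, dates and sample record are constructed assumptions, and keyed hashing with HMAC-SHA256 is used here as one pseudonymisation technique, not as a technique the article prescribes.

```python
"""Added example (constructed for this page, not from the article).

Models one entry of a personal-information inventory and applies the
controls a data policy would require before a record is stored:
  1. minimise   - keep only fields with a documented purpose
  2. pseudonymise - replace direct identifiers with a keyed hash so a
                    stolen table cannot be re-linked without the key
  3. retention  - tell whether a record is past its retention period
  4. access     - check a role against the entry's authorised roles
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class InventoryEntry:
    dataset: str
    fields: dict[str, str]        # field name -> documented purpose ("" = none)
    retention_days: int
    authorised_roles: frozenset[str]
    collected_on: date


# Constructed sample inventory entry (assumed dataset, fields, roles, date).
SAMPLE_ENTRY = InventoryEntry(
    dataset="hr_personnel",
    fields={
        "employee_id": "payroll",
        "name": "payroll",
        "address": "payslip delivery",
        "religion": "",               # collected, but no documented purpose
    },
    retention_days=365,
    authorised_roles=frozenset({"hr_admin", "payroll"}),
    collected_on=date(2015, 1, 15),
)

# Constructed sample record; values are placeholders, not real data.
SAMPLE_RECORD = {
    "employee_id": "E-1001",
    "name": "A. Person",
    "address": "1 Example Street",
    "religion": "not stated",
}

DIRECT_IDENTIFIERS = frozenset({"employee_id", "name"})


def fields_without_purpose(entry: InventoryEntry) -> list[str]:
    """Fields the inventory lists but cannot justify; candidates for deletion."""
    return [name for name, purpose in entry.fields.items() if not purpose.strip()]


def minimise(record: dict, entry: InventoryEntry) -> dict:
    """Keep only the fields that have a documented purpose in the inventory."""
    keep = {name for name, purpose in entry.fields.items() if purpose.strip()}
    return {k: v for k, v in record.items() if k in keep}


def pseudonymise(record: dict, key: bytes, identifiers: Iterable[str]) -> dict:
    """Replace direct identifiers with HMAC-SHA256(key, value) hex digests.

    Deterministic, so records can still be joined on the pseudonym, but
    the original value cannot be recovered from the digest without the key.
    """
    ids = set(identifiers)
    out = {}
    for k, v in record.items():
        if k in ids:
            out[k] = hmac.new(key, str(v).encode("utf-8"), hashlib.sha256).hexdigest()
        else:
            out[k] = v
    return out


def prepare_for_storage(record: dict, entry: InventoryEntry, key: bytes) -> dict:
    """Minimise first, then pseudonymise what remains."""
    return pseudonymise(minimise(record, entry), key, DIRECT_IDENTIFIERS)


def is_expired(entry: InventoryEntry, today: date) -> bool:
    """True once the retention period counted from collection has passed."""
    return today > entry.collected_on + timedelta(days=entry.retention_days)


def may_access(entry: InventoryEntry, role: str) -> bool:
    """Only roles on the inventory's access list may read the dataset."""
    return role in entry.authorised_roles


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    print("fields without purpose:", fields_without_purpose(SAMPLE_ENTRY))
    print("stored form:", prepare_for_storage(SAMPLE_RECORD, SAMPLE_ENTRY, demo_key))
    print("expired on 2016-01-16:", is_expired(SAMPLE_ENTRY, date(2016, 1, 16)))
    print("intern may access:", may_access(SAMPLE_ENTRY, "intern"))
```

The key used for pseudonymisation must be stored separately from the data (for example in a key-management service), otherwise a breach of the database yields both the digests and the means to recompute them; the retention check is meant to drive a scheduled deletion job rather than to be consulted only on read.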
Accordingly, in a world which turns on data and online transacting, a significant degree of vigilance is required to mitigate the risk of a breach occurring and the extent of the damage which may flow therefrom. South African companies are urged to familiarise themselves with the provisions of the Protection of Personal Information Act, to implement appropriate measures to meet the requirements imposed by the Act, and to ensure that data breach risks are mitigated.