Cyber-crime is usually seen as a developed-country problem, but we have seen it become a global struggle.
From a cyber-crime perspective, South Africa faces the same challenges as those experienced by the more advanced economies. In fact, according to global cyber reports, fast-developing malware and security breaches are costing South Africa over ZAR5.8 billion each year. Cyberspace is changing how we interact and do business, and South African companies are fast becoming a prime target for cyber criminals. However, the Protection of Personal Information Act (POPI) will change the way South Africans protect, handle and store data and personal information.
The Act is comprehensive and regulates the manner in which personal information may be processed. POPI will significantly impact the manner in which organisations collect, store, process and disseminate information to and from clients, employees and customers. The legislation will promote the protection of personal information processed by public and private bodies; it aims to introduce certain information protection principles to establish minimum requirements for the processing of personal information. In the financial sector, POPI will empower individuals to ensure their details are not randomly shared, sold or distributed without their explicit consent. Companies will be given a one-year grace period to manage risk and comply with the POPI requirements; failure to comply once the grace period ends will attract penalties. These penalties could include 12 months to ten years’ imprisonment, fines up to ZAR10 million and civil remedies. The consequences of non-compliance with the legislation are thus severe, but the most devastating would be the damage to the reputation of the company or institution.
Lawsuits cannot always be avoided, as no individual or private/public body is immune to litigation. Every company has to have security measures in place to safeguard its customers' personal information and should also ensure it is adequately insured to cover the exorbitant costs, should it be faced with a cyber-lawsuit. South African businesses are significantly unprepared for cyber breaches and have not considered the financial and legal implications that would flow from such a breach. It should be mandatory for businesses in South Africa to consider cyber liability insurance cover for both third-party and first-party cyber exposures and risks. This cover should also include data recovery, loss of business income, and security and privacy liability, among others. Cyber security and privacy are no longer the preserve of the IT department and should be dealt with at board level across all companies.
The emergence of class action lawsuits in South Africa has certainly created a greater need for companies to be aware of the financial implications of a multiparty lawsuit in the event of a data breach. Companies can no longer afford to be negligent in maintaining their cyber security. Failure to implement and maintain reasonable security procedures could result in a data breach that would affect hundreds of employees and customers/clients, resulting in a class action lawsuit for millions of rands. Companies would need to show that they implemented all the necessary safety measures and adequately managed the risks that could result in a data breach.
Companies should take the necessary precautions to minimise the likelihood of a data breach and reduce potential liability by implementing good practices, ranging from employee training to advanced IT systems. Sophisticated cyber-attacks are not the only cause of data breaches; a breach can sometimes stem from basic employee negligence, such as the loss of a laptop or paper records containing sensitive information. Such negligence, which can be easily avoided, could cost a company millions of rands in damages. Companies would need to conduct periodic training sessions to ensure that all employees understand and comply with the company’s information security policies as well as POPI.