DATA SECURITY AND BREACHES: THE GRACE PERIOD IS OVER

The regulator will pursue directors if they are found to be negligent in safeguarding clients’ personal data.

Security breaches are becoming more commonplace than ever before. Hackers target large and small corporations alike; the intent is to gain access to data relating to the business or, specifically, to its clients.

Globally, different laws govern such breaches and the responsibilities of the company that has suffered one. The general consensus is that the company has to disclose the breach and must take reasonable steps to prevent any subsequent breach from taking place.

In South Africa, we have POPIA (the Protection of Personal Information Act), which essentially safeguards personal information from being distributed, sold or accessed by third parties, or otherwise unlawfully accessed. In the event of a breach, the Act states that the affected party must be contacted immediately and the breach must be reported to the regulator. The company must also establish the scope of the breach, and the ramifications it may have for the affected party, as quickly as possible. The regulator may instruct the company to publicise the breach, especially if it affects a large number of individuals or businesses and the regulator believes that publication will protect the affected parties.

POPIA initially came into effect in 2013, and the regulator was established in 2016. From 2016 until 30 June 2021 there was a grace period for companies to become compliant and put measures in place to protect their clients. That grace period has expired, and the regulator has confirmed that it will now impose penalties on companies and company directors whose weak security allows sensitive information to be accessed by unauthorised individuals. The proposed fines are up to R10M, and directors may face imprisonment of up to 10 years.

Thus, the onus is on the company and its directors to ensure that they have adequate security in place to protect consumers and, should a breach occur, that they have taken steps to bolster their systems to prevent further breaches.

There has been a spate of suspected or actual data breaches involving large financial houses or corporate concerns, namely Liberty, Standard Bank, ABSA, Dis-Chem, Shoprite and consumer credit bureaus such as Experian and TransUnion; many others have been breached but have received less media coverage. In several cases the personal contact information of the client or consumer was exposed, such as email addresses and cell phone numbers; in others, the breach was more comprehensive.

To date no fines or penalties have been handed down. The regulator is understanding of companies that come forward to report a breach and take steps to bolster their online security; conversely, it takes a dim view of those that try to hide a breach or make no effort to prevent future compromises.

The regulator is not a well-funded branch of government, nor does it have limitless resources, so progress has not been as swift as it would have liked. A few penalties will certainly ensure that those in possession of our personal data safeguard it and take all reasonable measures to avoid a breach.