What does the law have to say about data leaks?

Recently, South Africans woke up to the fact that two out of three of them had had their personal data leaked online. 

According to experts, this occurred because of woefully inadequate security measures.

According to news reports, 30m data sets relating to unique South African identity numbers have been freely available online since at least March 2017.

The data sets are said to include email addresses, phone numbers, identity numbers, employment history, company directorships, income data and property ownership records dating back to the 1990s.

Experts have insisted that accessing the database did not require any hacking.

It was Australian IT security expert Troy Hunt who brought the leak to the media’s attention. A concerned citizen had shared the leak with him in March.

Hunt stated that these data sets are exactly the kind criminals would need to perpetrate identity theft and that he was shocked at the scale of the leak.

The leak is a significant breach and it has been recommended that South African consumers be vigilant about any strange or irregular activity regarding credit applications or their bank accounts. 

The company that is allegedly responsible for the lax security is a Pretoria-based real estate franchise holding company named Jigsaw Holdings. The company houses subsidiaries like Realty1, ERA and AÏDA.

Experts allege that the data sets were originally sourced from a credit bureau. The database is said to have been hosted as a service for real estate companies. And the website on which the data was hosted is said to have had virtually no security measures.

However, the lack of security is not the only talking point. Some critics have also started to ask other questions. Is it, for example, appropriate for a real estate company to have had all this data in the first place?

South Africans will also likely be angered to find out that there is really no consequence for the guilty party in this data leak. 

South Africa has a law that is designed to protect South Africans in cases like this.

It is called the Protection of Personal Information Act (PoPI Act), however, it is not in full effect yet. President Jacob Zuma has signed it into law, but it has not been fully implemented.

It is expected that the PoPI Act will be fully implemented in the first half of next year. 

As part of the act, the Information Regulator was set up in December 2016 and Advocate Pansy Tlakula was appointed as the chairperson. Consumers can now turn to the regulator to report misuse of their data.

The regulator, which reports to Parliament, has extensive powers to investigate and fine guilty parties and will regulate both the PoPI Act and the Promotion of Access to Information Act (PAIA).

Under this law, companies can be fined up to R10m or its directors could face jail terms for a leak of the nature of this recent example.

Under PoPI, the on-selling of data sets without the consumer’s consent will be outlawed, as will enriching of data sets without consent.

Enriching of data is important for marketers, as the data’s use decays rapidly as it becomes out of date. Constantly updating the data is therefore ideal.

Hopefully a leak of this scale, one that has dominated headlines for days, will drive home to South Africans just what is at risk when you willingly hand over your data to companies.

It hopefully will also inspire a drive to hold companies that collect data and profit off data to account, as – let’s be honest – often many of us are forced to hand over our data to access a service. It’s done reluctantly, even if we technically consent.

The nature of human behaviour is that all too often people ignore risks and dangers until they have personally been affected. This shock of the experience as a victim provides the motivation to take action.

So the question really is: Will South Africans wait until the groundswell of identity-theft victims reaches a deafening cacophony?

Or will this leak push us to start rethinking the relationship between ourselves, our data and the companies out there trying to sell us stuff?

Just think about what your bank account or your credit record could tell a stranger about you.

The probability is almost 100% that there are companies that know more about your day-to-day life than some of your friends and family.

Should accessing simple services require this level of intimacy?

This article originally appeared in the 16 November edition of finweek. Buy and download the magazine here.

Brent Crude
All Share
Top 40
Financial 15
Industrial 25
Resource 10
All JSE data delayed by at least 15 minutes morningstar logo
Company Snapshot
Voting Booth
Do you think it was a good idea for the government to approach the IMF for a $4.3 billion loan to fight Covid-19?
Please select an option Oops! Something went wrong, please try again later.
Yes. We need the money.
11% - 1351 votes
It depends on how the funds are used.
73% - 8799 votes
No. We should have gotten the loan elsewhere.
16% - 1941 votes