As cybercrime increasingly affects South Africans, a number of new regulations, locally and internationally, seek to protect citizens’ information.
Following the breach of financial services group Liberty Holdings [JSE:LBH] last week and a demand for a “ransom” for the sensitive information held by the insurer, Andrew Chester, managing director of Ukuvuma Cyber Security, said that this could be the first South African incident subject to the new European data laws, the General Data Protection Regulation (GDPR), which came into effect on May 25.
Liberty must conform to GDPR regulations because of its European stakeholders and the legislation requires companies to send out breach notifications to their clients, according to Chester.
The GDPR is a set of wide-ranging regulations regarding sensitive consumer data which aims to change the way information belonging to European citizens is used and stored.
South African companies will need to implement the GDPR, according to Protection of Personal Information Act (PoPIA) expert Dr Peter Tobin, who warned at a conference in SA earlier this week that any organisation that deals with the data of any European resident is impacted by it.
SA legislation not yet fully enacted
While the GDPR legislation is already in place in Europe, the local legislation, the PoPI Act, which has extensive powers to investigate and fine responsible parties, is yet to be fully enacted.
According to law firm Michalsons, the majority of the act will only commence at a later date, to be proclaimed by the president. As there is a one-year grace period, the PoPIA deadline might only be set for the end of 2019 or in 2020.
“It wasn't a matter whether their companies would be hacked, it’s a matter of when,” said Jocelyn Miley, Central Europe spokesperson for Blancco Technology, a data management company.
The Information Regulator requested information from Liberty about the breach on Monday, but chairperson Advocate Pansy Tlakula told parliamentarians in April that, despite having received 180 complaints since October 2016, the regulator has been unable to enforce and settle them as the body lacks regulatory powers.
Meanwhile, Liberty has remained mum on many of the details of the breach, citing a police investigation.
The company has urged clients to take “precautions” related to the protection of data, Liberty’s spokesperson Sydney Mbhele told Fin24 on Wednesday.
Mbhele said that in these situations people could try to take advantage, and that people should be aware that the company will never send emails to Liberty insurance policy holders asking them to change their passwords.
He added that it is good practice to select strong passwords for accounts and to change them regularly.
On Monday, Fin24 reported that Arthur Goldstuck, MD of World Wide Worx, advised Liberty clients their online banking details and any other systems which could have the same passwords as their Liberty accounts.