Cape Town - Following the largest data breach of private citizens in South Africa’s history, which saw the personal data of over 30 million people leaked online, South Africans are increasingly at risk of falling victim to identity theft, fraud, and other forms of cybercrime.
One of the major challenges from a legal standpoint at present, according to Fatima Ameer-Mia, senior associate within the technology and sourcing practice at Cliffe Dekker Hofmeyr, is that there is currently no legislation in force which compels a business to disclose such data breaches to its information security.
“Across the world, data is a very valuable resource and the commercialisation and monetisation of data is therefore big business. Businesses in South Africa, however, tend to have particularly poor information security practices in place, which puts them at greater risk to opportunistic cyber criminals," says Ameer-Mia.
"Until a regulatory framework is established which criminalises cybercrimes, providing the impetus for businesses to implement more robust information security measures and disclose any data breaches experienced, SA will continue to be a high risk country with regards to cyber and information security threats.”
Under the current SA law, Ameer-Mia says legal recourse against cybercrime is fairly limited.
“The only circumstances under which compensation may be payable is if an individual is able to prove monetary loss and causality and succeeds with a delictual claim, whereby they claim for damages from the individual or organisation who caused the data breach. In this case, however, the claimant will have to go to court, which is usually a complicated and costly exercise.”
She says this is expected to change when the Protection of Personal Information Act (POPI) comes into force.
“The notification of data breaches in South Africa is governed by POPI, and while POPI has been promulgated, its substantive sections are not yet in effect."
“Only once these substantive sections become legally binding, do we expect to see businesses change their approach to the protection of customer and employee data, as this will mean that an organisation which is involved in a data breach situation may be subject to an administrative fine, penalty or sanction,” explains Ameer-Mia.
Furthermore, POPI will provide remedies and a complaint channel for those compromised by the unlawful processing of personal information.
Ameer-Mia says, as a starting point, to protect both themselves and their customers, companies need to safeguard the data collected and held by them, and be more transparent about instances where this data may be breached.
“This starts with a risk assessment in terms of critically evaluating what data they hold, where they get it from, why they hold it, how they use it and who has access to such data," she says.
“Once this understanding has been established, businesses can then turn to the technical and organisational measures they currently have in place (or have to put in place) to safeguard such data against unlawful access.”
She concludes that hopefully, the recent data breach will provide the impetus for government to take positive action with regards to implementing the legislative and regulatory framework around data protection and cybersecurity.
“In the long run, implementing a regulatory framework which protects citizens and allows for healthy economic development will benefit all parties – consumers, businesses and the government alike.”
SUBSCRIBE FOR FREE UPDATE: Get Fin24's top morning business news and opinions in your inbox.