Data security matters if you want to sleep soundly at night

Rushda Khan and Jashmine Desai | Compliance Division

South Africa has experienced an alarming number of security compromises or data breaches in recent years. The South African Information Regulator (the Regulator) has received more than 330 reports/complaints since July 2021 against various companies. These complaints have been lodged by data subjects whose personal information has been compromised.

The increased wave of security compromises recently experienced in South Africa has propelled the Regulator to launch a unit within its office known as the Security Compromise Unit.

The Security Compromise Unit

One of the primary functions of the Regulator is to oversee and monitor compliance with information protection legislation by private and public sector companies to prevent, among other incidents, data breaches.

Therefore, in the event of a security compromise or in an instance where the Regulator believes that certain processing has not complied with any conditions for the lawful processing of personal information, the Regulator has the authority to conduct its own assessment/investigation. Some of the more widely known own-initiative assessments conducted by the Regulator to date include the  WhatsApp, TransUnion and the Department of Justice and Constitutional Development data breaches.

The Security Compromise Unit will conduct comprehensive investigations and/or assessments into security compromises experienced and furnish reports inclusive of findings and recommendations against companies entrusted to safeguard the personal information of consumers. These reports are issued in terms of the Protection of Personal Information Act (POPIA).

Consequences of non-compliance with POPIA

South Africa’s data privacy legislation, POPIA, sets out strict requirements for companies to abide by in order to ensure that the personal information of all data subjects is adequately protected.  Many organisations have implemented various measures in order to comply with the Act and avoid fines, criminal prosecution and potential reputational risk. Infringement of POPI may have significant and lasting consequences for a business.

POPIA makes provision for fines of up to R10 million and imprisonment of up to 10 years, depending on the seriousness of the offence. The Regulator has yet to issue any such fine since the enforcement of POPIA. The Chair of the Regulator, Pansy Tlakula, has expressed that the Office prefers to engage with the errant companies and allow them to remedy a data breach before imposing fines.

The Regulator’s Security Compromise Unit will concentrate on those companies who have weak control systems which fail to protect consumer’s sensitive information or fail to take corrective action once a data breach has occurred.

Regulator’s Approach

The Regulator has taken a patient stance in issuing fines till now.  However, they are now in the stage of conducting investigations and assessments with the establishment of the Security Compromise Unit and this may lead down the route of the issuing of fines.

Companies are able to submit an appeal against the Regulator’s sanctions and/or enforcement notices by approaching the high court to set aside or vary the notice.

South African organisations who have fallen prey to data breaches and data leaks.

Credit bureau TransUnion’s data compromise became the second biggest data breach in South Africa. The Brazilian hacker group N4aughtysecTU claimed to have stolen 4TB of data from TransUnion made up of the personal records of 54 million South Africans and South African Businesses.

In August 2020 a consumer, business and credit information services agency, Experian, experienced a data breach that exposed the personal information of 24 million South Africans and 793 749 business entities.

In September 2021, South African banks such as, First National Bank, Absa, Standard Bank and African Bank, acknowledged that some of their customers’ information was compromised by the cyber-attack on debt recovery solutions provider Debt-IN Consultants.

Last December, property firm Lightstone and Standard Bank confirmed they had suffered a data breach, exposing personal data of property owners. It was stated that this data was acquired through the LookSee online platform.

More recently, Dis-Chem pharmacy and retailer Shoprite suffered a data compromise exposing the personal details of millions of consumers.

Conclusion

In light of all the security compromises that have occurred, it is imperative that organisations responsible for the protection of personal information take every reasonable precaution to ensure that the risk of data breaches and security compromises is minimised as far as possible.  Organisations must also take heed of their obligation to notify the Regulator and the affected data subjects of a data breach as soon as possible after the incident.  Companies that are found to be non-compliant with POPIA may find themselves facing grave consequences that can have far-reaching impact on the directors as well.