South Africa has seen a massive spike in cyber-attacks in recent years, with a 22% increase in the first quarter of 2019 alone according to Kaspersky Lab, a global security company. The 2018 Allianz Risk Barometer report has rated cyber-related incidents, including data breaches, as the number one risk to South African businesses.
In South Africa, apart from industry-specific requirements imposed on certain companies (e.g. PCI compliance), there are two pieces of legislation that deal specifically with data protection and cybersecurity:
- the Protection of Personal Information Act 4 of 2013 ("POPI"), which is expected to come into force before the end of 2019 (certain provisions relating to the establishment of the Information Regulator ("Regulator") and the making of Regulations under POPI have, however, come into force on 11 April 2014). The Regulator was appointed on 1 December 2016 and the final Regulations were published on 14 December 2018; and
- the Cybercrimes Bill, 2018 ("Cyber Bill") which creates several offences, including hacking and the unlawful interception of data.
In addition, bodies such as the South African Reserve Bank ("SARB") have imposed strict requirements to notify the SARB in the event of material information technology and cyber incidents. See our previous article in this regard.
Non-compliance with POPI by the Information Officer (who, as a general rule, is automatically the head of an organisation) may, upon conviction of certain offences created under POPI and PAIA, lead to imprisonment, a fine, or both. The duties of information officers (set out in section 55(1) of POPI and regulation 4 of the POPI Regulations) include ensuring that a compliance framework is developed, implemented, monitored and maintained, and that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information (including security safeguards). POPI also imposes a mandatory requirement on responsible parties to notify the Information Regulator of security compromises. Although POPI is not yet fully in force and effect, the office of the Information Regulator is proactively monitoring companies that have experienced security compromises, and is currently receptive to responsible parties voluntarily reporting security compromises to the Information Regulator.
It should also be noted that the General Data Protection Regulation ("GDPR") (which replaced the EU Directive in May 2018), in certain instances, directly applies to South African companies. The GDPR places onerous requirements on "controllers" and "processors", including that personal data must be processed in a manner that ensures appropriate security of such data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Fines for non-compliance with the GDPR range from EUR20-million to 4% of worldwide turnover.
Data breaches have a significant impact on business, in addition to the legal implications for businesses. According to IBM's 2019 Cost of a Data Breach Report, in which 21 South African companies participated, costs arising out of data breaches rose by over 12% (to an average total cost of R43.3-million). The report also found that the mean time to contain a data breach increased from 40 to 56 days. Apart from the direct costs of a data breach, the indirect costs of dealing with it can be astronomical. A good example of this is the Equifax case, where the costs of dealing with a major data breach exceeded USD2-billion.
In the face of a cyber-attack, an Incident Response Plan is vital for any business: it allows the business to proactively anticipate and mitigate legal exposure, to reduce the cost of a data breach, and to reduce the time taken to contain it.
A strong Incident Response Plan must consider a wide range of issues particular to each business, including:
- allocation and designation of roles and responsibilities within the business in response to a data breach;
- categorisation of incidents according to the personal information and data exposed and the number of data subjects affected;
- mitigation of the effects of a security compromise;
- communication with data subjects and other affected persons;
- reporting obligations to bodies such as the SARB and the Information Regulator's office; and
- provision for regular testing of the plan on a "fire drill" basis.
Don't forget about cyber insurance: any incident response plan must include a summary of the relevant insurance cover, as well as the notification requirements of the cyber insurer. This is because any cyber insurance policy will require timely notice of the data breach or cyber-attack, and may require the consent of the insurer before any outside vendors are engaged by a company faced with a cyber-event. Timely notice is essential, as expenses incurred prior to notice may not be covered. General counsel or outside counsel should promptly report the incident to the insurance carrier.