A cyber-attack is any deliberate and destructive act, or attempt, by an individual or organisation to gain unauthorised access to the information system of another individual or organisation. The intention of such attacks is to "...disable, disrupt, destroy or control computer systems or to alter, block, delete, manipulate or steal the data held within the attacked network system."

The most common forms of cyberattacks are:

  • Malware: Malicious software is introduced into a network, usually when a user clicks a dangerous link or opens an email attachment that installs it. Once installed it can block access to key components of the network, install further malicious software, or disrupt components so that the affected system is compromised and no longer functions. The main types of malware are viruses, Trojans, worms, ransomware and spyware.
  • Phishing: Fraudulent communications, mostly emails, that appear to come from a reputable source. The objective is to steal private and sensitive data from the victim, such as banking PINs and login credentials. This is the most common form of cyber-attack.
  • Man-in-the-middle attack (MitM): Also known as an eavesdropping attack. The attacker inserts themselves into a two-party transaction and then steals the private information and data passing between the parties. It is most often carried out over unsecured public Wi-Fi, where the attacker places themselves between the visitor's device and the network, so that the visitor unknowingly passes all of their traffic through the attacker.
  • Zero-day exploit: An attack that targets a newly discovered vulnerability for which no fix is yet available, either because the vendor has not yet released a patch or because the patch has not yet been applied. Attackers exploit the vulnerability during this window between disclosure and remediation.
  • Password attack: An attack that targets a user's password or passwords. Once the attacker obtains them, they gain entry to the user's confidential data and network systems, including the ability to manipulate and control the compromised data or systems.

If Personal Information is leaked, it is reportable to the Information Regulator

The Information Regulator of South Africa is the body empowered to monitor and enforce compliance with the Protection of Personal Information Act ("POPI Act").

The POPI Act aims to promote the protection of the personal information of natural and juristic persons. In terms of section 22 of the POPI Act, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the data subject, and the notification must describe the nature of the breach in sufficient detail.

The responsible party, as defined in the POPI Act, therefore bears the onus of reporting the breach to the Information Regulator and to the affected data subjects. Should a breach occur, the responsible party may be liable to the affected data subjects for civil claims, mainly in the form of damages, and may in addition face enforcement action by the Information Regulator if the notification requirements of the POPI Act are not followed. Accordingly, if the personal information of a natural or juristic person is leaked through a cyber-attack, the responsible party is obliged to report it to the Information Regulator.

When must a Breach be Reported to the Information Regulator and Data Subject?

When a breach of a network system has occurred, the Information Regulator and the affected data subjects must be notified as soon as reasonably possible. What counts as a 'reasonable time' is determined by the Information Regulator on a case-by-case basis, having regard to the type and severity of the breach.

The notification must be of such a nature that it provides sufficient information to data subjects in order to enable them to take protective measures against the potential consequences of the breach discovered.

The only exception to this general rule is that notification of the data subjects may be delayed where the Information Regulator, or a public body responsible for the prevention, detection or investigation of offences, determines that notification would impede a criminal investigation by that public body. The notification to data subjects, once made, must be in writing and communicated in one of the manners prescribed by the POPI Act.

What are the Consequences of Failure to Report a Breach to the Information Regulator?

Failure to report a breach to the Information Regulator can expose a natural or juristic person to the penalties set out in section 107 of the POPI Act, because a person whose network has been compromised remains under an obligation to protect the personal information held on it. Section 107 provides for two tiers of penalty: in terms of section 107(a), a person convicted of the more serious offences faces a fine or imprisonment for a period not exceeding 10 years, or both; in terms of section 107(b), a person convicted of the lesser offences faces a fine or imprisonment for a period not exceeding 12 months, or both.

What do Business Owners need to do?

It is of the utmost importance that natural and juristic persons document what they found when investigating a breach of personal information and the process they followed in establishing it. This is a legal requirement in terms of the POPI Act. It not only helps them to strengthen their cyber security measures, but also provides a basis for addressing the concerns of the Information Regulator, their employees and their clients.

In addition, natural and juristic persons ought to take the necessary steps to prevent future attacks, for example by engaging the services of credible cyber security specialists.

Finally, natural and juristic persons should be open to the idea of taking insurance cover for such cyber-attacks, to lessen potential damages or losses after their networks have been attacked and breached.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.