Interview on SABC's Network Show: Marco discusses what legal recourse consumers have in the case where their data privacy has been compromised.
What is a data breach, and in these instances what do we mean by data?
Simply put, a data breach is when sensitive or confidential information is accessed by an individual who is unauthorised to do so.
The reference to data entails anything which has sensitive or private information – this can include financial information such as credit card or bank account details, personally identifiable information such as names, identity numbers, health status, email addresses and passwords and, for corporates, would also include trade secrets and intellectual property.
Do you think that data leaks can be truly contained if the information has already gone out?
Sufficiently containing a data breach depends on the nature of the attack and the system(s) affected but I think that in most instances, unfortunately once data is leaked it is difficult to adequately and truly contain the extent to which the leak has spread.
What would those that steal this data want to do with it?
In most cases the data obtained is used for financial gain. After the data has been accessed, hackers have a variety of ways to monetise it:
- they may use your stolen data themselves to make purchases or commit fraud in your name; the data could be sold in bulk on the dark web;
- in some instances hackers can use your stolen data as extra leverage to encourage you to pay a ransom;
- it is also not uncommon for hackers to launch attacks on large corporations and sell the stolen data (such as IP or trade secrets) to competitor companies.
How can organisations and businesses better protect the data they have been entrusted with?
So there are a number of ways in which organisations can better protect the data they process. There is no one-size-fits-all approach to this question but certain basic measures would include the following:
- I think that first and foremost, it is important for organisations to identify what data needs to be protected - knowing what data to protect makes it easier for you to build your defences;
- the next would be to educate your employees – this would entail holding continuous training or seminars that will inform employees about their responsibilities in respect of protecting data under their control;
- frequently evaluate your IT systems and security protections in place and ensure that the data which needs to be protected is sufficiently encrypted for data protection; and
- lastly, organisations should focus on adopting and enforcing a variety of data protection policies and procedures throughout the organisation – this would include, for example, BYOD and incident management or reaction policies.
How much of a problem are data leaks or breaches in South Africa?
I believe that in this day and age, the frequency as well as the impact of data breaches in South Africa will unfortunately become more prevalent.
Over the past few years the number of data breaches in South Africa has increased significantly, and just last month we saw South Africa's largest ever data breach with the Experian leak. It is becoming more apparent that data breaches and cyberattacks are becoming one of the most significant risks facing organisations, with the threat that organisations could stand to lose millions as a result of these risks, notwithstanding the harm which may be caused to the individuals whose information has been leaked.
What legal recourse do consumers/entities that fall victim to breaches have?
Such consumers or entities would have certain legal recourse directly in terms of the Protection of Personal Information Act (or POPI, as it has commonly been referred to).
So just briefly, POPI is legislation enacted in South Africa which gives effect to everyone's constitutional right to privacy and regulates how organisations may collect, process, store and share personal information.
What this means is that POPI gives consumers specific rights in respect of organisations handling their personal information and it gives consumers greater control over their personal information.
These rights under POPI enable affected parties to lodge a complaint with the Information Regulator should a data breach occur on account of an organisation not taking appropriate steps to protect the data under its control. The Information Regulator is the authority tasked to monitor compliance under POPI and would have certain powers to investigate data breaches.
In addition to lodging a complaint against an organisation, POPI also enables an affected data subject to institute a civil action for damages in a court against the organisation which failed to comply with POPI.
From a legal aspect what should happen to organisations that fail to keep their promise of protecting people's data?
From a legal perspective and in terms of POPI, where a data breach occurs, there exists an obligation on the organisation to report the breach to (i) the Information Regulator; and (ii) to each and every affected data subject impacted by the breach.
If the Information Regulator conducts an investigation and finds any organisation guilty of contravening POPI, the organisation could face a fine of up to R10m or 10 years in imprisonment, or both.
These penalties would be in addition to any civil damages claims instituted by a party affected by the data breach.
In your opinion, do you think Experian had done all it can to keep users' data safe?
I believe that it is difficult to comment on whether Experian had in fact sufficient data protection mechanisms in place to prevent the data leak, as this has not been disclosed. I do believe, however, that after the breach was identified, Experian did take appropriate steps in my view to correctly notify the Information Regulator of the data breach as required in terms of POPI, as well as obtaining a court order which resulted in securing the hardware storing the information and the deletion thereof.