While incidences of cyber attacks have been on the rise for a number of years, the outbreak of the Coronavirus ("COVID-19") pandemic globally, and the lockdowns imposed in many countries leading to large numbers of layoffs and people working from home, have led to a steep increase in cybercrime. The WHO reported in April 2020 that, since the start of the COVID-19 pandemic, it has seen a dramatic increase in the number of cyber attacks directed at its staff, and email scams targeting the public at large. In South Africa, according to global cybersecurity company Kaspersky, statistics show that in the week of 15 – 21 March 2020, hackers attacked up to 310 000 devices (up from a weekly average of 20 000 – 30 000 attacks).

More recently, on 9 June 2020 two more headlines hit the press:

  • “Honda's global operations hit by cyber-attack” – from details released by Honda, the company's ability to access its computer servers, emails and other internal systems was affected, as well as production systems outside of Japan.
  • “Life Healthcare hit by cyber-attack” – while Life Healthcare is still carrying out an investigation into the incident, its admissions systems, business processing systems and email servers have been affected by the attack.

Any organisation faced with a cyber-attack or data-breach will incur costs and losses that could potentially cripple its business. Some examples of these costs and losses are:

  • Ransomware demands and payments: IT firm Atlas VPN recently released an analysis stating that 55% of companies studied had received a demand for ransom in the previous 12 months, and that more than 57% of those companies paid the ransom. The analysis also stated that the average amount of ransom demanded rose 300% since the beginning of 2018.
  • Business continuity costs: As evidenced by the recent press headlines, organisations face major disruptions and losses to their businesses due to cyber-attacks, including loss of income and profit from the date of the attack until networks are fully restored.
  • Liability for actions of employees: With the commencement date of the Protection of Personal Information Act 4, 2013 (“POPI”) fast approaching, it is important to note that POPI makes provision for a form of statutory vicarious liability for organisations in the event of a contravention of POPI by any of their employees. In particular, POPI provides that a civil action for damages may be instituted against the responsible party (the employer) irrespective of whether there is intent or negligence on the part of the responsible party.
  • Defence costs: there are a number of examples from around the world where companies have been embroiled in litigation for a number of years after being sued for damages arising from data-breaches, some being:
    • In the USA, the case of Enslin v Coca-Cola Company, which arose from the actions of a rogue IT employee who, over a number of years, had been stealing old company laptops containing sensitive personal details of employees of the company. Coca-Cola was sued by a former employee, Mr Enslin, who had discovered that his online accounts had been hacked and used to make unauthorised purchases. He alleged that Coca-Cola had an obligation to protect his personal information. While Coca-Cola was ultimately successful in the litigation, it took almost five years for the litigation to be resolved.
    • In the UK, the case of WM Morrisons Supermarkets plc v Various Claimants, which arose after Morrisons, a large supermarket chain in the UK, suffered a serious data-breach when the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details) was posted online by a disgruntled Morrisons employee. A number of employees of Morrisons brought proceedings against Morrisons for damages. While the UK Supreme Court ultimately found in favour of Morrisons, holding that the employee's “wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons' liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment”, it took more than four years of litigation, and a number of appeals, for the litigation to be finalised.

Bearing in mind the potentially enormous losses which businesses face due to cyber-attacks and that POPI, once in force, will oblige all organisations to report data-breaches, it is imperative for organisations to plan and to take such steps as are appropriate for managing, and mitigating the impact of, a cyber-event. This will include taking appropriate legal advice, implementing proactive, protective policies and procedures, and purchasing specific or tailored cyber-insurance policies intended to cover losses associated with data breaches or cyber-attacks. These include network or business interruption losses, third party liability losses, cyber extortion/ransomware demands and the costs of the appointment of various professionals such as forensic services and legal assistance.

ENSafrica provides comprehensive and full-service data-breach and forensic advice and assistance, including:

  • pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, contracts and procedures for businesses, as well as information officer training services; and
  • post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches.

We also provide comprehensive coverage advice to clients in relation to cyber insurance policies. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.