By Lizaan Lewis, Head of Legal at Altron Systems Integration
After many years of hearing about the Protection of Personal Information (POPI) Act and the effect it would have on businesses in terms of their responsibility to protect personal data, businesses have finally seen the warning shot fired by the Information Regulator. Get your house in order or you could easily be next to fall foul of POPI and pay a fine, suffer reputational damage, and even face criminal liability.
The Information Regulator dishing out a R5-million fine to the Department of Justice and Constitutional Development ("Department") should give pause for thought to all businesses that process personal information.
Fines can go up to R10-million and there can even be jail time if it is found that there was malicious intent leading to a data breach. In this instance, the Information Regulator fined the Department over a data breach that occurred about two years ago. The Information Regulator had initially sent an enforcement order to the Department, which was not adhered to, with the result being the country's first fine issued in terms of the POPI Act. Perhaps the lesson in this is how easily it could have been averted: it was found that the Department had not renewed licences for cyber security software, something seemingly so simple but which proved to open the door to the hackers.
The obligation in the event of a data breach is to prove that you did everything in your power to prevent the data breach. In other words, the Information Regulator needs a business to prove that it had put in its best effort to prevent a breach of personal data, and in the case of the Department, it was required to demonstrate the steps it had taken to rectify the problems. Not renewing licences for cyber security software may seem small, but the consequences can be huge.
No business is safe from hackers, and cyber-crime is growing exponentially. The larger an organisation becomes, the more attractive it becomes to hackers. The Act distinguishes between personal information and special personal information, which includes things such as medical records or biometric information, and special personal information demands a higher degree of care from the responsible party.
There absolutely must be contingencies in place for businesses of all sizes. For example, a monitoring tool may not necessarily give you protection, but it will point you to where there was unusual activity, which could be the site of a data breach. The Information Regulator has been informed of thousands upon thousands of data breaches and so this fine is most certainly a warning shot for businesses across industries. If you haven’t yet, it is time to get your house in order.
In the modern digital world, cross-border movement of data is not unusual, and the European Regulator has issued very large fines to household names for flouting obligations under the General Data Protection Regulation (GDPR). Factor in exchange rates, and a fine from that body would be difficult for any organisation to stomach.
As an absolute starting point, businesses should ensure all their software licences are up to date. Just because they don’t see it affecting their business does not mean it shouldn’t be a priority. It’s important to understand that you need the correct software for your type of business, because not all firewalls or virus protection software are identical, and some are not suitable for certain types of organisations. This means that there must be a proper assessment of a business’s environment so that it can know exactly what protection is needed.
It may be easy to simply use Google to find tools, but these may not be right for certain environments and may require specialised skills to use. The prudent thing to do would be to engage with industry experts who can immerse themselves in an environment and advise on exactly what the business needs, from systems to processes and tools.
In the event of a data breach, a business needs to have peace of mind that not only can it recover important data and continue its operations, but also that it can prove to the Information Regulator that it did everything reasonably possible to prevent the breach, while having the capability and skills to mitigate future attacks. Failing to do this turns a business into a sitting duck in an environment where the Information Regulator has shown its teeth.