Data Breaches: What is Required?

South Africa has experienced no fewer than four significant data breaches involving consumers' personal information held by businesses in the preceding ten months alone. There is currently no legislation in effect in South Africa which compels a business to disclose data breaches to any authority or to the persons affected by them, meaning there could well be other data breaches that have simply not been brought to the public's attention.

These leaks of personal information have highlighted the need for robust cyber security systems, particularly where sensitive personal information is held by a business. Unfortunately, even the most advanced cyber security systems are susceptible to compromise, provided cybercriminals are given enough time and resources. It is therefore important to know what the law requires in the event of a security compromise.

The provisions of the Protection of Personal Information Act No. 4 of 2013 (POPI) dealing with security compromises have not come into effect as yet but are expected to soon.

Once the relevant provisions of POPI come into effect, a person or business that is responsible for personal information (the responsible party) will, in the event of a security compromise, have to notify the Information Regulator as well as any parties whose personal information has been accessed or acquired by an unauthorised party.

The notification must, at the very least, contain the following information:

  1. A description of the possible consequences of the security compromise;
  2. A description of the measures taken or proposed to be taken by the responsible party to remedy the security breach;
  3. A recommendation of the measures that any party whose personal information was leaked in the security compromise should take in order to mitigate the possible adverse effects of the security compromise;
  4. The identity of the unauthorised person, if known, who accessed or acquired the personal information.

The Information Regulator may also require the data breach to be publicised.

If the personal information of individuals in the European Union (EU) is affected by a data breach in South Africa, the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, requires the responsible party to notify the supervisory authority in the EU without undue delay, and at the latest within seventy-two hours after having become aware of the security breach.

The notification in this case must:

  1. Describe the nature of the breach;
  2. State the categories and number of persons affected by the breach;
  3. State the contact details of the data protection officer where further information can be obtained;
  4. Describe the likely consequences of the breach; and
  5. Describe the measures taken or proposed to be taken by the responsible party to remedy the breach, including measures to mitigate its possible adverse effects.

Having regard to the reputational and financial harm associated with a data breach, not to mention the disruption that it can cause to a business’s operations, responsible parties should ensure that they have adequate cybercrime insurance cover as well as a data breach response plan in place. The data breach response plan should form part of a business’s data privacy policy and should cover the aforementioned notification requirements.

It is the responsibility of all responsible parties to ensure that they are ready for the privacy laws that have become pervasive in recent times, and it is therefore essential that these parties consult an attorney who is proficient in data privacy law for assistance.