8 August 2018
South Africa has experienced no fewer than four significant data breaches involving consumers’ personal information held by businesses in the preceding ten months alone. There is currently no legislation in effect in South Africa which compels a business to disclose data breaches to any authority or to the persons affected thereby, meaning there could well be other instances of data breaches that have simply not been brought to the public’s attention.
These leaks of personal information have highlighted the need for robust cyber security systems, particularly when sensitive personal information is held by a business. Unfortunately, even the most advanced of cyber security systems are susceptible to hacking, provided cybercriminals are given enough time and resources. It is therefore important to know what the law requires in the event of a security compromise.
The provisions of the Protection of Personal Information Act No. 4 of 2013 (POPI) dealing with security compromises have not yet come into effect but are expected to do so soon.
Once the relevant provisions of POPI come into effect, a person or business that is responsible for personal information (responsible party) will, in the event of a security compromise, have to notify the Information Regulator as well as any parties whose personal information has been accessed or acquired by an unauthorised party.
The notification must, at the very least, contain the following information:
The Information Regulator may also require the data breach to be publicised.
If the personal information of individuals in the European Union (EU) is affected by a data breach in South Africa, the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, requires the responsible party to notify the supervisory authority in the EU without undue delay, and at the latest within seventy-two hours after having become aware of the security breach.
The notification in this case must:
It is the responsibility of all responsible parties to ensure that they are ready for the privacy laws which have become pervasive in recent times, and it is therefore essential that these parties consult with an attorney who is proficient in data privacy law for assistance.