https://www.polity.org.za
Deepening Democracy through Access to Information
Breaches in Data Security – Rights and Responsibilities



27th November 2019


If the discussion around data security wasn’t pertinent enough, the data breach, or hack, against the digital infrastructure of the City of Johannesburg (CoJ) on 28 October 2019 has certainly brought the discussion to the fore. A group of hackers gained access to the city’s online client-facing platform and demanded 4 Bitcoin, failing which they would release all the private data to which they had access. South African law as it relates to data security and Cyber Law has been woefully inadequate for the longest time.

The Electronic Communications and Transactions Act (ECT), combined with various aspects of our Common Law, has been bolstered with the very recent finalisation of the Protection of Personal Information Act (PoPI) in December 2018 as well as much-needed amendments to the ECT. A new version of the Cyber Crimes Bill, passed by the National Assembly in November 2018, provides a far more robust set of measures than the original 2015 Bill, but, of course, is still not in effect.

While we wait for the entirety of the legal framework to catch up, the first quarter of 2019 saw a 22% increase in cyber-attacks, and AON’s 2019 Global Risk Management Survey places Cyber Attacks and Data Breaches as the eighth biggest risk, which is projected to move up to third position in the next few years. Experts describe the rise in cyber-attacks as a natural symptom of economic growth and the accompanying rise in connectivity on the African continent.

Off the back of the most recent attack against the CoJ, it is crucial that we understand our rights and duties under the current framework and how this will be affected in the future with the advent of a more rigorous legislative framework.

The ECT provides for a set of principles which govern the protection of personal information. Although these principles are not compulsory, it seems that the ECT amendment bill, once passed, will make adherence to these principles compulsory. These principles, relating to privacy, essentially require that personal information must be obtained with informed consent. These aspects will be replaced by PoPI once that piece of legislation is enacted.

For now, the ECT bares some teeth in the form of criminal sanctions against the unauthorised access to, interception of or interference with data. Cyber-related extortion, fraud and forgery are also listed as criminal offences, along with a wide array of activities which would allow the state to follow criminal prosecution. Importantly, the ECT also criminalises so-called denial-of-service attacks, which for the CoJ and its users is a welcome addition, as the city was forced to shut its systems down to prevent the ‘Hackers’ from causing any further harm.

In this most recent attack against the CoJ, the hackers held the city to ransom, which, in terms of the ECT, is defined as extortion. If these hackers face trial and are found guilty, they may have to pay a fine or face imprisonment for up to five years.

The concern, however, is the limited legislative scope for victims of the crime to seek compensation for any harm or loss suffered as a result of the data breach. Claims against institutions holding persons’ private information are based on a combination of the Constitution and the Common Law view of privacy. If the data breach is a result of negligence or a lack of adequate security in place to guard against breaches in security, then each victim could potentially have some form of claim against the allegedly negligent institution. Fortunately, most institutions hold some form of third-party insurance, which should then compensate innocent parties for loss suffered.

The hope is that once the legislative framework is in force with PoPI and the Cyber Crimes Bill, institutions will have to work hard towards taking positive steps to ensure that the information they hold is being held safe. Institutions are liable to face significant penalties if their systems are found wanting, but whether the watchdog institutions will have the muscle to strictly enforce the terms of these new pieces of legislation is not yet clear. Indeed, the new PoPI regulations do not seem to present any new rigorous challenges to most companies’ existing framework.

Nevertheless, companies should still take active measures to ensure that their data and cyber systems are properly secured to prevent possible breaches of security. Companies should have a planned response to deal with any possible breach, and ensure that any risks that can’t be mitigated against are covered by appropriate insurance policies. In these uncertain times, it also becomes imperative that terms of use, terms and conditions and policies surrounding privacy and data protection are designed in such a way as to protect the company and its users from breaches in data security.

Written by Reenen Lombard, SchoemanLaw Inc, www.schoemanlaw.co.za

 

Polity.org.za is a product of Creamer Media.
www.creamermedia.co.za
