Breaches in Data Security – Rights and Responsibilities

27th November 2019

If the discussion around data security wasn’t pertinent enough, the data breach, or hack, against the digital infrastructure of the City of Johannesburg (CoJ) on 28 October 2019 has certainly brought the discussion to the fore. A group of hackers gained access to the city’s online client-facing platform and demanded 4 Bitcoin, failing which they would release all the private data to which they had access. South African law as it relates to data security and cyber law has been woefully inadequate for a long time.

The Electronic Communications and Transactions Act (ECT), combined with various aspects of our common law, has been bolstered by the very recent finalisation of the regulations under the Protection of Personal Information Act (PoPI) in December 2018, as well as much-needed amendments to the ECT. A new version of the Cyber Crimes Bill, passed by the National Assembly in November 2018, provides a far more robust set of measures than the original 2015 Bill but, of course, is still not in effect.

While we wait for the entirety of the legal framework to catch up, the first quarter of 2019 saw a 22% increase in cyber-attacks, and AON’s 2019 Global Risk Management Survey ranks cyber attacks and data breaches as the eighth biggest risk, projected to move up to third position in the next few years. Experts attribute the rise in cyber-attacks to a natural symptom of economic growth and the accompanying rise in connectivity on the African continent.

Off the back of the most recent attack against the CoJ, it is crucial that we understand our rights and duties under the current framework, and how these will be affected in future with the advent of a more rigorous legislative framework.

The ECT provides for a set of principles which govern the protection of personal information. Although these principles are currently voluntary, it seems that the ECT Amendment Bill, once passed, will make adherence to them compulsory. These principles, relating to privacy, essentially require that personal information be obtained with informed consent. These aspects will be replaced by PoPI once that piece of legislation comes fully into force.

For now, the ECT has some teeth in the form of criminal sanctions against the unauthorised access to, interception of, or interference with data. Cyber-related extortion, fraud and forgery are also listed as criminal offences, along with a wide array of activities for which the state may pursue criminal prosecution. Importantly, the ECT also criminalises so-called denial-of-service attacks, which render systems unavailable to their users. For the CoJ and its users this is a welcome addition, as the practical effect of the incident was similar: the city was forced to shut its systems down to prevent the hackers from causing any further harm.

In this most recent attack against the CoJ, the hackers held the city to ransom, which the ECT treats as extortion. If these hackers face trial and are found guilty, they may have to pay a fine or face imprisonment for up to five years.

The concern, however, is the limited legislative scope for victims of the crime to seek compensation for any harm or loss suffered as a result of the data breach. Claims against institutions holding a person’s private information are based on a combination of the Constitution and the common-law right to privacy. If the data breach is the result of negligence, or of a lack of adequate security to guard against breaches, then each victim could potentially have some form of claim against the allegedly negligent institution. Fortunately, most institutions hold some form of third-party insurance, which should then compensate innocent parties for loss suffered.

The hope is that once the legislative framework is in force with PoPI and the Cyber Crimes Bill, institutions will have to work hard at taking positive steps to ensure that the information they hold is kept safe; PoPI, for instance, requires a responsible party to secure personal information with appropriate, reasonable technical and organisational measures and to notify the Regulator and affected data subjects when that information is compromised. Institutions face significant penalties if their systems are found wanting, but whether the watchdog institutions will have the muscle to strictly enforce the terms of these new pieces of legislation is not yet clear. Indeed, the new PoPI regulations do not seem to present any rigorous new challenges to most companies’ existing frameworks.

Nevertheless, companies should still take active measures to ensure that their data and cyber systems are properly secured to prevent possible breaches of security. Companies should have a planned response to deal with any possible breach, including how and when affected users will be notified, and should ensure that any risks that cannot be mitigated are covered by appropriate insurance policies. In these uncertain times, it also becomes imperative that terms of use, terms and conditions, and policies surrounding privacy and data protection are designed in such a way as to protect the company and its users from breaches in data security.

Written by Reenen Lombard, SchoemanLaw Inc, www.schoemanlaw.co.za