NOMPU SIZIBA: Herbert Smith Freehills, specialists in technology and cyber attacks, have been running master classes on cyber attacks, data breaches and protection. This is an area of real importance for individuals and their privacy, and of course for businesses that can be undermined by data breaches, with stories of offenders demanding a ransom from businesses to avoid key information being disseminated.
To tell us a bit more about the issues, I’m joined on the line by Rohan Isaacs, the head of technology and privacy practice at Herbert Smith Freehills. Thanks very much, Rohan, for joining us. How widespread are cyber attacks, and what sort of impact do they have on the affected businesses?
ROHAN ISAACS: They are extremely widespread and they’re increasing. There is a saying that has been said in various different ways, and most people have heard it – it really boils down to “there are two kinds of businesses in the world, those that are going to be hacked and those that don’t know they’ve been hacked”. So it’s affecting every business, every person, and barely a day goes by where …… for CEs an email or something like that attempting to precharge private cyber defences – whether it’s someone who is sending you an email, trying to get access to your bank accounts, the ……. that go on ……. actual businesses that are under constant threat of attack. And it’s by cyberless clues …… .
NOMPU SIZIBA: I understand you have clients from the private and public sector, and you give advice on ICT matters. Just in a bit more depth, give us a flavour of the services that you provide to your clients.
ROHAN ISAACS: Cyber aside, what we do is we help clients understand the cyber risks, and we do a lot of training for clients. One of the very big areas of weakness is the staff of the company. Staff …… being liable …… doing something silly, switching on actions and some of them from an unknown email address, not critically looking at an email, for example, to determine whether it’s from a legitimate sender. We do a lot of training of staff.
Then, when data breaches happen, we work with clients to deal with the fallout. That is dealing with the public and how these came to be, explaining to the public what has happened, as well as of course the legal liability attached to the data breach.
NOMPU SIZIBA: Here in South Africa there is the Protection of Personal Information Act. What does that say about businesses or organisations that hold people’s information, and their obligation in terms of the information they hold?
ROHAN ISAACS: For Popi, as the act you refer to, the first thing I think to say is that if operative solutions aren’t in force, although a lot of companies are behaving essentially as a …… force, but they have a need to demonstrate that they take privacy seriously.
What Popi does is it deals with personal information, which is essentially information that makes a living natural person, or a corporate person, a legal person, identifiable. And what it says is that one needs to take reasonable, appropriate technical and organisational measures to do things like prevent unauthorised access to personal information.
The Act was drafted broadly in that sense, as it should be. It doesn’t align to a particular standard, because standards change over time. Also, different industries may have varying requirements. What might be reasonable and appropriate in, let’s say, a banking or a medical environment, may differ from what is reasonable and appropriate in a retail environment.
Just one thing that people should know about this is that, if you have met the standards that Popi requires you to, then, despite the fact that you may suffer a data breach, you won’t be liable. So the quantum of the Act is not strict. It merely requires you to meet the standards of a reasonable and appropriate state. If you do that, you are covered.
NOMPU SIZIBA: When you advise companies about what sort of assistance they need to put in place, what do you advise them that they need, and does it usually come with a high price tag?
ROHAN ISAACS: What I tend to do is to stick to my knitting. I’m a lawyer and I don’t say that I’m sufficiently qualified to tell a client what technical systems to put in place. But I advise them to seek advice from IT security experts.
What I will say to them is, “You’ve got to assess the data that you hold and the kind of risks to which you are exposed, so you can determine what is reasonable and appropriate for you”. As I was saying just now, if you are a bank, for example, you probably wouldn’t do the same thing that a small retail store would do. Obviously you have more resources at your disposal generally to acquire high levels of security. You are potentially more at risk from cyber criminals. So I think you would look at it differently than a store reseller might. That’s really what I focus on when talking to clients.
NOMPU SIZIBA: Many thanks, Rohan, for your time this evening.