South African companies have been hit by several high-profile data breaches in the last year or two, but it was the recent Facebook event that really focused the minds of South Africans on the risks and obligations when dealing with clients’ personal information.
This is the view of Ahmore Burger-Smidt, partner at Werksmans Attorneys and co-author of the book A Commentary on the Protection of Personal Information Act, which was launched last week.
Even more recently insurance giant Liberty was held to ransom by malicious cyber-attackers who threatened to release “critical information” of “top clients”. Liberty refused to pay the ransom and seemed to have survived without major damage.
Burger-Smidt says that almost half of all cyber attacks in South Africa are malicious, roughly a quarter are the result of human error, and the balance are due to system failures.
She says quantifying the potential cost of a data breach should not only be viewed in terms of the cost of buying new encryption software, doing a bit of training or risk assessment.
Any data breach brings about both internal and external costs. Internal cost relates to the time it takes to get to the root cause of an attack, and a malicious attack could be more costly to solve than a system glitch. Human error can, on occasion, be attributed to disgruntled or careless employees, Burger-Smidt adds.
The true cost of a data breach, however, would include that of customers leaving the company, the increased cost of acquiring new customers and the impact on company growth as a result.
In light of this, data protection should be elevated to an exco level and be part of the strategic thinking in a company, rather than being left to “the IT team sitting in a corner”.
Businesses should have a data breach plan in place and know what to do immediately when such a breach occurs.
The correct timely response could mitigate the cost should such a breach occur, Burger-Smidt says. “The corporate message post a data breach is vital. It must be prepared in advance, because once it happens, there is no time to lose. What a company says is extremely important and should not create the impression that it had a laissez-faire approach to data protection.”
But where does a business owner start?
Burger-Smidt says it is vital to first understand what information the business holds. This could be more involved than one might expect.
The next question relates to what the business does with such information, including where it is housed and at what point it exits the business.
These questions could best be answered by people within the company, Burger-Smidt says. Driving the process in-house empowers staff to keep the data protection risk map updated continuously in an efficient way, she adds.
Werksmans has developed an online tool that enables companies to map the lifecycle of information in detail.
The tool makes it easy for users to superimpose the requirements of the Protection of Personal Information (PoPI) Act on the data management system within a company and identify the vulnerabilities or hotspots. It also gives companies guidance about the staff who should be included in the core team for PoPI compliance.
Burger-Smidt says the compliance burden in terms of PoPI can seem intimidating. If one breaks it down, however, it is not that daunting. Eat the elephant one bite at a time, so to speak.
South Africa is behind the rest of the world in terms of protecting personal information, with PoPI regulations not being finalised and the information regulator not yet fully operational, she adds.
The book she co-authored discusses the protection of personal information and provides insight into the practical meaning of legislation in this regard for every business.
It also interprets it within the broader legislative landscape and links it to the European General Data Protection Regulations (GDPR), which has been implemented in the European Union and is regarded as the international gold standard for data protection.
The book gives practical examples to enable the reader to fully understand the impact of the legislation on business.
Brought to you by Werksmans Attorneys.
* Moneyweb will be hosting a webinar with Burger-Smidt about data privacy law on July 17. To read more about it and to register, click here.