Data breaches: practical considerations

South Africa

All organisations are vulnerable to cyber-attacks. Cybercriminals will attack any organisation from which they can possibly profit or benefit (be it financially or otherwise). This is a pressing local issue as there are an unprecedented number of cyber criminals targeting South African organisations and governmental authorities, with South Africa having the third-highest number of cybercrime victims in the world in 2020 at a cost of R2.2 billion a year[1]. It seems, therefore, that it is not a matter of if an organisation will suffer a data breach, but when.

There are several ways, constantly evolving, in which an organisation may be targeted by cyber criminals, with the most common threats in South Africa being online scams, digital extortion, business email compromises, ransomware attacks and botnets. Even a small data breach can cause massive damage to any organisation and time is of the essence when an organisation becomes aware of a breach. Not only will swift incident response limit the extent of the breach, but it may also demonstrate to customers and regulators that an organisation takes information security seriously. There are some practical considerations to be kept in mind when responding to a data breach incident.

Preparation is essential to effectively managing incident response. In order to respond timeously to a data breach, a number of skill sets must be immediately available to an organisation. For example, legal professionals are required to guide an organisation through the regulatory maze applicable in any breach while IT forensic specialists should be on-hand for identification, containment and eradication of the breach. The quicker the eradication of the source of the breach, the more limited the damage will be and the quicker systems can be restored. Further, IT Forensic specialists and legal advisers will need to communicate in order to determine what defensive action the IT professionals may lawfully take to counter the attack to avoid being in breach of the Cybercrimes Act No 19 of 2020 (“Cybercrimes Act”) themselves. In addition, the services of a PR team may also be required by an organisation to manage any reputational damage and advise on media announcements. 

In addition, several notification requirements become relevant when a data breach occurs. Section 22 of the Protection of Personal Information Act No 4 of 2013 (“POPIA”) stipulates the timeframe for notification to the Information Regulator (being the regulatory body responsible for oversight of, amongst others, organisations’ compliance with POPIA) and data subjects in the event of a breach. This notification must take place “as soon as reasonably possible” not only after the actual discovery of a breach, but also after the development of reasonable grounds to believe that there has been a breach. The Information Regulator has yet to give an indication on the meaning of “as soon as reasonably possible”, but it is useful to take guidance from notification timeframes in leading data protection standards, such as the GDPR, which stipulates a 72-hour notification period. It is also important to keep in mind that there is an interplay between the notification requirements in terms of POPIA and the Cybercrimes Act in certain instances. While not yet in effect, section 54 of the Cybercrimes Act stipulates that electronic communications service providers (such as internet service providers) and financial institutions must notify the South African Police Service (“SAPS”) no later than 72 hours after becoming aware of the breach, failing which they could face a fine of up to R50 000. Further, in terms of POPIA, should the SAPS require, a responsible party may delay notifying data subjects of the data breach only due to the investigative requirements of SAPS or if the Information Regulator determines that notification will impede a criminal investigation. It is important, therefore, to obtain legal advice regarding how these notification obligations may apply to your organisation prior to making such notifications.

In certain instances, a data breach may also trigger a reporting obligation in terms of section 34 of the Prevention and Combating of Corrupt Activities Act No 12 of 2004 (“PACCA”). Section 34 of PACCA provides that a person in a “position of authority” who knows or suspects that an incident of fraud, theft, corruption, forgery or uttering of a forged document, or extortion involving an amount of R100,000 or more is required to report this to the Directorate of Priority Crimes Investigation (i.e. the Hawks). Failure to report in terms of this section is also an offence and carries the penalty of a fine or imprisonment of up to 10 years. A data breach may in some instances trigger these obligations and it is, therefore, important to seek legal advice as soon as possible. Section 29 of the Financial Intelligence Centre Act No 38 of 2001 (“FICA”) requires reporting of both suspicious or unusual transactions, on the one hand, and suspicious or unusual activities, on the other. What activity constitutes these types of transactions is specifically listed in FICA. The reporting period in relation to section 29 of FICA is “as soon as possible” but no longer than 15 days. Therefore, it is important to obtain legal advice to determine whether this obligation may arise in relation to a data breach. 

An additional notification requirement to consider is any potential notification requirements under any Cyber Liability Insurance policy owned by an organisation. Such policies usually cover losses due to cyber-attacks as well as privacy investigations or lawsuits following an attack and may have specified notification requirements and periods.

Illustrated by the above, navigating incident response can be complex. Preparation is, therefore, the best defence to limiting the damage done by any potential data breach. To avoid losing precious time through being unprepared in the face of a data breach, an organisation must plan for the worst-case scenario and ensure it is equipped with all the knowledge and support needed to navigate a data breach effectively.

Takeaways:

  • All organisations are vulnerable to data breaches, with a high number of South African incidents, which are on the rise

  • Having the rights skillsets on hand to assist with incident response is crucial

  • Organisations must be aware of the various applicable notification requirements

  • Know how the law applies to you specifically by asking us for a legal opinion or interpretation of the law.



[1]According to Interpol’s African Cyberthreat Assessment Report, October 2021