Appropriate data protection fundamental in South African cybersecurity laws

20th November 2019 By: Schalk Burger - Creamer Media Senior Contributing Editor

Reasonable and appropriate technical and organisational measures to protect personal information are fundamental to comply with South African information privacy laws, notwithstanding the impossibility of completely preventing cybersecurity breaches, law firm Herbert Smith Freehills cybersecurity and privacy consultant Rohan Isaacs said on Wednesday.

The Protection of Personal Information (PoPI) Act stipulates that organisations that process and/or store customers’ personal information must take appropriate steps to protect that information.

Whether these measures were in place in the event of data loss or a leak would be central to the liability of the organisation, including fines.

However, organisations must also consider the sensitivity of the information in question because PoPI does distinguish between personal information and special personal information, which includes health, social, religious, sexual and political information, to which more restrictive obligations apply.

While there are no separate penalties stipulated for the loss of special personal information, PoPI does limit the grounds on which this information may be captured, processed, stored and shared, compared with ordinary personal information.

South Africa was lagging behind developed countries and developing peers and had to implement PoPI to keep up, he added.

The rapid pace of development and adoption of connected technologies is dramatically increasing the complexity of the environment.

This means that breaches cannot be completely prevented, but companies must still take steps to protect data. Organisational measures, such as cybersecurity training and awareness drives among staff, are part of the appropriate measures organisations should take to protect personal information.

New threats are continuously developed and new attack vectors used, making it impossible for any company, or any cybersecurity service provider, to guarantee that no breach or leak will occur, explained Isaacs.

There is also increasing demand for cybersecurity insurance. In most cases, the insurance covers losses suffered as a result of data breaches and provides first-response assistance in the event of a data breach. This includes forensic information technology services, preliminary legal advice and public relations advice.

“When a cybersecurity breach and data loss occurs, the manner in which organisations communicate details of a breach or data loss with affected parties becomes very important,” he said.

Companies that are transparent with clients and business partners about the incident and their efforts to contain and mitigate its impacts tend to limit the reputational damage most effectively, he said.

Further, the information held and the protection appropriate to it vary by industry and company, which must be considered when determining whether reasonable and appropriate measures are in place to protect data.

Meanwhile, policing cybercrime is difficult and the nature of cybercrimes – anonymous and borderless – necessitates a collaborative and international approach.

There is some capacity in South Africa, such as under the cybercrime unit of the Directorate of Priority Crime Investigation, as well as in private sector organisations and industry bodies, to detect and investigate cybercrimes.

The latest version of the Cybercrimes Bill, which was adopted in November 2018 but has not yet been passed by the National Council of Provinces, includes clauses for requesting and/or sharing information with foreign States in compliance with the International Cooperation in Criminal Matters Act, as well as clauses that allow for South African courts to have limited extraterritorial jurisdiction where offences are committed outside of South Africa.

The Cybercrimes Bill also states that information and communications service providers and financial institutions that become aware that one of their computer systems was involved in a cybercrime must report the offence to the police within 72 hours and preserve any evidence related to the offence.