We have been speaking of hacking and ransomware for a while, and the problem keeps growing and continues to make the news.
In a recent case in England, a small to medium-sized entity (SME) was fined GBP 60,000 (over R1m) for failing to take “basic steps” to prevent hackers from gaining access to clients’ personal information, including their banking details.
This matters in South Africa even though the Protection of Personal Information Act (POPI) is not yet in effect, because personal information is protected by our constitutional right to privacy. In any case, negligence in protecting this information, if it leads to loss, could expose you to a substantial damages claim.
A UK case illustrates the danger
A video hire company with more than 26,000 customers had a coding error on its login page. This enabled a hacker to gain access to the names, addresses and bank account details in its customer database.
Authorities found that the company had failed to take “basic steps” to protect customer information. The shortcomings in these “basic steps” were:
- Adequate testing of the website would have revealed the coding error,
- Customer passwords were simple and prone to attack, and
- Their decryption key was not secure. Because hackers are aware of most encryption algorithms, it is the secrecy of the key, not of the algorithm, that protects the data.
What is “personal information”?
“Personal information” has several definitions in South African law, but POPI, even though it is yet to commence, suggests that it will cover information such as:
- A person’s name (including, where applicable, a juristic person, e.g. a company),
- Contact details,
- Sexual orientation,
- Personal views,
- Private correspondence,
- Health records,
- Employment records,
- Financial records,
- Biometrics (DNA, fingerprints) etc.
Check your systems now!
POPI has been promulgated but is waiting for the government to gazette a date for it to be fully effective (after which a one-year grace period will commence). The administrative fines for transgressions will then be up to R10m. That is in addition to your existing risk of being sued for millions in damages.
It pays to ensure now that personal information under your control is adequately protected to prevent any chance of being sued for negligence. This will also help you get ready for POPI.