While South Africa currently does not have specific data protection legislation in force, it should, however, be noted that the European Union General Data Protection Regulation ("GDPR") (which came into force in May last year), in certain instances, directly applies to South African companies. The GDPR places onerous requirements on "controllers" and "processors", including that personal data must be processed in a manner that ensures appropriate security of such data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Fines for non-compliance with the GDPR range from EUR20-million to 4% of worldwide turnover.

In addition, once the South African Protection of Personal Information Act 4 of 2013 ("POPI") – which was based on the GDPR's predecessor – becomes fully effective, an organisation will be obliged to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, as well to prevent unlawful access to or processing of personal information. POPI is not prescriptive as to the exact security measures to be undertaken, but the organisation is obliged to have due regard to generally accepted information practices and procedures which may apply to it generally or may be required in terms of specific industry or professional rules and regulations. Further, POPI also imposes a mandatory requirement on responsible parties to notify the Information Regulator of security compromises. Notwithstanding POPI not being entirely in force and effect, the office of the Information Regulator is proactively monitoring companies that have endured security compromises, and is currently receptive to responsible parties voluntarily reporting security compromises to the Information Regulator.

Here are a few DOs and DON'Ts which are key to assisting organisations in dealing with any data-breach or cyber-attack:

  • Don't only react to cyber threats: be realistic, anticipate them and plan for them by preparing a comprehensive incident response plan for your organisation.
  • Do ensure that your staff and contractors undergo cybersecurity awareness training and remember that people are often the weakest link in cybersecurity.
  • Do instil a culture of awareness of cybersecurity within your organisation.
  • Do follow the steps set out in your incident response plan to avoid panic, to ensure effective crisis management and to mitigate any losses following a cyber-event.
  • Do consider insurance cover: appropriate insurance cover is available to mitigate losses to your organisation following a cyber-event (both for first party costs associated with breach notifications, credit monitoring for customers and for business interruption costs, as well as for third party liability and certain fines), and any cyber insurance policy will require timely notification to your insurer (before any outside vendors are engaged or certain expenses incurred by your organisation in managing a cyber-event). Do set up an experienced response team, made up of your Information Officer, IT staff members and cybersecurity experts, HR professionals, PR representatives and legal counsel, to address the damage caused by the breach.
  • Do switch to backup servers (if available and unaffected by an attack). Switching off the infected servers will not help fix the damage. The response team must analyse (and even preserve) evidence from the attack to mitigate the impact of a breach and to find a solution.
  • Do isolate the breach to minimise the number of affected systems, contain the problem and prevent it from infecting other systems.
  • Do investigate and manage the breach and be mindful of the ramifications of a cyber-breach which can extend beyond IT systems. HR and PR response team members may need to address any impact on employees and customers.
  • Do document the processes and findings of the response team. These are useful in strengthening cyber security, in addressing regulatory and legal requirements, as well as managing the concerns of staff and customers.
  • Do take steps to prevent future attacks and consider using cyber-security specialists in this regard. Such specialists may cost more than an in-house team, but are often more effective and have access to state-of-the-art technology.
  • Don't pay a ransom: often, attackers set a low ransom demand to tempt businesses to pay it, offering a short-term solution to the immediate problem. Paying a ransom may, however, leave the organisation open to future attacks. Hiring a cyber-security consultant to investigate and remedy the problem is often a more profitable long-term solution. Also, remember to consider the terms of your cyber insurance policy in relation to demands for ransom and to give timely notification to your insurer.
  • Don't become so preoccupied with the breach that you overlook the legal consequences, including mandatory breach notifications, and consider seeking help from specialist data-protection attorneys.

Training events

POPI, PAIA, GDPR and Information Officer training

ENSafrica's data protection and regulatory experts, Era Gunning and Ridwaan Boda, will be hosting a one-day seminar in Cape Town, Durban and Johannesburg in October and November 2019. This training will focus on practical compliance with POPI, the POPI Regulations, the Promotion of Access to Information Act ("PAIA"), as well as the EU General Data Protection Regulation ("GDPR"). The seminar covers the general application of POPI and sets out practical steps in order to start implementing POPI/PAIA/GDPR compliance in the organisation. For more information on this training, please click here.

Cyber Breach Training for Financial Services Providers

In order to assist financial services providers in the preparation of their Cyber Incident Response Plans, ENSafrica's POPI experts, Era Gunning and Ridwaan Boda, and cyber insurance expert, Nicole Gabryk, are offering half-day in-house training sessions focusing on regulatory and practical compliance with the security provisions in POPI. For more information on this training, please click here.

High-level training on the rapidly-changing financial regulatory landscape in South Africa

Various ENSafrica specialists join forces to provide a 2 to 3 hour high-level overview to the board (or other stakeholders) of financial services providers on the dramatic overhaul of the financial regulatory landscape. For more information on this training, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.