The identity numbers, phone numbers and employment details of 24-million South Africans made their way last year onto the dark web – a popular place for criminals to hang out on the internet.
The trove of information, accidentally made public by data firm Experian, should have been stored under lock and key, figuratively speaking, but it wasn’t. And earlier, in 2017, Master Deeds left 60-million personal details of South Africans on an easily accessible open web server.
Neither of these cases was a hack. Master Deeds did not store its information securely, and Experian simply handed the data over to fraudsters.
Neither party faced any consequences; they got away scot-free.
But had these cases of deep company negligence taken place after July 1 2021 they would not have gone unpunished. From this date businesses in SA need to comply with the Protection of Personal Information (Popi) Act.
The firms could have been slapped with a R10m fine and had a director spend 10 years in jail.
The world we live in has taken the security of our personal information beyond our control: you wake up one morning and find your details have been free for the taking. Breaches happen daily and could affect any database, from your favourite social network or hotel chain to a financial service or credit bureau.
And the financial impact is rising. IBM Security’s 2020 "Cost of a Data Breach Report" puts it at an average of R40.2m per breach for SA companies. Last year it took about 228 days to identify and contain a breach. Yet only 56% of organisations have deployed security automation.
Even though the Popi Act comes into effect next month, only 24% of businesses are aware of the privacy laws that will govern their marketing activities.
And despite businesses being aware of the dangers of customers’ data falling into the hands of third-party vendors, they are reliant on them for revenue generation and gathering customer insights, and aren’t always willing to act.
This is according to a survey recently conducted by World Wide Worx. It says 41% of businesses believe the Popi Act will have no effect on how companies operate, while 40% believe it will have a positive effect.
Andrew Bourne, regional manager for Zoho Africa, the firm that commissioned the research, points out that the information regulator — an independent body established in terms of the Popi Act — is in place to enforce the law.
Companies that fail to comply will ultimately waste their own time and money, and if found guilty, could face fines or jail time. "The marketing and IT departments of all companies must pay close attention to Popi requirements and ensure that their marketing activities and technology are compliant and secure."
The steps they take will have to be adequate. "Free software is not secure enough." Firms that offer it usually make use of the data they are fed — and the regulator is likely to fault a company for its negligence, should it be found to have used it.

Popi’s main benefit is that it gives citizens more rights and control over personal information, including the rights to the access, correction and erasure of information. The new law also establishes eight minimum requirements for lawful processing of information, and creates a broad definition of personal information for comprehensive data subject protection, according to online security firm Mimecast.
But unlike the General Data Protection Regulation (GDPR) of the EU, Popi is not extraterritorial, says Miranda Nolan of Mimecast. "That means Popi applies only to organisations that are domiciled in SA or process data within its borders. On the other hand, inside the country Popi is broader in terms of whom it applies to than the European legislation. The GDPR protects people only, whereas Popi also protects juristic persons — companies and organisations."
Organisations will also face the risk of class action lawsuits should they fail to secure information, says Nolan. Popi allows people whose information has been compromised to sue an organisation, irrespective of what the organisation’s intent is.
The information regulator can assist with class actions, so that they can be brought without the "legal heavy lifting" that is usually involved, says Nolan.
"This is likely to make such cases more probable." Companies also face severe reputational damage if they fail to comply.
The act is a welcome development in information security, says Nadine Mather, senior associate at law firm Bowmans.
"Businesses, whether in the private or the public sector, will have to notify you of certain information before they collect your personal details.
"They must have a justifiable ground upon which to process your personal information, and will have to inform you if that information has been accessed by an unauthorised third party as a result of a data breach."
Happily, Popi may mean people receive fewer robot calls or SMSs, because it moves away from the current "opt-out" approach to direct marketing. Instead, people need to "opt in" via electronic communications, says Mather.
"SA is approximately 30 years behind other jurisdictions in implementing its privacy legislation.
"[But] like other countries, we remain vulnerable to the threat posed by data breaches." In a 2020 study SA was found to have the highest probability of experiencing a data breach, Mather says.
Popi will not only help ensure that individuals’ personal information is safeguarded, protected against data breaches and theft, and that it is processed lawfully, says Mather. "The act will also enable SA to participate in the global data economy."