With the recent WannaCry and NotPetya attacks, South African businesses are feeling the effects of cyber attacks first-hand, but they may now also have a duty to their customers, according to Norton Rose Fulbright’s Kerri Crawford and Rakhee Bhikha.
“Barely recovering from the WannaCry ransomware attack, many across the globe now have to deal with the latest ransomware attack, NotPetya,” the legal experts said.
Originally thought of to be the Petya ransomware, security analysts quickly realised that the current cyber-attack was not designed to make money. It appears that NotPetya has actually just been designed to cause maximum damage, while disguising itself as ransomware.
“You know you’ve been affected by NotPetya if you receive a message that your files have been encrypted with a demand to pay $300 in Bitcoin.”
“Unlike with WannaCry there is no ‘kill-switch’ with NotPetya. A ‘kill-switch’ enables tech-wizards to infiltrate the malware and stop it from encrypting data or causing damage”.
The result is that the NotPetya ransomware has affected large organisations all over Europe and the US.
In South Africa, there is currently no legal obligation on companies to notify anyone, either a local authority or customers of the company, the experts noted.
Barring any confidentiality or similar contractual obligation that companies may have to customers, companies do not have to publicise their breach.
“However, once the Protection of Personal Information Act 2013 (POPI) commences there will be an obligation on organisations to report data breaches to the information regulator and customers; and once the Cybercrimes and Cybersecurity Bill is enacted there will be new offences created that will make cyber attacks and breaches illegal in South Africa.”
The pair noted, however, that South African companies with affiliates or headquarters in other jurisdictions may currently have notification obligations in terms of those foreign laws.
“Companies may also notify people potentially affected by a data breach as a policy decision or good practice, although proper legal and public relations advice should be taken before doing so.”