South Africans are increasingly at risk of falling victim to identity theft, fraud and other forms of cyber crime – as was the case in October last year, when the largest data breach of private citizens in South Africa’s history saw the personal data of over 30 million people leaked online.
According to Fatima Ameer-Mia, senior associate at Cliffe Dekker Hofmeyr, there is currently no legislation in force which compels a business to disclose such data breaches to its information security.
“Across the world, data is a very valuable resource and the commercialisation and monetisation of data is therefore big business,” she said.
“Businesses in South Africa, however, tend to have particularly poor information security practices in place, which puts them at greater risk to opportunistic cyber criminals,” Ameer-Mia said.
The legal expert said that under current South African law, legal recourse against cybercrime is fairly limited.
“The only circumstances under which compensation may be payable is if an individual is able to prove monetary loss and causality (ie the breach caused you to lose money) and succeeds with a delictual claim, whereby they claim for damages from the individual or organisation who caused the data breach.
“In this case, however, the claimant will have to go to court, which is usually a complicated and costly exercise,” she said.
A delictual claim is awarded when a person receives monetary compensation for losses suffered. For a delictual claim to succeed, the person making the claim (the claimant) or attorney must prove that:
- The action of the other individual or organisation was wrongful because it caused harm to the claimant or their property.
- The individual or organisation performing the action was negligent (was at fault) or acted intentionally.
- The claimant suffered loss which can be given a monetary value (such losses are called damages).
- The monetary loss (damages) was suffered as a result of the action of the negligent individual or organisation i.e. the action of the negligent individual or organisation caused the monetary loss.
While South Africans are still restricted in their rights following a data breach, this is expected to change when the Protection of Personal Information Act (“POPI”) comes into force, said Ameer-Mia.
“The notification of data breaches in South Africa is governed by POPI, and while POPI has been promulgated, its substantive sections are not yet in effect.”
“Only once these substantive sections become legally binding, do we expect to see businesses change their approach to the protection of customer and employee data, as this will mean that an organisation which is involved in a data breach situation may be subject to an administrative fine, penalty or sanction,” Ameer-Mia explained.
“Furthermore, POPI will provide remedies and a complaint channel for those compromised by the unlawful processing of personal information,” she added.
However she said that she was hopeful that the recent data breach will provide the impetus for government to take positive action with regards to implementing the legislative and regulatory framework around data protection and cybersecurity.
“In the long run, implementing a regulatory framework which protects citizens and allows for healthy economic development will benefit all parties – consumers, businesses and the government alike,” she said.