Experian data breach – new law to clamp down on future hacks in South Africa

21 Aug 2020

Less than two months after the commencement of the Protection of Personal Information Act (POPI), South Africa has suffered a massive data breach.

Approximately 24 million individuals and 800,000 companies have had their personal information held by the credit bureau Experian hacked.

Under POPI, Experian is required to notify the information regulator, says law firm Herbert Smith Freehills.

In addition, unless Experian has been notified by the information regulator or an authority investigating the crime not to do so, Experian is also required to notify every person and company whose personal information has been compromised, the firm said.

“Data breaches are becoming more frequent in nature. This highlights the critical need for companies to adopt robust data breach response plans, which have been tested, so that their reaction is swift, compliant and coordinated.

“Part of this plan is to thoroughly analyse corporate data to intrinsically understand what data the organisation has and where that data is.

“This allows organisations to quickly assess the information lost, and who the affected data subjects are. Organisations should do this as soon as possible, and as part of a full POPI compliance exercise,” the firm said.

While there are reports that the perpetrator of the Experian hack has been caught, currently South Africa does not have a comprehensive law regulating cyber crime, said Herbert Smith Freehills.

However, on 1 July the National Council of Provinces (NCOP) passed the Cybercrimes Bill, which now awaits president Cyril Ramaphosa’s assent.

“This bill creates specific offences, including hacking, and imposes additional reporting obligations on financial institutions.

“The Experian hacker will have to be prosecuted under existing and rather outdated laws. However, once the Cybercrimes Bill is in force, prosecution of these crimes should become significantly more effective.”

Obligations on businesses 

Law firm Cliffe Dekker Hofmeyr said that the Cybercrimes Bill does not simply prescribe offences and penalties to regulate criminal conduct but also imposes obligations on businesses in general and on electronic communications service providers (ECSPs) and financial institutions in relation to the commission of cyber crime.

“ECSPs and financial institutions will have obligations in relation to (i) the reporting of cyber crimes and (ii) the preservation of evidence in relation to the commission of cyber crime,” said

“Any ECSPs or financial institutions that fail to comply with such obligations could be found guilty of an offence and be liable on conviction to a fine not exceeding R50,000.”

Businesses who may fall victim to a cyber crime or who, for example, have an employee who commits a cyber crime, are required to offer cooperation and assist law enforcement officials in any investigations they may conduct, the firm said.

“Such businesses may be required to comply with search warrants and/or may be called to comply with directions issued by the court to furnish particulars to the court relating to the computer systems involved in a cyber crime and/or may be requested to comply with court directions to preserve data or evidence relevant in a cyber crime investigation.”


Commentary by Rohan Isaacs and Tatum Govender of Herbert Smith Freehills.

Additional commentary by Preeta Bhagattjee (director), Aphindile Govuza (senior associate) and Liam Sebanz (associate designate) of law firm Cliffe Dekker Hofmeyr.
