This type of crime could see victims hit with a R10 million fine in South Africa

 ·22 Jul 2023

Ransomware attacks are on the rise in South Africa – and there could be legal consequences for the victims of these attacks if they do not follow the correct procedures.

Ransomware is a type of malware that denies users access to their computer systems, whether by removing or deleting data, corrupting or encrypting it, or making it otherwise inaccessible.

Ros Lake and Victoria Pillay from Norton Rose Fulbright South Africa said it can be difficult to detect ransomware attacks until it is too late.

Lake and Pillay said that a person or organisation that uses ransomware will usually demand payment – typically in cryptocurrency – in exchange for a decryption key, which will give the affected user their data back.

Hacker groups, however, do not aim to destroy data (unless payment is not made) and function as illegal businesses that try to generate revenue.

Sophos’ The State of Ransomware in South Africa 2023 report said that 78% of South African organisations were hit by a ransomware attack last year – far higher than the 66% recorded for global respondents over the same period.

The concern for organisations that are hit with cybercrime is that they could face potential legal consequences under the Protection of Personal Information Act, 2013 (POPIA).

For example, the Information Regulator recently issued its first administrative penalty to, ironically, the Department of Justice and Constitutional Development (DOJCD), totalling R5 million.

The DOJCD failed to comply with an enforcement notice issued following the Information Regulator’s investigation into a cyber-attack where the DOJCD was locked out of its systems in September 2021.

Under POPIA, anyone processing personal information in South Africa must implement technical and organisational measures to protect that information.

However, the DOJCD failed to show that it renewed its anti-virus software, which led to the fine.

With ransomware attacks on the rise, Lake and Pillay have noted important things businesses that contain someone’s personal information should keep in mind.

Paying a ransom

The experts noted that it is not illegal to pay a ransom; however, businesses must weigh several ethical considerations against making such a payment.

For instance, the sharing of sensitive information to the public could be weighed against the possible funding of terrorists.

Moreover, businesses will have to act lawfully when considering paying a ransom. Listed companies must approach their board of directors for authorisation to pay the ransom.

Ransom payments are also usually made via cryptocurrency, and using liquid assets to purchase cryptocurrency should speed up the process. There are also exchange control considerations to make if the amount exceeds R10 million.

Moreover, due diligence and getting the proper legal advice are key before making such a payment, as a business will not want to create further legal challenges later on.

Who to tell

Suppose there are reasonable grounds to suspect a data breach. In that case, a business must notify the Information Regulator and data subjects whose personal information has been affected under POPIA.

The notification must be made in a specified formation and contain specific information for the data subjects to understand how it affects them and how they can protect themselves.

Although there is no specified time frame for these notifications to be made, organisations must do so quickly, as failure to report a security compromise could result in an administrative fine of up to R10 million or further legal action.

Moreover, organisations operating in regulated industries should note any sector-specific legislation, guidelines or codes of conduct which oblige them to notify the regulatory authorities if there has been a material impact on the business. This is especially key for companies in the banking and financial sector.

Once the Cybercrimes Act is fully implemented, financial institutions and communications service providers must notify the South African Police Service within 72 hours of becoming aware of the cyberattack – as any ransomware attack will result in numerous contraventions of the Cybercrimes Act.

What to do

There are several legal consequences for businesses affected by ransomware, which can arise several months after the attack.

Cybercriminals can often be in a system for many months before the affected businesses are aware of it.

“Given the prevalence of ransomware attacks, the cybersecurity community considers that it is not a matter of if, but when you are subject to a ransomware attack,” the experts said.

However, there are things that organisations can do to mitigate the risk of ransomware:

  • Maintain awareness of the critical networks and data which are crucial to keeping your business operational; ensure that frequent offsite back-ups are made of such data;
  • Implement patches and updates on all third-party software or applications as soon as you become aware of them being available;
  • Develop a data retention policy and regularly delete any data which is no longer relevant or necessary to carry out business functions, including personal information and intellectual property, or if necessary to keep that data, silo the information so that it can be kept separate from vulnerable systems;
  • Consider acquiring cyber liability insurance and develop and implement an incident response plan; designate key individuals with clearly defined roles to carry out the plan; and
  • Ensure that you have an alternative or backup communication method, especially when the attack affects email availability.

Read: These WhatsApp and social media posts can land you in legal trouble in South Africa

Show comments
Subscribe to our daily newsletter