With the recent WannaCry and NotPetya attacks, South African businesses are feeling the effects of cyber attacks first-hand, but they may now also have a duty to their customers, according to Norton Rose Fulbright’s\u00a0Kerri Crawford and Rakhee Bhikha.<\/p>\n
“Barely recovering from the WannaCry ransomware attack, many across the globe now have to deal with the latest ransomware attack, NotPetya,” the legal experts said.<\/p>\n
Originally thought of to be the Petya ransomware, security analysts quickly realised that the current cyber-attack was not designed to make money. It appears that NotPetya has actually just been designed to cause maximum damage, while disguising itself as ransomware.<\/p>\n
“You know you\u2019ve been affected by NotPetya if you receive a message that your files have been encrypted with a demand to pay $300 in Bitcoin.”<\/p>\n
“Unlike with WannaCry there is no \u2018kill-switch\u2019 with NotPetya. A \u2018kill-switch\u2019 enables tech-wizards to infiltrate the malware and stop it from encrypting data or causing damage”.<\/p>\n
The result is that the\u00a0NotPetya ransomware has affected large organisations all over Europe and the US.<\/p>\n
In South Africa, there is currently no legal obligation on companies to notify anyone, either a local authority or customers of the company, the experts noted.<\/p>\n
Barring any confidentiality or similar contractual obligation that companies may have to customers, companies do not have to publicise their breach.<\/p>\n
“However, once the Protection of Personal Information Act 2013 (POPI) commences there will be an obligation on organisations to report data breaches to the information regulator and customers; and once the Cybercrimes and Cybersecurity Bill is enacted there will be new offences created that will make cyber attacks and breaches illegal in South Africa.”<\/p>\n
The pair noted, however, that\u00a0South African companies with affiliates or headquarters in other jurisdictions may currently have notification obligations in terms of those foreign laws.<\/p>\n
“Companies may also notify people potentially affected by a data breach as a policy decision or good practice, although proper legal and public relations advice should be taken before doing so.”<\/p>\n