In a recent case in England, a small to medium-sized entity (SME) was fined GBP 60,000 (over R1m) for failing to take “basic steps” to prevent hackers from gaining access to clients’ personal information, including their banking details.
It is important for South Africa, despite the Protection of Personal Information Act (POPI) not yet being effective, as personal information is protected by our constitutional right to privacy. In any case negligence in protecting this information, if it leads to loss, could expose you to a substantial damages claim.
A UK case illustrates the danger
A video hire company with more than 26,000 customers had a coding error on its login page. This enabled a hacker to gain access to the names, addresses and bank account details of its customer data base.
Authorities found that the company had failed to take “basic steps” to protect customer information. These “basic steps” were:
- Adequate testing on their website would have revealed the coding error,
- Customer passwords were simple and prone to attack, and
- Their decryption key was not secure. These keys more effectively hide security algorithms as hackers are aware of most algorithms.
What is “personal information”?
“Personal information” has several definitions in South African law, but POPI, even though it is yet to commence, suggests that it will cover information such as:
- A person’s name (including where applicable a juristic person e.g. a company),
- Contact details,
- Sexual orientation,
- Personal views,
- Private correspondence,
- Health records,
- Employment records,
- Financial records,
- Biometrics (DNA, fingerprints) etc.
Check your systems now!
POPI has been promulgated but is waiting for the government to gazette a date for it to be fully effective (after which a one year grace period will commence). The administrative fines for transgressions will then be up to R10m. That is in addition to your existing risk of being sued for millions in damages.
It pays to ensure now that personal information under your control is adequately protected to prevent any chance of being sued for negligence. This will also help you get ready for POPI.
This article is a general information sheet and should not be used or relied upon as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your financial adviser for specific and detailed advice. Errors and omissions excepted (E&OE)