Understanding your organisation’s data breach liability in terms of POPIA
Data breaches have become an everyday reality in the 21st century and have, alarmingly, impacted numerous respected, large enterprises. The recent incident involving a prominent South African insurance provider, reported on 06 June 2024, saw the exposure of personal information (PI) belonging to 19 of its clients. A few of the affected clients expressed their frustration on social media, questioning the insurance company’s remedial solutions for the breach. This incident underscores the importance of understanding the responsibilities imposed upon a “responsible party” as outlined in the Protection of Personal Information Act 4 of 2013 (POPIA).
POPIA distinguishes between a “responsible party”, who determines the purpose and means of processing PI, and an “operator”, who processes PI for a responsible party in terms of a mandate (Section 1 of POPIA). However, in the event of a data breach, the responsible party incurs full liability and is accordingly encouraged to establish agreements with operators that address operator liability where the data breach occurs as a result of the operator’s conduct (Section 21(1) of POPIA).
Prevention is Better than Cure
Under POPIA’s 7th Condition for lawful processing of PI, a responsible party must implement the security safeguards outlined in Section 19 of POPIA to ensure lawful processing of PI and to prevent data breaches. Section 19(2) of POPIA mandates responsible parties to:
- “identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control” (Section 19(2)(a)). Such risks include, inter alia, phishing, social engineering, bait and switch pop-up messages, viruses, and hardware keyloggers.
- “establish and maintain appropriate safeguards against the risks identified” (Section 19(2)(b)). Such safeguards include, inter alia, regular POPIA awareness training for employees, with emphasis on prohibiting employees from changing the company PC’s password, inserting foreign flash disks into the company PC, reconfiguring the company PC’s settings, or outsourcing repairs of the company PC.
- “regularly verify that the safeguards are effectively implemented” (Section 19(2)(c)). This requires an IT person and/or IT department to monitor data breach risk mitigation on the company’s network.
- “ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards” (Section 19(2)(d)). Such continual updates could include anti-virus software updates, monthly or quarterly POPIA and cyber awareness training, and conducting continuous POPIA risk impact assessments and reports on the POPIA risks identified within the company.
Other preventative measures include the appointment of an Information Officer within the company (Sections 55 and 56 of POPIA) as well as having an insurance policy in place for data breaches.
Remedying a Data Breach
Notwithstanding that prevention is indeed better than cure, Section 22 of POPIA provides a comprehensive aid for data breach incidents. This provision underpins the security breach incident policy which needs to be established by a responsible party. Section 22(1), read with Sections 22(2) and 22(4) of POPIA, mandates responsible parties to, as soon as is reasonably possible after the discovery of a data breach, report the data breach incident in writing to the Information Regulator, as well as to the data subjects affected by such compromise. Section 22(5) further requires the notification of a data breach to data subjects to be effected in such a way that it:
- Describes the possible consequences associated with the security compromise and/or data breach;
- Describes how the responsible party intends to act, or has already acted, to address the data breach;
- Recommends measures to be taken by the data subject to mitigate the adverse effects of the breach; and
- Notifies the data subject of the identity of the unauthorised person or persons responsible for the data breach, who may have accessed or acquired the PI.
Remember, compliance with POPIA is essential to avoid severe penalties, including fines of up to R10 million and imprisonment of up to 10 years – not forgetting the reputational damage to the company and loss of intellectual property. By prioritising compliance and implementing robust security measures, organisations can fortify their data protection frameworks and mitigate their risks of data breach incidents.
Commentary by Jodi Poswelletski | Director and Keitumetse Khutsoane | Candidate Attorney