FANews
FANews
RELATED CATEGORIES
Category Legal Affairs
SUB CATEGORIES General | 

What legal recourse is available to South African cybercrime victims?

08 November 2017 Fatima Ameer-Mia, Cliffe Dekker Hofmeyr
Fatima Ameer-Mia, Senior Associate within the Technology and Sourcing practice at Cliffe Dekker Hofmeyr.

Fatima Ameer-Mia, Senior Associate within the Technology and Sourcing practice at Cliffe Dekker Hofmeyr.

Following the largest data breach of private citizens in South Africa’s history, which saw the personal data of over 30 million people leaked online, South Africans are increasingly at risk of falling victim to identity theft, fraud, and other forms of cybercrime.

One of the major challenges from a legal standpoint at present, according to Fatima Ameer-Mia, Senior Associate within the Technology and Sourcing practice at Cliffe Dekker Hofmeyr, is that there is currently no legislation in force which compels a business to disclose such data breaches to its information security.

“Across the world, data is a very valuable resource and the commercialisation and monetisation of data is therefore big business. Businesses in South Africa, however, tend to have particularly poor information security practices in place, which puts them at greater risk to opportunistic cyber criminals. Until a regulatory framework is established which criminalises cybercrimes, providing the impetus for businesses to implement more robust information security measures and disclose any data breaches experienced, South Africa will continue to be a high risk country with regards to cyber and information security threats.”

Under the current South African law, Ameer-Mia says that legal recourse against cybercrime is fairly limited. “The only circumstances under which compensation may be payable is if an individual is able to prove monetary loss and causality and succeeds with a delictual claim*, whereby they claim for damages from the individual or organisation who caused the data breach. In this case, however, the claimant will have to go to court, which is usually a complicated and costly exercise.”

She says that this is expected to change when the Protection of Personal Information Act, 2013 ("POPI") comes into force. “The notification of data breaches in South Africa is governed by POPI, and while POPI has been promulgated, its substantive sections are not yet in effect."

“Only once these substantive sections become legally binding, do we expect to see businesses change their approach to the protection of customer and employee data, as this will mean that an organisation which is involved in a data breach situation may be subject to an administrative fine, penalty or sanction,” Ameer-Mia explains.

“Furthermore, POPI will provide remedies and a complaint channel for those compromised by the unlawful processing of personal information,” she adds.

Ameer-Mia says that, as a starting point, to protect both themselves and their customers, companies need to safeguard the data collected and held by them, and be more transparent about instances where this data may be breached. “This starts with a risk assessment in terms of critically evaluating what data they hold, where they get it from, why they hold it, how they use it and who has access to such data."

“Once this understanding has been established, businesses can then turn to the technical and organisational measures they currently have in place (or have to put in place) to safeguard such data against unlawful access.”

She concludes that hopefully, the recent data breach will provide the impetus for government to take positive action with regards to implementing the legislative and regulatory framework around data protection and cybersecurity. “In the long run, implementing a regulatory framework which protects citizens and allows for healthy economic development will benefit all parties – consumers, businesses and the government alike.”

Quick Polls

QUESTION

How effective do you think technology is in improving compliance processes for FSPs?

ANSWER

Very effective – it streamlines and automates processes
Somewhat effective – helps but can't solve all issues
Not effective – technology can't replace proper oversight
fanews magazine
FAnews October 2024 Get the latest issue of FAnews

This month's headlines

The township economy: an overlooked insurance market
FSCA regulates crypto assets: a new era for investors
Building trust: one epic client experience at a time
Two-Pot System rollout underlines the value of financial advice
The future looks bright for construction
Subscribe now