Cyber risks and POPI - a changing game
Cyber risks could be the next big trigger for lawsuits against directors. Such suits would follow where directors fail in their duty of care by not taking preventative measures against risks such as phishing, improper data manipulation or data loss. These directors could be held responsible for company and shareholder losses.
With this in mind, it is essential to consider the implications for directors.
The role of POPI in the industry
There are many reasons why the Protection of Personal Information Act (POPI) deserves board level attention. POPI creates many areas of legal uncertainty, so compliance is not something that can swiftly and definitively be achieved. Directors need to understand the issues and stay on top of them, as well as on any changes to the Promotion of Access to Information Act regulations.
A proclamation published in Government Gazette 37544 on 11 April 2014 brought the following sections of POPI into effect on that date, although the regulations made under the Act may still need to be finalised:
• section 1, which deals with definitions,
• part A of chapter 5, which focuses on the establishment of the information regulator,
• section 112, which refers to regulations, and
• section 113, which refers to the procedure for making regulations.
Areas to watch
POPI will no doubt have a major impact on the industry. Some of the key areas to take notice of include:
Data collection
• Explicit permission needs to be given for collection and use before data is collected.
• Data can only be collected from the public domain; no more rented database lists, and no inside information lists.
Data use and storage
• Companies must do the minimum with collected information, and always in line with the original reason for collecting it.
• Companies must protect against unauthorised access, accidental destruction, theft and information leaks.
Data sharing
• Companies must keep the types of information specified by the Act physically secure, and restrict access to it in line with the Act.
Any company utilising technology as a platform or for business support has exposure, making the threat to directors universal. Financial institutions in particular, though, need to be very concerned because of their dependence on the confidentiality of their data and their overall exposure relating to online banking.
Throwing the book at directors
In the world of Directors and Officers (D&O) litigation, settlements and/or court awards are generally understood to be non-indemnifiable. This means that the individual defendants, the directors and officers, cannot be held harmless by the company, but instead would have to pay these amounts out of their own pockets, in the absence of D&O insurance.
Some alleged breaches of duty to the organisation for which management are liable include:
• knowing that the company's customers were vulnerable to attack, and yet failing to implement appropriate security measures,
• knowing that the company's less than industry standard security systems and unreasonably vulnerable technologies would make its customers a target of attacks by third parties, and failing to take corrective measures to update those systems and technologies,
• knowingly, recklessly, or with gross negligence failing to implement a system of internal controls to protect customers' personal and financial information, and
• causing or allowing the company to conceal the scope of the data breach.
Examples of damages that could follow include lost earnings, increased expenses and injunctive relief.
Over and above the direct loss from technology abuses, there are risks to the management of companies relating to how well they protect their clients against attacks.
Directors could find themselves being sued by employees or shareholders for not taking appropriate measures to prevent hacking, for example, for failing to keep backups of lost data. This adds another layer of risk for directors, who need to take action to protect the assets of their business against cyber-crime or else face being sued.