Gautrain incident a reminder to SA businesses about increasing cybercrime attacks
Candice Sutherland, Cyber Liability Specialist at SHA.
The recent hacking of the Gautrain Management Agency’s systems by an IT specialist, which could have given the suspect access to funds in excess of R800-million belonging to staff, serves as a timely reminder to South African businesses about the increasing number and severity of cybercrime attacks on local companies.
This is according to Candice Sutherland, Cyber Liability Specialist at SHA Specialist Underwriters, the largest liability underwriting management agency (UMA) in Southern Africa, who says that this type of breach could not only attract litigation from the victims but also a hefty fine from the Information Regulator established in terms of the Protection of Personal Information Act (“POPI”). “Many countries have privacy legislation in place similar to the POPI Act, and businesses could face a severe fine if the company is found to have not properly secured the private data of its clients or employees.” Fortunately, the crime in this particular case was prevented, and it also occurred before the Act had been fully implemented.
She explains that, following any type of hacking incident, the costs can rise quickly. “The company will need to investigate whether there was a breach and, if so, how it occurred, whether it has been contained, what data was affected and to whom the data belongs. Legal and IT specialist advice is likely to be required as part of the investigation.”
If a breach did occur, the company will have to notify the Information Regulator of the breach and demonstrate what security measures it had in place and what remedial action will be taken, says Sutherland. “Legal advice will be required and there may be time limits on how quickly this needs to be done.”
Following this, the Information Regulator may decide on specifics regarding the action to be taken, she says. “Affected clients will have to be notified and the company may have to offer them further remediation services. The Regulator may also, depending on the severity of the breach, determine whether a fine is appropriate and, if so, what the amount thereof will be. How these decisions are taken and how severe the penalty is will depend on the Information Regulator and the regulations he/she will make under section 112(2) of POPI.”
The Information Regulator is the regulating authority that has been created by the POPI Act. The Act gives the Regulator extensive powers to investigate contraventions of the Act and fine responsible parties. Victims of data breaches will be able to lodge a complaint with the Regulator, who will be able to take action on behalf of these complainants. The Information Regulator will regulate both POPI and the Promotion of Access to Information Act (“PAIA”) and will establish an Enforcement Committee which will consider all complaints referred to it and make findings. Although those sections of POPI that relate to the Information Regulator have already commenced, the process to establish the Information Regulator is still underway and no one has been appointed as yet. In addition to potential fines from the Information Regulator, the company may also face legal action taken by affected parties and the possibility of class action suits, she says.
“Whether the company has to defend itself against civil actions arising out of the failure to protect the private data of its customers, or whether it is facing enforcement action by the Regulator, the company will always have to pay for notification expenses, crisis management expenses as well as legal costs. As a result, it is imperative for all businesses storing personal data to have effective Cyber Liability cover in place or they could face hefty financial repercussions or, in the worst case scenario, liquidation,” concludes Sutherland.