Massive data breach in SA: Did Experian do enough?
By Ahmore Burger-Smidt
JOHANNESBURG - In mid-August 2020, 23.4 million South Africans' personal information was compromised.
The data breach was announced by Experian South Africa (Experian) on August 19 in a statement to the effect that:
"Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian. The services involved the release of information which is provided in the ordinary course of business or which is publicly available
Following this incident, Experian South Africa stated that the authorities, including the National Credit Regulator and the Information Regulator, and other major stakeholders were notified; the perpetrator of this data breach was apparently identified and an Anton Piller order was obtained against him, which effectively "impounded" the hardware and software used to carry out the data breach. Furthermore, the misappropriated data was secured and deleted.
Correctly, Experian issued a notification to the Information Regulator, but is this enough?
Experian stated that "no consumer credit or consumer financial information was obtained", but what information was then the subject of the breach?
We are unclear as to why a period of three months expired prior to the announcement of the actual data breach. We also cannot tell whether such information was divulged elsewhere prior to Experian taking cognisance of the data breach.
Sadly, the above is one of the four "known" major data breaches in South Africa in the preceding eight months of 2020 alone, and will, no doubt, not be the last data breach of 2020. Unfortunately, this worrying increase in data breaches does not correlate with an increase in preparedness by companies. In fact, many companies are woefully underprepared.
The financial impact of a data breach is undoubtedly one of the most immediate and hard-hitting consequences that companies will have to deal with. There are clear examples of companies having faced significant financial damage after a data breach. This is exactly what happened to Yahoo after it was confronted with a data breach in 2013.
The breach only became known in 2016 when the company was about to be bought by US telecoms company Verizon. The acquisition went ahead, with the buyer paying an estimated $350 million (R5.5 billion) less than the original asking price.
Research demonstrates that the costs associated with data breaches continue to rise. The problem with cyber-attacks is that no matter how much you do to combat them, there is always a good chance that one may happen.
If we consider phishing scams and other malicious communications, we know that they invite devastating attacks and that they enter a company through its employees.
Phishing scams are typically sent as emails that prompt users to click on a malicious link loaded with spyware or malware that allows the bad actor to siphon off data from the company’s network whenever they please.
Combating these attacks requires equipping employees with tools, education and training, as this will help companies to defend against these threats in the future. Furthermore, not having robust processes in place to be followed prior to releasing personal information poses a risk in itself, and can result in personal information being released to someone you merely think you know.
The so-called silver lining to these data breaches is that they have accentuated the need for robust legislative dictates applicable to businesses which process personal information. The Protection of Personal Information Act 4 of 2013 (Popi) clearly spells out the expectations of the Information Regulator once a data breach occurs.
Popi seeks to give effect to the right to privacy enshrined in section 14 of the Constitution of the Republic of South Africa, 1996. The preamble of Popi posits that the right to privacy includes the right to protection against the unlawful collection, retention, dissemination and use of personal information. Popi places an obligation on companies to process personal information responsibly; this includes protection against data breaches.
Popi provides that a responsible party, which is defined as a person or business which processes personal information, will be obliged in the event of a data breach to notify the Information Regulator as well as affected parties within a reasonable time after the discovery of the compromise. Section 22 of Popi provides that the notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including the following:
• a description of the possible consequences of the security compromise;
• a description of the measures that the responsible party intends to take or has taken to address the security compromise;
• a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
• if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
The reputational and financial harm arising from a data breach is undeniably significant, in addition to the disruption that a data breach may cause to a business's operations. The provisions of Popi relating to data breaches will strengthen the hands of the authorities in the fight against data breaches in South Africa, but this is not enough.
Responsible parties must ensure that they have an appropriate data breach response plan in place. This data breach response plan must comply with the notification requirements contained in section 22 of Popi. Responsible parties must take it upon themselves to train and equip staff regarding Popi and the dangers associated with data breaches.
Ahmore Burger-Smidt is a director and head of the Data Privacy Practice Group, Werksmans Attorneys.