POPIA: Do Interim Data Breaches Go Unpunished?

The Protection of Personal Information Act 4 of 2013 (“POPIA” or “POPI”) has been a hot topic in South Africa over the past year given the anticipation of the Act coming into full force. The commencement date of the Act was 1 July 2020; however, a grace period was granted for organizations to become POPI compliant by 1 July 2021. Hence, there has been an ongoing conversation about POPI compliance: what it means for organizations and how data breaches will be dealt with from the effective date. Since the Act is only in full effect from 1 July 2021, what then are the consequences for data breaches that occurred during the interim period?

POPIA and the Information Regulator

POPIA aims to safeguard personal information when it is processed by public and private bodies. In order to do so, the Act sets certain conditions that must be maintained as minimum requirements whenever personal information is processed. Additionally, organizations must appoint an Information Officer who ensures POPI compliance within the organization. The Act also makes provision for the establishment of the Information Regulator, the statutory body responsible for:

  • Education: Includes promoting an understanding of the conditions for the lawful processing of personal information; undertaking educational programmes in relation to POPI; giving advice to individuals in the exercise of their rights regarding their personal information; and advising organizations on their obligations under the Act.
  • Monitoring and enforcing compliance: Ensuring compliance by public and private bodies with the provisions of the Act; researching and observing developments in information processing and computer technology; examining any proposed legislation that may affect POPI; and conducting assessments of public or private bodies to determine lawful processing of personal information in accordance with the set conditions.
  • Handling complaints: Investigating complaints about alleged violations of personal information and attempting to resolve such complaints through dispute resolution mechanisms.
  • Other aspects: Provision is made for the Information Regulator to issue codes of conduct and guidelines for the development of policies in relation to POPIA; to co-operate on a national and international basis with persons or bodies concerned with the protection of personal information; and to perform duties as required by the Promotion of Access to Information Act 2 of 2000 amongst others.

Data Breach Incidents

Experian:

In August 2020 Experian South Africa, a credit bureau, suffered a data breach exposing consumers’ personal information. Experian concluded an agreement for services with a company that was being impersonated, which resulted in Experian handing over personal information. The personal information about individuals that was leaked included contact information and employment information such as names and surnames, South African identity numbers, telephone numbers, email addresses, physical addresses, place of work, title at place of employment, employment start date and work contact details. Experian clarified that no personal consumer credit, financial or banking information was shared. However, a fraudster could use the information provided to defraud a person and convince them to share financial or banking information. Additionally, business information was shared, including the names, physical addresses, registration dates, company registration details, general business information, company contact information and credit profile information of business entities. For approximately 24 000 businesses, bank account numbers were also shared. In total, the personal information of 24 million individuals and approximately 793 000 local businesses was compromised. To get to the bottom of the data breach, an investigation ensued, including a security assessment, a compliance assessment and a risk assessment. Experian affirms that it continues to work closely with both law enforcement and the Regulators to ensure that the suspect is brought to justice. However, do Experian’s efforts to bring justice and resolve the data breach incident include collaboration with the Information Regulator?

ABSA:

In November 2020, an employee of ABSA Bank South Africa unlawfully made selected customer data available on an external platform and then sold it to third parties. The employee was a credit analyst at the bank who had access to risk modelling systems and sensitive client information. The personal information leaked included names and surnames, identity numbers, physical addresses, bank account details, contact details and descriptions of financed vehicles. The data of approximately 200 000 customers was compromised. ABSA subsequently obtained High Court orders that enabled search and seizure operations, and it secured and destroyed all devices containing the data. Furthermore, ABSA dismissed the employee and laid criminal charges against them. According to its investigation, ABSA believes that the data was intended for telemarketing purposes. However, the personal information leaked may be used to commit fraud on those accounts. ABSA held that it may take further action against the recipients of the data once the full scope of the data breach is identified and all investigations are complete. ABSA has informed the Information Regulator about this data breach.

Virgin Active:

In May 2021 Virgin Active, a South African fitness group, was targeted by cyber-criminals. There was no indication that data had been removed by unauthorized third parties; however, Virgin Active took its systems offline and suspended all online activities while resolving the issue. Additionally, it urged members to remain vigilant of any suspicious online activity. The nature and full extent of the cyberattack and possible data breach are still under investigation. Virgin Active has notified the Information Regulator of the cyberattack as a precaution.

QSURE:

In June 2021 QSURE, a South African insurance provider, was subject to a data breach in which customer data of QSURE’s clients, including insurers and brokers, was affected. The personal information accessed relates to policyholders who are clients of QSURE’s customers and includes banking details such as account holders’ names, bank account numbers and bank branch codes. This personal information had been exfiltrated from the company’s servers. There is now an increased risk of fraud and other possible identity crimes associated with this personal information. It is unclear how many records were exposed and how much data was compromised; the investigation is still ongoing. QSURE has reported the data breach to the Information Regulator and the Financial Sector Conduct Authority.

Procedure under POPIA

Under POPIA, when there has been a data breach, the Information Regulator and the affected data subjects must be informed. This allows the scope of the compromise to be determined and the integrity of the information system to be restored. Thereafter, civil and criminal investigations can proceed. Protective measures must be taken against the potential consequences of the compromise, and an organization should implement its ‘data breach incident’ response plan, as developed with the guidance of a legal advisor, following the provisions of POPIA and the guidelines of the Information Regulator.

The Need for Clarification

POPIA guarantees the protection of personal information and tasks the Information Regulator with the duty to educate in this regard, to monitor and enforce POPI compliance, and to handle complaints, amongst other duties. The Experian data breach is one example of a massive data breach that occurred during the grace period. The ABSA insider data leak, the Virgin Active cyberattack and the QSURE data breach indicate that various types of data breaches occurred during the grace period, and there may be others. Now that POPIA is in full force, and knowing that it does not have retrospective effect, what then are the consequences for data breaches that occurred during the interim period? The Information Regulator ought to provide guidelines for clarification.

Centurion Law Group:

Centurion Law Group is a leading pan-African legal and energy advisory group. Centurion covers a full suite of practice areas. One of Centurion’s areas of industry expertise is Telecommunications and Technology. In addition to this, Centurion’s core practice groups include Regulatory and Compliance; and IT & Data. Centurion Law Group is on top of POPI compliance and related matters. Get in touch with the Centurion team should you require any legal assistance or advice.

Author: Caitlin Naidoo, Centurion Law Group