By Wade O’Connor, Candidate Attorney and Caitlin Wilde, Partner
Since the dawn of the internet, cybercrime has been an ever-present threat. As technology develops, so too does its users’ capabilities.
President Cyril Ramaphosa has described COVID-19 as an ‘Invisible enemy’, however, 2021 could pose a new threat in the form of an ‘invisible criminal’.
With employees being forced to work remotely due to the national lockdown, many have found themselves in an unfamiliar working environment and many of whom could find themselves falling victim to online scams and cybercrimes, which would put their employer’s, their customers’ and their own private information at risk.
As the year progresses, where possible, businesses will be forced to continue working remotely which for most, means moving much of their business online. A further complicating factor is the proposed 2020 enactment of the remaining provisions of the Protection of Personal Information Act No. 4 of 2013 (“POPI”), which will see businesses having to institute further security measures to protect their customers’ private information or risk penalties and/or imprisonment.
Latest movement on POPI’s enactment
In January 2020, Pansy Tlaluka, Chairperson of the Information Regulator (“Regulator”), stated that the Regulator was lobbying for the remainder of POPI to be effective by early April 2020 – this request has yet to be confirmed by President Ramaphosa, possibly due to the sudden emergence of COVID-19 taking priority.
However, on 3 April 2020, the Regulator released a guidance note stating that it was aware that not all sections of POPI were in effect and further expressed its support for the need to process data users’ private information in order to prevent the spread of COVID-19. The guidance note provides that in certain situations, Electronic Communication Service Providers may provide the Government with location-based data, which may be used to trace individuals who have come in contact with persons who have tested positive for COVID-19.
With no confirmed enactment date, we have yet to receive a compliance deadline by which organizations will have to have the necessary security measures in place. However, businesses should be proactive about instituting such measures as some authorities believe we could see the remaining sections of POPI become effective by June 2020.
Organizations’ obligation to protect their customer’s private information
The impact of commencement:
Owing to COVID-19, the commencement date of the remaining provisions of POPI remains uncertain. However, once POPI is fully enacted, public and private organisations will have a total of 12 months from such enactment date to become fully compliant therewith. Further, each organisation will be financially responsible for their required security measures.
Until such commencement date, the public’s personal information remains at risk and organisations cannot be held liable for contraventions in terms of POPI.
Duties and obligations:
POPI places various obligations on businesses to prevent the unlawful access to, or use of, their customer’s private information. Businesses will be proactively required to:
- Prevent the loss of, damage to, or unauthorised destruction of, customers’ personal information; and
- Prevent the unlawful access to, or processing of, customers’ personal information.
Furthermore, section 69 of POPI dictates that businesses looking to use individuals’ personal information for direct marketing purposes through unsolicited electronic communications will be found to be in contravention of it.
Penalties for non-compliance:
Chapter 11 of POPI provides for penalties and administrative fines for non-compliance therewith, regardless of whether such non-compliance was intentional or negligent.
Section 107 provides that contravention of certain sections of POPI may result in imprisonment for a period of up to 10 years. Alternatively, and in some cases in addition to imprisonment, non-compliance could result in an administrative fine of up to R10 million, as provided for in section 109. Business owners and employees must be mindful of such potential consequences.
COVID-19 and Cybercrimes
COVID-19 brings with it a wave of change and uncertainty. The economic effect that COVID-19 has had, and will have, will force individuals to find other means by which they can supplement their income.
With more people working from home than ever before, cybercriminals will find it easier to target employees and gain access to their organisations’ private information. Most individuals cannot guarantee a secure internet connection, such as with a VPN, at home and some might fall prey to online scams which may not have occurred, had such cyber-attacks occurred whilst employees were at their places of employment where cyber security measures are likely to have been more stringent.
As previously mentioned, POPI does not currently criminalise negligent access to customers’ private information. However, businesses could see themselves fall victim to cybercriminals’ ransom demands in return for businesses regaining control of their customers’ private information, also known as cyber extortion. Reputational damage and a loss of confidence in organisations could also be at stake in such circumstances, as many individuals and businesses, understandably, would not want to provide personal information if the security of their data cannot be guaranteed.
With the likelihood that the remaining sections of POPI will be enacted in 2020, already struggling businesses will be placed under greater financial pressure to upgrade their information security measures. Business owners could find themselves stuck between a rock and hard place, as many might have only a few months to choose between upgrading their security systems or risking being in contravention of the recently enacted provisions.