SAPS hack a wake-up call for the state and business
REPORTS this week of a cybersecurity breach of the South African Police Service’s (SAPS’s) website are a foretaste of bigger and more damaging information security breaches to come.
The state and business regularly downplay information security breaches. Major corporations and government institutions in places such as the US, the UK and Puerto Rico have lost millions of rand in financial and reputational damage as a result of cybersecurity breaches. We ignore the reality that losses of this magnitude will soon be happening in SA.
Three high-profile examples of cybersecurity breaches immediately come to mind. A breach of Sony’s PlayStation network saw the data of 100-million customers compromised. It has already cost Sony $200m, with 58 class action suits still outstanding. Google suffered an embarrassing cybersecurity breach when researchers demonstrated they could hack into Google’s Sydney office’s building-management system. A Puerto Rican electricity utility’s smart meters were hacked — resulting in the utility losing up to $400m a year.
The reasons for cyber attacks vary from stealing financial assets, intellectual property or sensitive information to making social or political statements, as was the case in the SAPS hack (the reason for this hack was apparently to protest the Marikana incident). The outcomes for the targets of such attacks are always negative and include: the cost of remedying the information security breach (for example, replacing the stolen assets, and if customers or third parties were affected, providing some sort of compensation to them to try to retain relationships with them after the incident); upgrades to cybersecurity systems and protection; the loss of customers or business; litigation; and reputational damage affecting customer or investor confidence.
The state and business seem to forget the statutory and best-practice recommendations that apply to them. Those that immediately come to mind (bearing in mind that certain industries and state departments have their own specific information-security provisions) are: the Protection of Personal Information Bill, which provides for the protection of personal information, the standards of protection to be applied and penalties for noncompliance; the Consumer Protection Act, which has similar provisions regarding the protection of consumer information and penalties; and chapter five of the King 3 Code of Governance Principles for SA, dealing with the governance of IT.
If just the bill and the King code are considered, it becomes evident that the state and business can no longer afford to take cybersecurity lightly.
The bill contains a number of information-protection principles. It obliges a responsible party (such as the SAPS) to secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent the loss, damage or destruction of personal information and unlawful access to or processing of personal information. In doing so, the responsible party must have regard to generally accepted practices and procedures.
While the bill is not yet applicable, the King code may well apply to many. Paragraphs 32 and 33 of chapter five deal crisply with the legal aspects of IT risk management. They state: “IT legal risk arises from the possession, ownership and operational use of technology that may result in the company becoming a party to legal proceedings. When considering the company’s compliance with applicable laws, rules, codes and standards, the board should ensure that IT-related laws, rules, codes and standards are considered. Companies must comply with applicable IT laws and consider adherence to IT rules, codes and standards, guidelines and leading practices.”
The simple question a court will ask when considering an information security breach complaint will be whether the party complied with IT rules, codes and standards, guidelines and leading practices. If the responsible party did not comply, there may be various adverse consequences.
The day is fast approaching when a press release downplaying the seriousness of a cyber attack or information security breach will not be enough to dispose of the reputational and financial damage to the state and business.
They would do well to heed the laws and standards.
Pierce is a partner at Phukubje Pierce Masithela Attorneys.