Popi Act delay leaves your data vulnerable
‘Digital security doesn’t get the attention it should in South Africa’
Noelle Cowling, of the Department of Strategic Studies at Stellenbosch University, says the National Treasury must start prioritising digital security.
“The discourse around cybersecurity seems to be driven by the legal fraternity and not technical experts. Without more tech capacity, you won’t be able to secure the fortress. The Cybercrimes Bill has been substantially adjusted, but the police’s hands are tied in terms of acting against cybercrimes. Many hacks of data, such as the Nedbank and Master Deeds, are hard to pursue until legislation is in force.”
She says, in the absence of the legislation, there’s no way to prosecute negligence.
“The impact of this Master Deeds breach will be felt for years to come, with millions of people’s information leaked online. This is ultimately a human and technological problem. The World Economic Forum estimates cybercrime at 0.8% of GDP per annum – in an economy like ours, that’s really scary.”
UNCERTAINTY IN THE MARKET
Brian Pinnock, cybersecurity expert at Mimecast, adds the lengthy delay has created uncertainty in the market. “One concern is Popia will not be taken seriously by organisations because of the extended delay in bringing Popia into force from 2013 until today. Businesses are likely to be justifiably sceptical because of the continuing policy uncertainty surrounding Popia’s commencement.”
Organisations that invested heavily in privacy compliance processes and technology to prepare for Popia in 2013 have still not seen a real return on that investment, but Pinnock says it can take years to implement an effective data privacy compliance programme.
“Many organisations who have not yet invested in privacy programmes will not be prepared and ready to comply with the act.”
Popia, though, already imposes duties and obligations on businesses, says Russel Luck, technology attorney at Swifttechlaw, because it requires them to do what is “reasonably practicable” under the circumstances, which means steps towards compliance should already commence.
Businesses would be foolish to wait for the legislature’s enforcement of Popia to take steps towards compliance, as this would not be considered “reasonably practicable” under the circumstances.
Cowling says bureaucrats have done their work – it’s time for the regulator and the cybersecurity hub to be capacitated.
“People in SAPS are trying unbelievably hard, but their hands are tied. The private sector is more to blame for the vicious data breaches. The Nedbank breach came via a third-party supplier that was engaged to do SMS marketing for them. They passed over their database of clients. There has to be responsibility within the supply chain. In the EU, the onus is on the company, not the client. Here, the private sector is taking very little responsibility.
“Truth is, South Africa lacks cyber resilience and awareness within its population. Until more is done to protect personal information, such breaches will remain commonplace,” Cowling says.