Saturday Star

Popi Act delay leaves your data vulnerable

‘Digital security doesn’t get the attention it should in South Africa’

- GEORGINA CROUTH | georgina.crouth@inl.co.za

Department of Strategic Studies at Stellenbosch University, Noelle Cowling, says the National Treasury must start prioritising digital security.

“The discourse around cybersecurity seems to be driven by the legal fraternity and not technical experts. Without more tech capacity, you won’t be able to secure the fortress. The Cybercrimes Bill has been substantially adjusted, but the police’s hands are tied in terms of acting against cybercrimes. Many hacks of data, such as the Nedbank and Master Deeds, are hard to pursue until legislation is in force.”

She says, in the absence of the legislation, there’s no way to prosecute negligence.

“The impact of this Master Deeds breach will be felt for years to come, with millions of people’s information leaked online. This is ultimately a human and technological problem. The World Economic Forum estimates cybercrime 0.8% of GDP per annum – in an economy like ours, that’s really scary.”

UNCERTAINTY IN THE MARKET

Brian Pinnock, cybersecurity expert at Mimecast, adds the lengthy delay has created uncertainty in the market. “One concern is Popia will not be taken seriously by organisations because of the extended delay in bringing Popia into force from 2013 until today. Businesses are likely to be justifiably sceptical because of the continuing policy uncertainty surrounding Popia’s commencement.”

Organisations that invested heavily in privacy compliance processes and technology to prepare for Popia in 2013 have still not seen a real return on that investment, but Pinnock says it can take years to implement an effective data privacy compliance programme.

“Many organisations who have not yet invested in privacy programmes will not be prepared and ready to comply with the act.”

Popia, though, already imposes duties and obligations on businesses, says Russel Luck, technology attorney at Swifttechlaw, because it requires them to do what is “reasonably practicable” under the circumstances, which means steps towards compliance should already commence.

Businesses would be foolish to wait for the legislature’s enforcement of Popia to take steps towards compliance, as this would not be considered “reasonably practicable” under the circumstances.

Cowling says bureaucrats have done their work – it’s time for the regulator and the cybersecurity hub to be capacitated.

“People in SAPS are trying unbelievably hard, but their hands are tied. The private sector is more to blame for the vicious data breaches. The Nedbank breach came via a third-party supplier that was engaged to do SMS marketing for them.

“They passed over their database of clients. There has to be responsibility within the supply chain. In the EU, the onus is on the company, not the client. Here, the private sector is taking very little responsibility.

“Truth is, South Africa lacks cyber resilience and awareness within its population. Until more is done to protect personal information, such breaches will remain commonplace,” Cowling says.

INFORMATION Regulator Pansy Tlakula asked President Cyril Ramaphosa to proclaim the commencement date of the Protection of Personal Information Act as April 1, which means the compliance deadline will be April 1 next year. | Supplied
