Sunday Times

Old Mutual client cries foul over leaked e-mails

Victim of identity theft sounds alarm on personal detail communications unprotected by passwords

MALEFETSANE Kotsi is a decent sort — something for which a major South African financial institution, and one of its clients, can be grateful.

Had the 34-year-old business analyst from Krugersdorp been even the slightest bit dodgy, and abused the stranger’s confidential personal information that was e-mailed to him in error, things could have turned nasty.

Luckily for Old Mutual and its oblivious customer, Mr K — whose name, ID number, address and banking details were included in the savings policy communication e-mailed to Kotsi — this vital information has gone no further.

But Mr K’s e-mail was not the first Kotsi has received in error from Old Mutual in the past two years. In 2014, he was sent a benefit review e-mail for another unknown person, Mr M. Last year, he was sent the same man’s retirement annuity fund statement.

Fortunately, unlike Mr K’s e-mail, the earlier communications from Old Mutual were password-protected.

“Old Mutual is sending other clients’ confidential information to the wrong recipients,” Kotsi said, after alerting me to the issue.

“I am worried that my information might be sent to some random stranger. How does one go about addressing such issues?”

Kotsi was a victim of identity theft two years ago after losing his ID book. By the time he had been alerted to it, the fraudster had opened store accounts, applied for a loan and secured a bank credit card in his name.

Old Mutual, on investigating the matter, told me that both clients K and M shared the reader’s first name and — because the e-mail addresses were very similar — had inadvertently supplied Kotsi’s address to the company. Kotsi holds a funeral policy with Old Mutual.

Ursula van der Westhuizen, a spokeswoman for the company, said both customers had been contacted and their e-mails corrected.

But why wasn’t Mr K’s e-mail password protected — like the others?

“We use password protection for the bulk of our customer correspondence and are in the process of applying password governance to all our electronic contracts and statements. We envisage to have this completed by August,” said Van der Westhuizen.

Is that good enough, I asked, considering that the Protection of Personal Information Act — which safeguards the confidentiality and integrity of private information — has already been enacted and is awaiting commencement?

“Although Popi was enacted in November 2013, none of the conditions [for lawful processing of personal information] are effective yet and the information regulator, who will enforce the legislation, must still be appointed.”

Old Mutual was reliant on customers to provide it with correct contact information.

“It remains in customers’ best interests to play an active role in their relationships with service providers,” said Van der Westhuizen.

I’m not convinced. As much as consumers have a responsibility to ensure they give the correct details to information processors, mistakes on both sides can and do happen. Besides, the right to privacy is a constitutional one, long entrenched. Surely there’s a huge duty of care for the service provider to ensure the safety of private information?

Certainly when Popi’s operative provisions come into force — sadly still about two years away — Old Mutual, along with all data processors, will be answerable to the regulator. Under Popi, processors are bound to tell the regulator, and the consumer affected, of any and all breaches. Consumers themselves can call on the regulator to investigate on their behalf.

DATA RISK: If your personal information gets into the wrong hands, your bank accounts could be cleaned out

Mark Heyink, an information security consultant and lawyer, believes the delay in implementing Popi is an enormous injustice to consumers.

“The criminal provisions of Popi are inoperative at this stage but in so far as the data subject and responsible parties go, these parties should already be applying these principles,” said Heyink, who was part of the South African Law Reform Commission which researched the act in 2002.

“In the financial sector, none of this is new. But for the most part, it’s being ignored.”

Heyink said each case had to be judged on its own merits but that Kotsi’s case suggests negligence on Old Mutual’s part.

“It could be argued that Old Mutual had a duty to secure the information correctly. Why does it password protect some e-mails and not others? And it’s surely had a lot of time to get its checks and balances in place.

“Old Mutual would be able to raise the defence under Popi that it was the customer’s fault [the same defence can be raised constitutionally] but it would be up to the regulator to decide if, on the facts, the responsible party was sufficiently diligent in protecting the data subject’s personal information,” he said.

Without Popi, a consumer like Mr K could still fight Old Mutual in court based on his constitutional right to privacy but it would be a tough and costly battle to face alone. Having the Popi regulator do it instead is a different matter.

“The limit to the sanction that the regulator may impose is an administrative fine of R10-million,” said Heyink. “But the real penalty is reputational risk.”

However, with the stance on privacy hardening here and abroad, brand damage following data breaches is a threat corporate South Africa should be falling over itself to mitigate.

“The more sensitive the information a responsible party processes and the more potential for harm from a breach, the more careful it should be,” said Heyink.

If your ID or passport has been lost or stolen, or you suspect you’re a victim of ID theft/impersonation, contact the SA Fraud Prevention Service at www.safps.org.za for assistance.

Tune in to Power 98.7’s Power Breakfast (DStv audio 889) at 8.50am tomorrow to hear more from Megan

WORRIED: Malefetsane Kotsi received e-mails intended for other Old Mutual clients
