Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others.
This personal information can be one’s name, location, contact information, or online or real-world behaviour. Just as someone may wish to exclude people from a private conversation, many online users want to control or prevent certain types of personal data collection.
As internet usage has increased over the years, so has the importance of data privacy. Websites, applications, and social media platforms often need to collect and store personal data about users in order to provide services. However, some applications and platforms may exceed users’ expectations for data collection and usage, leaving users with less privacy than they realised.
Other apps and platforms may not place adequate safeguards around the data they collect, which can result in a data breach that compromises user privacy.
As a business owner, what are the rights of your data subjects?
Your business is obligated to adopt transparent operational procedures that control the collection and processing of personal information.
Businesses are obligated to collect personal information in a legal and reasonable way, for a specific reason and only if it is necessary for operations, and to process the personal information obtained from clients, employees, suppliers, etc. (data subjects) only for the purpose for which it was obtained in the first place.
Businesses are further required to commit not to process personal information obtained from data subjects in an insensitive, derogatory, discriminatory, or wrongful way that intrudes on the privacy of the data subject.
All data subjects of your business must be allowed to request access to certain personal information and may also request correction or deletion of personal information within the specifications of the Protection of Personal Information Act (POPIA).
Is your Business POPI Compliant?
Do you have a Data Privacy Policy in place that is unique to your own business and operations?
Do you have the consent of your clients, employees, suppliers, etc. to collect, process, store, and share their information?
Are your employees bound to your Data Privacy rules by means of a signed declaration?
Have your service providers signed an Operator’s Agreement when you share your clients' or employees' information with them (service providers like accountants, payroll administrators, software support businesses, etc.)?
Is your website, social media pages, or WhatsApp business account updated with your Data Privacy Policy?
Do you have an up-to-date IT Security Policy with measures in place?
Have you obtained and reviewed recommendations from your IT support provider on further measures that must be considered in order to protect your data subjects’ personal information?
Have you implemented an internal process concerning your company’s IT, devices, and email policies and procedures for all employees?
Have you appointed an Information Officer, registered the IO with the Information Regulator, and provided professional training on the role of an IO?
Have you implemented OPT-INS or OPT-OUTS when doing client canvassing or sending bulk communication to data subjects?
Has your entire workforce been trained on POPI, all business policies and procedures concerning POPI, and cyber risks? This must be done on a regular basis and not as a once-off.
What compliance measures have many business owners implemented since the inception of POPIA?
They copied a Data Privacy Policy from elsewhere rather than developing one unique to their business operations.
They implemented a data subject consent process.
They appointed Information Officers, registered them with the Information Regulator, and trained the Officers professionally.
They implemented OPT-INS or OPT-OUTS when doing canvassing and when sending bulk communication.
Most businesses complied with the basic documentary POPIA requirements outlined above. Many, however, either skipped a proper review of their digital security measures and have done little since, or simply assumed that these are in order.
Even though everyone has heard about email interception and hacking, very little or no action is taken proactively to ensure that employees are trained and that their devices, the business’s devices, and its internet connections are properly secured, until a data breach, email interception, or internet virus actually presents itself in the business.
Questions we should ask ourselves about data privacy:
How is it possible for email hackers to still get access to your and your data subjects' emails and therefore intercept information in order to steal deposits?
How is it possible for social media pages to still be hacked, and your identity therefore stolen on social media?
How many of us work from various locations and not only from a designated workplace?
How many of us work from our own cell phone devices, laptops, and tablets and have our work emails connected to all these devices?
How many of us log into Wi-Fi at home and then log onto the workplace or public place internet connection and therefore work off many internet connections in a day?
How many of us have sat through countless POPIA training sessions and have no or very little idea of what real POPIA compliance and digital security actually mean for us, our devices, and our internet connections?
How many of your data subjects assume that you have secured your internet and email, and therefore simply switch on their device and connect to the internet when arriving at your business premises?
Are we aware of the Regulatory requirement to review our POPIA Policy and other operation documents ANNUALLY? And how many of us have done that annual review?
Data privacy crime:
Traditional organised crime and cybercrime have historically been two separate divisions. However, one overarching message has emerged in the last 3 years: organised crime has gone digital, erasing the distinction between the two.
Hackers infiltrating computer networks for the sake of amusement or glory are no longer the norm in the present era of cybercrime. The digital economy’s growth and expansion have radically altered the criminal landscape.
Cybercriminals seek to join with criminal bosses who have the vision, power, and connections to carry out complicated, far-reaching schemes and hacks, much like traditional organised crime does. These cybercriminal kingpins are only becoming better at what they are doing.
The activities and business models of these global cybercrime syndicates are patterned after legitimate businesses. Security analysts believe they are educating new recruits, using collaborative programs, and even employing service agreements amongst the experts they hire.
Data breaches in South Africa:
To name but a few of the data leakages –
Master Deeds – 60 000 000 unique records exposed. The data featured personal, financial, and property ownership information. Along with names, ID numbers, and contact details, it included estimated income values, title deed numbers, bond amounts, property sale prices, company directorships held, and more.
Ster-Kinekor – 7 000 000 unique records exposed. There was a vulnerability in the back-end system of the old Ster-Kinekor website that allowed anyone to get the data: names, addresses, emails, phone numbers, and passwords of every user.
Liberty Life – 3 200 000 unique records exposed.
ViewFines – 934 000 unique records exposed.
The average cost per data breach is R36 500 000, and the average time to identify a data breach is 150 days.
In South Africa, three root causes of data breaches were identified:
Malicious or criminal attack (48%)
Human error (26%)
System glitches (26%)
On average, malicious or criminal attacks took 191 days to identify and 62 days to contain. Human error breaches took 150 days to identify and 40 days to contain, while system glitch breaches took 163 days to identify and 44 days to contain.
How do drive-by download attacks work?
If you have ever asked yourself, “what is a drive-by download attack?”, you are more aware than most. Since they infiltrate so quickly, even on “safe sites”, most people have no clue how they got infected. There are two main ways malicious drive-by downloads get onto your devices:
1. Authorised without knowing the full implications – You take an action that leads to infection, such as clicking a link in a deceptive fake security alert that downloads a Trojan.
2. Fully authorised without any notification – You visit a site and get infected without any prompts or further action. These downloads can be anywhere, even on legitimate sites.
Knowing exactly what a drive-by download is, is as important as knowing how to spot the bait for an attack. Let us unpack each of these methods to help you see possible red flags.
The hacker creates a vector for malware delivery – online messages, adverts, and legitimate program downloads.
You interact with the vector – by clicking a deceptive link, downloading software, etc.
Malware installs on your device – by failing to opt out of extra software or arriving at a malware-infested site.
The hacker successfully enters your device – malware takes unwanted control of your data.
Protecting yourself against malware:
Malware, short for “malicious software”, refers to a type of computer program designed to infect a legitimate user’s computer and inflict harm on it in multiple ways. Malware can infect computers and devices in several ways and comes in a number of forms, including viruses, worms, Trojans, and spyware. It is vital that all users know how to recognise and protect themselves from malware in all of its forms.
How do I make sure my computer or network is malware free? The answer has two parts: personal vigilance and protective tools.
One of the most popular ways to spread malware is by email, which may be disguised to look as if it is from a familiar source such as a bank, or a personal email from a friend.
Be wary of emails that ask you to provide passwords, or emails that seem to be from friends but contain only a message such as “check out this cool website!” followed by a link.
Personal vigilance is the first layer of protection against malware, but simply being careful is not enough. Because business security is not perfect, even downloads from legitimate sites can sometimes have malware attached. This means that even the most prudent user is at risk unless you take additional measures.
What is Phishing?
Phishing persuades you to take action that gives a scammer access to your device, accounts, or personal information. By pretending to be a person or organisation you trust, they can more easily infect you with malware or steal your credit card information.
In other words, these social engineering schemes “bait” you with trust to get your valuable information. This could be anything from a social media login to your entire identity via your ID number. These schemes may urge you to open an attachment, follow a link, fill out a form, or reply with personal information. By that logic, you must be on guard at all times, which can be exhausting.
The most common scenario is as follows:
You open your email and suddenly an alert from your bank appears in your inbox. When you click on the link in your email, you are taken to a webpage that looks, more or less, like your bank.
Here is the catch: this site is actually designed to steal your information. The alert will say there is a problem with your account and ask you to confirm your login and password.
After entering your credentials on the page that appears, you are usually sent to the actual institution to enter your information a second time. By steering you to the legitimate institution, you don’t immediately realise your information was stolen.
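The two lures described above (the “check out this cool website!” email carrying a link, and the fake bank alert that sends you to a lookalike login page) share a few mechanical tells that can be checked before anyone clicks. The script below is an added example written for this article, not code from EOHCB or the POPIA Regulator; it runs three heuristic checks over an email: does the sender’s display name claim a trusted brand while the address comes from another domain, does a link’s visible text name one domain while its target points elsewhere or to a typosquatted lookalike, and does the body ask the reader to confirm a login or password. The trusted domains (`examplebank.co.za`, `eohcb.com`), the two sample messages, and the lure wording are all constructed for illustration.

```python
"""Heuristic phishing checks for an e-mail (added example; all samples constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of domains the recipient genuinely deals with.
# A real deployment would maintain its own list of banks, suppliers, etc.
TRUSTED_DOMAINS = ("examplebank.co.za", "eohcb.com")

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)
# Wording typical of the "confirm your login" and "cool website" lures.
LURE_RE = re.compile(
    r"(confirm|verify|update)\s+your\s+(login|password|account)"
    r"|check out this cool website", re.IGNORECASE)


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain an untrusted host imitates, or None."""
    host = host.lower()
    if not host or is_trusted(host):
        return None
    for d in TRUSTED_DOMAINS:
        brand = d.split(".")[0]  # e.g. "examplebank"
        if edit_distance(host, d) <= 2 or brand in host:
            return d
    return None


def analyse_email(raw):
    """Return a list of human-readable findings; an empty list means no tell was found."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    squashed = re.sub(r"[^a-z]", "", name.lower())  # "Example Bank" -> "examplebank"
    for d in TRUSTED_DOMAINS:
        if d.split(".")[0] in squashed and not is_trusted(sender_host):
            findings.append(f"sender-mismatch: '{name}' but sent from {sender_host}")
    body = msg.get_payload()  # single-part message in these samples
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname or ""
        text_clean = re.sub(r"<[^>]+>", "", text).strip().lower()
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"lookalike-domain: {host} imitates {imitated}")
        if any(d in text_clean for d in TRUSTED_DOMAINS) and not is_trusted(host):
            findings.append(f"link-text-mismatch: text '{text_clean}' -> {host}")
    if LURE_RE.search(re.sub(r"<[^>]+>", " ", body)):
        findings.append("credential-lure: body asks to confirm login/password")
    return findings


# Constructed sample: the fake bank alert from the scenario above.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-secure.co.za>
To: owner@smallbusiness.example
Subject: Urgent: problem with your account
Content-Type: text/html

<p>We detected a problem with your account. Please
<a href="https://examplebank-secure.co.za/login">confirm your login and password</a>.</p>
<p>Or visit <a href="http://exannplebank.co.za/">examplebank.co.za</a></p>
"""

# Constructed sample: a genuine notification for comparison.
LEGITIMATE_SAMPLE = """\
From: "Example Bank" <alerts@examplebank.co.za>
To: owner@smallbusiness.example
Subject: Your monthly statement
Content-Type: text/html

<p>Your statement is ready. <a href="https://www.examplebank.co.za/statements">View your statement</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, analyse_email(sample) or ["no findings"])
```

The checks are deliberately simple and will not catch every lure; they are meant to show the kind of automated screening a business can put in front of staff training, and the legitimate sample shows that a correctly addressed bank email with a link to the bank’s own subdomain produces no findings.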
Solutions to POPI compliance and security against data privacy breaches:
Update your business’s data privacy policy. This must be done annually.
Review your business’s employee IT, email, and devices policy. This must be done annually.
Ensure that your business has a proper non-disclosure third-party operator’s agreement in place and send this to your third-party service providers.
Review your business’s employee declarations which must be renewed annually.
Review your business’s IT cyber security measures. Write them down so that they are measurable.
Obtain professional IT cyber security recommendations.
Review your business’s payment and social media rules. This is to be renewed annually.
Arrange formal staff training (with recordings and notes) to be presented annually.
POPIA non-compliance carries financial penalties:
As a business owner, you are legally responsible for the theft of your data subjects' information. If you fail to comply with the POPI Act, whether intentionally or accidentally, you can be liable for an administrative fine of up to R10 million.
If your data subjects are impacted by a data breach, POPIA even empowers them to take civil action for damages. Can your business afford this?
POPIA non-compliance can strain your reputation:
Few data subjects like giving up their personal information. When they do, they expect you to use it appropriately and protect it at all costs. A data breach can leave a major scar on your reputation. First, it shows a lack of consideration for your data subjects and can disrupt their positive experience with your business. Second, it will also present your business as one which is not tech-savvy or well-managed.
Would you be impressed by a company that has not taken the right precautions to protect your personal information?
POPIA non-compliance can lead to imprisonment:
Depending on how serious the breach is, you could face criminal prosecution. This could be up to 10 years imprisonment. There are signs that police will be enforcing this aspect of POPIA quite stringently. When Experian Africa experienced a data breach, the culprit was promptly arrested and charged with the crime.
NEED ASSISTANCE WITH POPIA COMPLIANCE? Contact the EOHCB Information Officer at popi-io@eohcb.com.