13 April 2022
534
You have an online store through which you sell products. Although you have taken precautions, the risk of a cyber-attack remains a concern as you hear about more and more businesses that suffer attacks. Apart from the reputational risk which could be massive, you also wonder about legal consequences when you consider the impact of data protection legislation.
If you share the above concerns, hopefully this article will clarify some of the risks your business may face in the event of a cyber-attack. And don’t feel alone! With the rapid expansion of the digital landscape and the pace of change and new development, cybersecurity has become an immense concern even for large corporates and governments.
In South Africa, cybersecurity is mainly regulated by the Protection of Personal Information Act 4 of 2013 (“POPIA”) which applies to the personal information of data subjects and the Cybercrimes Act 19 of 2020 (“Cybercrimes Act”) specifically promulgated to provide protection against cybercrimes in general.
A cyber-attack can essentially be defined as an attack where the victim is the subject of a cybercrime. Chapter 2 of the Cybercrimes Act aligns with international best practices in its criminalisation of unwanted conduct and communication in cyberspace. According to this chapter, cybercrimes can include the unlawful accessing and unlawful acquisition and interception of data, spam and malicious communications as well as internet forgery and fraud. The Cybercrimes Act tries to advance cyber protection by criminalising a variety of acts as cybercrimes.
Although the Cybercrimes Act primarily prescribes penalties for the perpetrators of cybercrimes, it also provides that some offences may be dealt with in terms of POPIA. A responsible party who is found to have been in breach of POPIA may be liable for hefty administrative fines. Additionally, a responsible party may have civil action taken against them when they are in breach of POPIA, i.e., where they did not take reasonable steps to ensure compliance with POPIA.
Depending on the type of services that a business provides to its clients, the courts may expect responsible parties to demonstrate that they have fulfilled their duty of care, or that they have acted with the necessary skill, knowledge, and diligence to avoid cyber-attacks. Responsible parties and persons who are in control of information are also obligated to assist police officials in the investigation of cybercrime. Any person who obstructs or hinders such an investigation, commits an offence.
Importantly, what we can conclude from the above is that in addition to reputational damage, a business could also be liable for sanctions under POPIA even though they did not commit a cybercrime but was the victim thereof. This means that a business should assess their risk of attack and potential data breaches and implement the necessary measures to minimise this risk and repel cyber-attacks.
Also, should you experience a cyber-attack and possible data breach, a business should have an incident response plan in place to set out the steps the business will take to address the attack, notify stakeholders of the incident and report the cybercrime to the South African Police Service and cooperate with any investigation launched.
If the above sounds like a mouthful, the unfortunate reality is that it is. As the intensity and sophistication of cyber-attacks increase, so does the pressure on businesses intensify to be preventative and react correctly in the event of any attack. This is where come in. Contact us and we can arrange a sit-down with you to assess your business risks and advise you on what steps to take to address your risks effectively.
Disclaimer: This article is the personal opinion/view of the author(s) and is not necessarily that of the firm. The content is provided for information only and should not be seen as an exact or complete exposition of the law. Accordingly, no reliance should be placed on the content for any reason whatsoever and no action should be taken on the basis thereof unless its application and accuracy has been confirmed by a legal advisor. The firm and author(s) cannot be held liable for any prejudice or damage resulting from action taken on the basis of this content without further written confirmation by the author(s).