Legal updates and opinions
News / News
When the law says – confess!
by Ahmore Burger-Smidt, Head of Data Privacy Practice
The importance of a data breach plan
The South African society has read about, and some members unfortunately experienced, significant data breaches this year already. Even the Presidency’s website was targeted during July 2018. In a statement addressing the incident, Khusela Diko, who is President Cyril Ramaphosa’s spokesperson said that “we can confirm interference with the Presidency website. Our technicians are currently investigating the incident and looking to restore it to operation“.
The hackers identified themselves in the message as “Black Team X”. Another case of hacktivism occurred last year in August, when an infamous cyber group by the name of Anonymous targeted gov.za sites, revoking access to the pages for a weekend.
The lesson fortunately being learned is that it’s not a question of whether a company will experience a data breach, but when. The challenge is to ensure that companies are adequately prepared to successfully deal with a breach, and emerge from the experience wiser and far more robust in terms of knowledge, systems and processes. According to a recent Ponemon Institute study, data breaches are among the top three types of incidents that affect brand reputation.
The extent of stolen or leaked data is often unbelievable. Furthermore, the proactive detection of a data breach rely on advance threat intelligence capabilities and far too often a data breach is detected when it is reported in the media or the company informed by the person responsible for the breach that they have already been compromised.
Once a breach has been contained, organisations are faced with an immense clean-up operation, involving amongst others upgrading of systems, potential administrative fines and legal fees. It is undeniable that an uphill road lies ahead in terms of brand rehabilitation for those that manage to survive a data breach.
In terms of section 22 of the Protection of Personal Information Act, Act 4 of 2013 (“POPIA“), a company has a duty to notify the Information Regulator once a data breach took place. The notification must take place as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. A data subject must also be notified (unless their identity cannot be established), where it has reason to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. The POPIA states that a notification to the data subject may only be delayed if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines that notification will impede a criminal investigation by the public body concerned.
The good news is that there is much that can be done ahead of time to prepare for a data breach and in so doing everyone can be prepared. It cannot be stressed enough how much time this will save later in trying to determine how to respond. It is imperative to determine which messages a company will communicate from the first disclosure of a data breach through to the final investigation and steps by the Information Regulator. Companies need to consider what to say about the proactive steps they are taking based on the nature of the incident and what customers or those affected need to do and how they intend to help their customers.
In order to be prepared a data breach team is required. The size of the data breach team and its composition depend on several factors. These include the size of the company, the industry involved and the complexity of the business. At many companies the response team includes at least one representative from each of the following areas:
- Human resources
- Information technology or data security
- Communications
- Risk management
- Legal
- Senior management
It is (will be) mandatory for companies to notify the Information Regulator of a data breach once the POPIA has been fully promulgated. Companies will not be able to shy away from this obligation.
Confession is an absolute duty in terms of POPIA. One should be clear on the content of a confession. A confession could very likely bring about unintended consequences. Preparation should never be underestimated.
Latest News
Constitutional subsidiarity: An important clarification
by Dakalo Singo, Director and Head of Pro Bono Constitutional subsidiarity is an important principle of South African law. While [...]
Franchisors Beware! The Competition Commission may come knocking soon
by Paul Coetser, Director and Head of Competition and Kwanele Diniso, Associate The franchising industry has long been a bone [...]
Mind the Conduct: A Guide to COFI – Part 6: COFI – What Really Changes?
by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of [...]
Remuneration governance under the amended Companies Act: A closer look at some of the key questions
by Kevin Trudgeon, Director and Helena Stoop, Senior Knowledge Lawyer 1. Introduction On 22 May 2026, a proclamation by President [...]
Does the Public Procurement Act provide for an effective dispute resolution mechanism?
by Sarah Moerane, Director and Koketso Rapoo, Senior Associate The National Treasury published the draft General Public Procurement Regulations and [...]
The shift in the evaluation criteria in South African public procurement
By Sarah Moerane, Director and Amogelang Magano, Senior Associate South Africa is in the midst of what could prove to [...]
