In 2014, 974-million company records were lost or stolen in South Africa alone, which is 31 records every second. According to Camargue Underwriting Managers MD Mitch Marescia, with more than a third of South Africa’s companies experiencing data breaches, it is clear there is an immediate and pressing need for organisations to get to grips with POPI.
With many of the Act’s provisions already in effect, and recognising its complexity and the implications of falling short of its imminent requirements, Camargue has launched a new electronic guide to POPI, Protection of Personal Information Made Easy, which can be downloaded at no cost from the Group’s website.
The new ebook’s eight chapters cover a vast array of topics associated with POPI, including legal definitions, dealing with data leaks, processing personal information and children, direct marketing, and the penalties for non-compliance, to name but a few. Marescia says, “It’s practical, easy to digest, and cover to cover – an instructive and illuminating read. POPI aims to protect companies and consumers from the dangers associated with personal information falling into the wrong hands as a result of such data breaches, and businesses who handle personal information must do so in accordance with the Act. It’s hoped that POPI Made Easy will do just that – simplifying the process for corporates.”
The penalties for non-compliance with POPI include fines of up to R10-million or imprisonment, depending on the offence; prison sentences vary and are under 12 months for lesser offences and up to 10 years for gross offences.
“POPI is not to be taken lightly. Ignorance will not cut it when it comes to defending negligence,” says Marescia. “And with DDoS attacks and ransomware continuing to spread and infect devices around the globe – it’s clear that criminals will keep reinventing and do whatever they can to exploit vulnerabilities and find new ways to attack, breach and steal.”
Data breaches risk exposing consumers’ personal information and opening them up to identity theft and fraud, which was what led to the Target CEO’s resignation in December 2013 after the company announced that 110 million customers’ personal information had been breached. More than 40 million customers had their encrypted PIN numbers, credit card and debit card numbers, card expiration dates, as well as the embedded code on the magnetic strip stolen. A further 70-million customers’ personal information, which included names, addresses, email addresses and phone numbers, was also compromised.
In another high-profile case, despite nearly 60 000 security alerts being set off in the four-month period between July and October 2013, luxury department store Neiman Marcus only discovered the data breaches in January 2014. The retailer was in compliance with standards meant to protect transaction data when the attack occurred, but 350 000 customers’ credit card information was stolen, and of these, 9200 have been used fraudulently since the attack [as of May 2014].
Marescia says that these examples of cybercrime demonstrate just how at risk of data breaches companies have become in recent years as a result of online predators and hacking, and confirm the massive scale on which such breaches can occur. “Cybercrime is a new kind of terrorism – a form of warfare. This is not something that’s going to go away; it must be managed and a culture of awareness must be cultivated by corporates.”
Marescia concludes, “Just because it can’t be seen doesn’t mean it’s any less real and companies big and small must take measures to manage, mitigate and migrate their risks. Boardroom to the basement education is needed to minimise the likelihood of being the victim of a cyber-attack that could lead to data breaches, financial devastation, and corporate reputation damage. A cyber instant response plan is also mandatory.”