The recent hijacking of a courier van carrying South African citizens’ UK visa application forms has brought to the fore the issue of liability for the loss of these documents, especially if these documents containing sensitive and personal information are used to commit identity theft.
This is according to Candice Sutherland, business development consultant at SHA Specialist Underwriters, who says it is crucial for businesses dealing with people’s personal information to ensure the safety and security of those documents. “This is particularly important in light of the rise in identify theft, paired with the pending implementation of the Protection of Personal Information Act (POPI).”
In this case, the custodian of the information is the British High Commission, who the applicants entrusted their documentation to, says Sutherland. “However, it appears that the courier company may be liable to the Commission. The applicants may seek redress from the Commission and the Commission from the courier company, so both parties could potentially be held liable.”
She says the direct financial losses would include the cost of the visa, as well as the cost of replacing all original paperwork, such as marriage certificates. “The consequential loss of this sort of breach could be catastrophic for the applicants concerned. The documentation stolen can be used for years to come to open accounts, purchase black market items and commit identity theft.”
It is important for businesses that store customer and employee personal details to have a comprehensive cyber-insurance policy in place, she says. “A cyber policy covers first party and third party theft of data. The policy can respond to theft of data in paper format too – not just electronic data.”
This type of cover is especially important in light of POPI whereby companies seen to not have taken the necessary precautions could face fines up to R10-million or 10 years in prison, says Sutherland.
As soon as the effective date for the sections of the Act pertaining to enforcement have been published and the Regulator has been appointed the penalties can be enforced, she says. “The Act makes provision for both fines and prison sentences for criminal offences related to the Act and civil remedies such as damages awards for contraventions. The Act also makes provision for ‘aggravated’ damages which is an award over and above the amount required for financial redress.”
She says that the section of POPI pertaining to the establishment of an Information Regulator (Part A of Chapter 5) has been declared effective but there is no indication of the date that the Regulator will be appointed. “There has been speculation that the implementation may be postponed due to budgetary constraints, but this is mere speculation.”
Should anyone fall victim to this type of crime, it is highly recommended that they immediately institute credit monitoring on all accounts in order to detect any suspicious activity or changes, Sutherland adds.