Less than two months after the commencement of the Protection of Personal Information Act (POPI), South Africa has suffered a massive data breach with about 24-million individuals and 800 000 companies exposed by the Experian hack.

Under POPI, Experian is required to notify the Information Regulator. In addition, unless Experian has been notified by the Information Regulator or an authority investigating the crime not to do so, the credit bureau is also required to notify every person and company whose personal information has been compromised.

Dealing with such a large loss of data, and so many affected data subjects, is plainly no easy task. The organisation will have complex legal obligations towards the public and, at the same time, needs to ensure that it avoids actions that result in unnecessary liability.

Data breaches are becoming more frequent. This highlights the critical need for companies to adopt robust, tested data breach response plans, so that their reaction is swift, compliant and coordinated. Part of such a plan is to analyse corporate data thoroughly, so that the organisation understands exactly what data it holds and where that data is. This allows organisations to assess quickly what information was lost and who the affected data subjects are. Organisations should do this as soon as possible, and as part of a full POPI compliance exercise.

There are reports that the perpetrator of the Experian hack has been caught. Currently, South Africa does not have a comprehensive law regulating cybercrimes. The Cybercrimes Bill has been passed in Parliament, and is currently awaiting the president’s signature. This Bill creates specific offences, including hacking, and imposes additional reporting obligations on financial institutions.
The Experian hacker will have to be prosecuted under existing and rather outdated laws. However, once the Cybercrimes Bill is in force, prosecution of these crimes should become significantly more effective.