In today's digital economy, no business is immune from cyber attacks or data breaches. Whether caused by human error, hacking or insider abuse, a data breach can expose sensitive customer information and trigger significant legal consequences.

In South Africa, data breach reporting obligations arise primarily under three central pieces of legislation:

  • Protection of Personal Information Act 4 of 2013 (POPIA),
  • Electronic Communications and Transactions Act 25 of 2002 (ECTA), and
  • Cybercrimes Act 19 of 2020.

Failure to comply with these laws can result in regulatory investigations, heavy fines, and even imprisonment. This article highlights a business's breach reporting responsibilities, statutory requirements and penalties for non-compliance.

What constitutes a “security compromise” or breach?

Under Section 22 of POPIA, a “security compromise” occurs when there are reasonable grounds to believe that the integrity or confidentiality of personal information has been compromised through unauthorized access, acquisition, disclosure or loss.

Typical examples include:

  • hacking or ransomware attacks;
  • theft of devices containing personal data;
  • accidental disclosure of customer information; or
  • unauthorized internal access to personal data.

The important point is that the test is not certainty but “reasonable grounds to believe” that a breach has occurred and that a data subject's personal information has been accessed or acquired by an unauthorized person. Certainty is therefore not required: a credible risk of exposure is enough to trigger the reporting obligation.

Reporting Obligations under PoPIA

1. Duty to inform the Information Regulator and affected persons

Section 22(1) of POPIA places an explicit legal duty on the responsible party (the business that determines why and how personal information is processed) to inform both:

  • the Information Regulator, and
  • each affected data subject, as soon as reasonably practicable after the compromise is discovered.

Many businesses use third-party processors, such as an IT vendor or payroll company, to manage and process certain personal information on their behalf. Where the business uses an operator (such as a third-party IT vendor), section 21(2) requires the operator to notify the business immediately upon becoming aware of a potential compromise. Responsibility for reporting nonetheless remains with the responsible party, being the business that ultimately determines the purpose and means of processing the personal information.

2. Form and contents of notification

As per section 22(5), the notification must contain:

  1. a description of the nature of the compromise;
  2. details of the personal information affected;
  3. the possible consequences of the compromise;
  4. the measures taken or proposed to address it; and
  5. recommendations to data subjects on how to minimize potential harm.

The Information Regulator may direct that the notice be given in a particular form, or even be made public, if it considers this necessary to protect other data subjects.

3. Timing of notification

While PoPIA does not prescribe a fixed time limit, section 22(1) requires that notification be given “as soon as reasonably practicable”. A business may delay notification only where immediate disclosure would impede a criminal investigation (for example, where the SAPS or the Hawks are involved).

Penalties and consequences under PoPIA

Under section 22 of PoPIA, failure by a business to notify the Information Regulator and affected data subjects as soon as reasonably practicable after discovering a security compromise is non-compliance with the Act. Such non-compliance constitutes “interference with the protection of personal information” (section 73), which entitles the Regulator to issue an enforcement notice in terms of section 95.

A responsible party who fails to comply with such an enforcement notice commits an offense under section 103(1). Penalties for offenses under the Act are set out in section 107 (which distinguishes between offenses carrying higher and lower maximum sentences), and the Regulator may also impose administrative fines under section 109, subject to the safeguards in the Act, including the limitation on pursuing both an administrative fine and a criminal prosecution for the same conduct.

In addition, section 99 creates a civil remedy that allows affected data subjects to claim compensation for losses suffered as a result of a responsible party's non-compliance.

ECTA's role in electronic security

The Electronic Communications and Transactions Act 25 of 2002 (ECTA) was South Africa's first comprehensive cyber law legislation.

ECTA created offenses relating to unauthorized access to, interception of, and interference with data. However, the relevant sections of ECTA (sections 85 to 88) were repealed with effect from 1 December 2021, and those substantive cyber crimes were consolidated and modernized under the Cybercrimes Act 19 of 2020.

Today, unlawful access, unlawful interception, unlawful interference and related cyber crimes are prosecuted under the Cybercrimes Act (not ECTA), specifically under section 2 (unlawful access), section 3 (unlawful interception of data), section 4 (unlawful acts in respect of software or hardware tools) and section 5 (unlawful interference with data or a computer program). Businesses should therefore look to the Cybercrimes Act for criminal liability and reporting duties relating to unauthorized access to, or interference with, computer systems.

Cyber Security Duties under the Cybercrimes Act 19 of 2020 for Electronic Communications Service Providers and Financial Institutions

While PoPIA focuses on the protection of personal information, the Cybercrimes Act 19 of 2020 addresses the obligation to report unlawful computer activity and cyber crimes.

1. Duty to report cyber crimes

Under section 54(1), an electronic communications service provider (ECSP) or a financial institution (as defined in the Financial Sector Regulation Act 9 of 2017) that becomes aware that its computer system has been involved in a cybercrime, such as unauthorized access, interception or interference with data, must report the offense to the SAPS within 72 hours of becoming aware of it.

It must also preserve any information that may assist the SAPS in investigating the offense.

Failure to comply with this duty is an offense under section 54(3), punishable by a fine of up to R50,000.

2. Punishment for cyber crimes

The Cybercrimes Act criminalizes various forms of cyber misconduct, including:

  • unlawful access to a computer system or data (section 2);
  • unlawful interception of data (section 3);
  • unlawful interference with data or a computer program (section 5);
  • unlawful interference with a computer data storage medium or computer system (section 6); and
  • cyber fraud, cyber forgery and uttering, and cyber extortion (sections 8 to 10).

For businesses, this means that a breach involving unauthorized access to, or manipulation of, computer data may not only trigger PoPIA reporting obligations but, in some circumstances, may also constitute a crime under the Cybercrimes Act.

Double obligation for businesses

Given the interplay between these laws, the obligations owed to customers as data subjects, and the duties imposed by statute, businesses should adopt a proactive compliance strategy:

  1. Appoint and register an information officer with the Information Regulator, as required by section 55 of POPIA.
  2. Implement a data breach response plan specifying internal escalation, investigation and external reporting procedures.
  3. Train employees to identify and respond to data incidents.
  4. Enter into a written operator agreement with each third-party processor that sets out the security and reporting duties required by PoPIA.
  5. Engage cybersecurity experts to test and improve your data security measures.
  6. Maintain an incident log and preserve all evidence of any compromise for potential reporting under both POPIA and the Cybercrimes Act.

Conclusion

For businesses, the consequences of a cyberattack extend far beyond the initial breach. A business faces a double liability: first, it can be held accountable to data subjects (its customers or clients) for any losses they suffer as a result of the compromise of their personal information; second, it must meet its reporting and compliance obligations under PoPIA and the Cybercrimes Act.

Under section 22 of PoPIA, any security compromise must be reported to the Information Regulator and the affected data subjects as soon as reasonably practicable. Similarly, the Cybercrimes Act imposes a duty on electronic communications service providers and financial institutions to notify the South African Police Service of cyber crimes within a strict timeline, so that timely action can be taken.

In today's digital economy, where trust is a key driver of business success, managing the aftermath of a cyber incident requires more than remediation; it demands proactive governance, timely reporting and diligent compliance with legal obligations. For South African businesses, compliance with PoPIA and the Cybercrimes Act is not optional; it is a necessity for protecting reputation, customer trust and sustainable growth. Contact a specialist at SchoemanLaw Inc today for advice, assistance or support.

https://schoemanlaw.co.za/our-services/technology-law-smart-contracts-and-cyber-law/
