Directors beware of obligations and liabilities under POPIA

Legal Development 15 April 2021 15 April 2021
Africa
Data Protection & Privacy

Cyber security and adequate data protection have become key focus areas for company boards across the world.

Considering the recent surge in high-profile cyber incidents and the significant financial and reputational impact on affected companies in South Africa, directors need to be mindful of the obligations and potential liabilities that may arise under POPIA.

In this article we explore the relevant sections of South Africa's data protection legislation and consider the implications of cyber risks for directors and officers in South Africa.

Background and context

The Covid-19 pandemic has proved to be a fertile breeding ground for cyber criminals who have taken advantage of the vulnerabilities arising from companies who have been required to restructure their operations, often very quickly and with a remote workforce.

Cyber threats are becoming more sophisticated, more durable (often a targeted attack can be executed over several months) and more expensive, in terms of costs of remediation and associated ransom demands. The unfortunate reality is that no business, director or officer is immune to the risks and consequences of a cyber-attack – in fact, directors and officers may become leading targets of a raft of regulatory and administrative actions following a cyber event, particularly where such incidents lead to the loss of valuable data.

Legislative framework for data protection in South Africa

South Africa's cyber legislation framework is undergoing a significant transition.

South Africa's data protection legislation, the Protection of Personal Information Act 4 of 2013 ("POPIA"), came into force fully on 30 June 2020 (after a long gestation period) and we are currently within the twelve-month grace period afforded to all persons to ensure compliance with the legislative conditions for lawful processing of personal information by 1 July 2021.

POPIA's intended purpose is multi-faceted – it includes giving effect to the constitutionally-entrenched right to privacy, regulating the processing of personal information, entrenching rights and remedies to safeguard against processing that is not in accordance with POPIA and establishing measures to ensure respect for and to promote, enforce and fulfil the rights protected by POPIA. It brings South Africa’s data protection framework in line with other significant global privacy and data protection laws, such as the EU’s General Data Protection Regulation.

Enforcement of POPIA is in the hands of the Information Regulator, whose mandate is to serve as the regulatory body empowered to investigate data breaches and monitor statutory compliance within South Africa.

Security and reporting obligations

Section 19 of POPIA places stringent obligations on responsible parties (i.e. those who process personal information) to secure and safeguard the integrity and confidentiality of personal information in their possession, by taking both appropriate and reasonable technical and organisational measures including:

Identifying all reasonably foreseeable internal and external risks.
Establishing and maintaining appropriate safeguards against those risks.
Regularly verifying that such safeguards are effectively implemented.
Ensuring that the safeguards are continually updated in response to new risks.

Naturally, the responsibility to implement and monitor these measures falls to the board of the company and its designated officers.

Section 22 of POPIA also imposes mandatory reporting obligations on responsible parties in the event of a data security compromise. Where a responsible party has reason to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, it is obligated to notify the Information Regulator and all identifiable data subjects.

It is imperative that the relevant parties be notified as soon as reasonably possible after a data breach. The urgency of the notification must be assessed taking into consideration the needs of law enforcement, as well as the steps and processes which may be required to establish the severity of the breach and to restore any compromised information systems.

Notification of a data security compromise may only be delayed in very limited circumstances. Any such delay must be considered by the Information Regulator (or other public body tasked with the prevention, detection or investigation of offences) and deemed necessary on the basis that such notification would obstruct a criminal investigation.

The notification under section 22, which must be in writing, should set out enough information to allow the data subject to take steps to safeguard against the potential consequences of the data security breach, including:

If known, the identity of the perpetrator who may have accessed the personal information.
A description of the potential implications of the data security compromise.
An account of the steps which the responsible party has taken, or intends on taking, in response to the breach.
A recommendation as to the steps and/or processes which can be employed and/or adopted by the data subject to alleviate the consequences of the data security breach.

Ultimately, it will fall to the board of the company to ensure that these reporting obligations and requirements, both to the Information Regulator and to the affected data subjects, are complied with.

There may also be additional statutory reporting obligations in the event of a ransomware attack or where there is an extortion demand for stolen data – for instance, in terms of section 34 of the Prevention and Combating of Corrupt Activities Act, 2004.

Civil remedies and fines

Notably, any breach of the processing conditions, including the reporting obligations under section 22, is by virtue of section 73 deemed to constitute an interference with the protection of personal information. This may in turn lead to potentially significant liabilities under section 99 of POPIA.

A data subject (or the Information Regulator, at the data subject's request) may, in terms of section 99, institute a civil action for damages against a responsible party where there has been a breach of section 73.

It is particularly noteworthy that Section 99 applies irrespective of whether there is intent or negligence on the part of the responsible party. In other words, POPIA introduces strict liability for a responsible party.

Section 99(3) further contemplates an award that is "just and equitable", including aggravated damages in a sum to be determined within the discretion of the court. It is unclear at this stage how our courts will apply its discretion to such just and equitable relief, and this legislative uncertainty will require clarification by our courts over time.

Section 99(2) does provide some relief in the event of a data security compromise. In terms of this section, a responsible party may raise certain defences against an action for damages, including:

Vis major (which refers to some or other irresistible force or event which cannot be reasonably anticipated, avoided or controlled);
Consent by the plaintiff;
Fault on the part of the plaintiff;
The fact that, with reference to the circumstances surrounding the breach, compliance was not reasonably practical; or
The fact that an exemption was granted by the Information Regulator (which applies in limited circumstances as set out in section 37).

In addition to the possibility of civil claims and damages, POPIA also provides for administrative fines.

Section 109 provides that where it is alleged that a responsible party has committed an offence in terms of POPIA an infringement notice must be delivered to that person. In terms of section 109(2)(c) the infringement notice must specify the amount of the administrative fine payable. This amount is currently capped at an amount of R10 million.

Under section 109(3) when determining an appropriate fine, the Information Regulator must consider various factors including the failure to perform a risk assessment or a failure to operate good policies, procedures and practices to protect personal information.

Section 109(3)(g) accordingly makes it clear that the board of the company must ensure that regular risk assessments, and appropriate policies and processes are implemented to safeguard against the risk of administrative fines.

Section 109(2)(c) and (3)(g) are of particular importance for directors and officers. A failure to execute the required risk assessments (which ultimately becomes the responsibility of the board) can result in a hefty R10 million fine and potentially also trigger liability claims against directors and officers.

Conclusion

Cybersecurity has undoubtedly become one of the leading D&O liability concerns both locally and internationally.

Directors have a responsibility to exercise due care, skill and diligence and this extends to effective data privacy and protection and compliance with POPIA. In addition, in terms of the business judgment principle encapsulated in the Companies Act 2008, directors are required to take reasonably diligent steps to become informed about a matter. It is accordingly not enough for directors and officers to simply delegate responsibility to their IT managers when it comes to cyber threat mitigation and regular and effective monitoring and oversight is required.

POPIA imposes a number of obligations on data handlers, which in turn requires that board members take steps to safeguard against digital risks and data breaches - failing which they face exposure to a host of potential liabilities in the form of regulatory enforcement action, civil proceedings and fines.

This emergent risk frontier is likely to lead to new types of litigation against boards and directors by affected data subjects, shareholders and other affected parties.

Legal notice: The contents of this article should not be construed as formal legal advice from Clyde & Co. Readers are advised to consult legal professionals for guidance on POPIA and the implications thereof.

End

Download Insight