Recently we wrote about what to do if you believe your data or personal information has been hacked. The question we now ask is whether or not companies are doing enough to secure our data, especially after an estimated 70 million identity numbers held by an estate agency were compromised. This data included highly sensitive information such as our identity numbers, address history, credit status and employment history.
The reality is that our data is out there and hackers seem to always be one step ahead. While the companies that hold our data will have a responsibility to keep the information safe once the Protection of Personal Information Act (POPI) is in force, there is no way we can know whether they are taking sufficient measures and even if they do, there is no such thing as foolproof security.
In June, IBM Security, together with the Ponemon Institute, released the 2017 Cost of Data Breach Study: Global Overview, which argued that South Africa had the highest probability of experiencing a data breach within the next 24 months.
Brennan Wright, spokesperson for identity verification company ThisIsMe, says we are living in an environment where our information is vulnerable and we as individuals need to be taking more responsibility for our data security. One of his concerns is that POPI has still not come into effect, leaving customers vulnerable when it comes to the protection of their personal information. POPI specifically requires companies holding our data to have appropriate and reasonable security measures in place to protect the information. Although many of the large financial institutions are already adhering to these recommendations, as they are not yet in law, no action can be taken against companies who are not adhering.
Consumers will be in control of their own data
Wright believes the enforcement of POPI would create a balance of power for consumers against businesses who have incentives to collect as much data on us as possible – often data that we may not have consented to providing. “We are trying to facilitate change for improved systems and tools to protect personal data. POPI aims to ensure that data is collected, stored and distributed according to the law. There will be no grey areas. If we request them to delete our data, they will be obliged to. POPI will put consumers in control of their own data,” argues Wright.
Kerri Crawford, senior associate at Norton Rose Fulbright South Africa, says that the first round of public comment for the draft regulations under POPI has now been finalised, so we are awaiting an updated draft. Once the consultation and approval process is completed, the regulations will be promulgated and we are then likely to see the announcement of a commencement date for POPI.
Crawford says POPI will make it easier to hold a company accountable for a breach of personal data where the company has not taken reasonable measures to secure it, as consumers would have the recourse to lodge a complaint with the Regulator, who could investigate the breach and issue fines. Crawford says global experiences of enforcing privacy laws have resulted in heavy fines, especially in the case of failing to train staff on how to treat personal information, such as a case where an employee left a work file with sensitive information on a commuter train. People affected could also claim for damages; however, Crawford warns you would have to show that there was a loss to you due to the breach in security and that the company failed to take appropriate and reasonable measures to prevent the breach.
For example, on the day that domain service provider Hetzner was hacked earlier this month, I received an urgent email asking me to immediately pay and renew my domain name or my website and email would be suspended. The email contained my personal information, including my home address and contact details, making it look legit. Had I fallen for the scam and paid the money, I would have had to prove that the information used came from the Hetzner breach and that Hetzner did not have adequate security measures in place.
Better technology around data protection
The good news is that the increased awareness around security means there are more technological advances around protecting our data. These include increased use of biometrics, which is moving beyond just fingerprints to voice recognition and programs that can recognise your behaviour. Wright says ThisIsMe is helping businesses to mitigate fraud using its tamper-detection technology, which is more accurate than a face-to-face verification, to enhance the FICA process. It has developed technology to verify that a real residence matches the stated address location, as well as patented real-time bank account verifications. Coupled with their solutions for businesses, ThisIsMe is helping the public to investigate whether our data has been breached, to set up alerts on our credit profile and to safely and securely store and share our identity data. They’ve also recently launched a tool that helps us identify others when transacting on Gumtree or dating sites.
However, no security measure is ever foolproof and there will always be an element of vulnerability as hackers find ways to exploit weaknesses. “While companies and governments can improve security, individuals need to be a lot more aware and alert about using secure and authentic sites and using strong passwords. We all need to take precautions,” says Wright.
This article first appeared in City Press.