Alice Letsoalo:
:Welcome to Perspectives Fasken Legal Voices on Business.
Alice Letsoalo:
:Hello, everyone. Thank you for joining us.
Alice Letsoalo:
:In this latest episode of Fasken Perspectives, The Voice of Business Law.
Alice Letsoalo:
:My name is Alice Letsoalo, a candidate attorney in the Dispute Resolution practice
Alice Letsoalo:
:at Fasken. I am joined today by my colleagues who will introduce themselves.
Catherine Hendricks:
:I'm Catherine Hendricks, a Candidate Attorney, also in the Dispute Resolution
Catherine Hendricks:
:practice at Fasken.
Jessica Rajpal:
:I am Jessica Rajpal, a partner in the Dispute Resolution practice at Fasken.
Catherine Hendricks:
:On this episode, we will be talking about the relatively new kid on the block, cyber
Catherine Hendricks:
:security. Today we'll be looking at governance risk and cyber crimes in so far as
Catherine Hendricks:
:it relates to the Cyber Crimes Act, as well as the so-called Prince of data protection
Catherine Hendricks:
:Papia. Then we will address how cyber security affects organizations.
Catherine Hendricks:
:And in this part of our discussion, we intend to give a brief overview of key
Catherine Hendricks:
:elements of contracts with service providers who ensure the overall cybersecurity hygiene
Catherine Hendricks:
:of your organization.
Catherine Hendricks:
:And so on that note, I'm going to hand it over to Alice.
Alice Letsoalo:
:Thank you, Kath.
Alice Letsoalo:
:So first things first is for us to define what corporate governance is as it relates to
Alice Letsoalo:
:cyber security.
Alice Letsoalo:
:And it is defined as a practice by which companies are managed and controlled and as
Alice Letsoalo:
:also being concerned with holding the balance between economic and social goals and
Alice Letsoalo:
:between individual and communal goals.
Alice Letsoalo:
:So for purposes of our discussion today, we want to focus on the role that corporate
Alice Letsoalo:
:governance has on the executive and our board level oversight in cyber security.
Alice Letsoalo:
:And we do know that Jessica is going to touch on that for us a bit later.
Alice Letsoalo:
:So we thought it would be an interesting topic to get into because usually when we
Alice Letsoalo:
:consider corporate governance, we think about the elements of financial integrity,
Alice Letsoalo:
:legal and regulatory compliance and et cetera.
Alice Letsoalo:
:However, we do know that in the wake of cyber attacks, that has cost multiple
Alice Letsoalo:
:enterprises millions.
Alice Letsoalo:
:Corporate governance in the context of cyber security has also become increasingly
Alice Letsoalo:
:important. So I think it begs the question of how cyber governance can be evolved in
Alice Letsoalo:
:order to take into account the threats on our business operations.
Catherine Hendricks:
:Yes. So some of the four major areas in which cyber governance can be evolved, namely
Catherine Hendricks:
:inverting the cyber security leadership responsibility, adopting the right cyber
Catherine Hendricks:
:security framework, addressing the organization structure.
Catherine Hendricks:
:So let's start with the very first element, Jessica.
Catherine Hendricks:
:What do we mean by inverting the cyber security leadership responsibilities?
Jessica Rajpal:
:Kath I'm so glad we're having this conversation.
Jessica Rajpal:
:If it isn't front and center of boardroom discussions, it certainly should be.
Jessica Rajpal:
:What we know is that traditionally the approach to cyber security has been a bottom
Jessica Rajpal:
:up approach, meaning that the IT team or an employee with experience is asked to identify
Jessica Rajpal:
:cyber security defense mechanisms and to prepare response policies.
Jessica Rajpal:
:These are usually developed as technical tools, but often have little regard to the
Jessica Rajpal:
:operational implications in a business.
Jessica Rajpal:
:It is, however, important to note that a cyber security governance model that is
Jessica Rajpal:
:inverted to a top down approach may direct the directors and the management of the
Jessica Rajpal:
:enterprise to establish a cyber security framework that takes into account the
Jessica Rajpal:
:financial, legal, regulatory and reputational risks of a cyber attack.
Jessica Rajpal:
:Using this information, a company can then curate the necessary technical tools to
Jessica Rajpal:
:prevent such cyber attacks.
Jessica Rajpal:
:And on that score, Kat, this should raise an alarm in the minds of executives about some
Jessica Rajpal:
:of the legal and regulatory implications in respect of cyber security.
Jessica Rajpal:
:More specifically, the Cyber Crimes Act is important.
Jessica Rajpal:
:Directors must be aware, for instance, of what constitutes a cyber crime, what steps to
Jessica Rajpal:
:take when one is faced with a cyber attack, specifically in relation to the to the Cyber
Jessica Rajpal:
:Crimes Act and some of the protections that are available to them when faced with a cyber
Jessica Rajpal:
:attack. Additionally, Catherine, and in accordance with the proclamation in the
Jessica Rajpal:
:Gazette, we know that certain aspects of the Cyber Crimes Act came into operation on the
Jessica Rajpal:
:1st of December 2021, and we now know that there are a few gazetted cyber crimes that
Jessica Rajpal:
:are punishable by fine or imprisonment.
Jessica Rajpal:
:These include unlawfully accessing a computer system or computer data storage
Jessica Rajpal:
:medium, which allows the person to intercept data or interfere with data or the computer
Jessica Rajpal:
:system and unlawfully intercepting data, for example, acquiring, viewing, capturing or
Jessica Rajpal:
:copying any data that is non-public, so as to make it available to a person other than
Jessica Rajpal:
:the lawful owner or the holder of the data.
Jessica Rajpal:
:There are a few more, Kath, but I won't go into all of them today.
Alice Letsoalo:
:And if I can just highlight that we also know that the South African police services, its
Alice Letsoalo:
:members and also its investigators have now been given an extensive powers to search, to
Alice Letsoalo:
:access, seize certain articles and investigate these cyber crimes.
Jessica Rajpal:
:That's correct, Alice.
Jessica Rajpal:
:And it is an interesting development that we are keeping an eye on.
Alice Letsoalo:
:So bringing it back to the question of corporate governance with an action of the
Alice Letsoalo:
:Cyber Crimes Act, we see a greater need for a cyber governance framework that takes all
Alice Letsoalo:
:of this into consideration.
Alice Letsoalo:
:Most notably absent, however, was the provision in the Act that imposes reporting
Alice Letsoalo:
:obligations by financial institutions and electronic communications service providers.
Alice Letsoalo:
:So as it currently stands, financial institutions and electronic communications
Alice Letsoalo:
:service providers are not yet obliged to report cyber crimes within 72 hours to the
Alice Letsoalo:
:SAPs after having become aware of the offence and to preserve any information that
Alice Letsoalo:
:may assist the SAPs with its investigations relating to the alleged offences.
Alice Letsoalo:
:Indeed, Kath. But I think equally as important to note is it will eventually come
Alice Letsoalo:
:into effect some day in the future and so such enterprises must be aware of this and
Alice Letsoalo:
:they must incorporate reporting procedures in their policies.
Alice Letsoalo:
:Otherwise once it's in operation, this could actually lead to a fine of not exceeding
Alice Letsoalo:
:50,000 rand.
Alice Letsoalo:
:But I think it leads us nicely into our topic regarding Poppy or the Poppy Act,
Alice Letsoalo:
:because more often than not, when we think of a cyber attack.
Alice Letsoalo:
:There's a great possibility that this information was personal information or even
Alice Letsoalo:
:special personal information as defined by Poppy, which was breached.
Jessica Rajpal:
:Yes, Alice. So the Poppy Act and the Cyber Crimes Act are really meant to complement
Jessica Rajpal:
:each other with the Poppy Act protecting personal information.
Jessica Rajpal:
:And on the same token, one could view the Cyber Crimes Act as a means to also protect
Jessica Rajpal:
:personal information and make data breaches punishable offences where offences relating
Jessica Rajpal:
:to data, data breaches, ransomware attacks, cyber forgery and cyber extortion are likely
Jessica Rajpal:
:to become prevalent.
Jessica Rajpal:
:So Jas, Alice alluded to the reporting obligations that will come into effect in the
Jessica Rajpal:
:foreseeable future in terms of the Poppy Act.
Jessica Rajpal:
:What are some of the reporting duties that may exist under that legislation?
Jessica Rajpal:
:So Kat, certain cyber crimes constitute reportable data breaches.
Jessica Rajpal:
:And in terms of Poppy, what this means is that where there are reasonable grounds to
Jessica Rajpal:
:believe that the personal information of a data subject has been accessed or acquired by
Jessica Rajpal:
:an unauthorized person, the responsible party would, as a general rule, have to
Jessica Rajpal:
:notify the information regulator and the relevant data subjects as soon as possible.
Catherine Hendricks:
:You mentioned the information regulator with companies getting up to speed with their
Catherine Hendricks:
:poppy compliance.
Catherine Hendricks:
:Briefly recap our listeners on what exactly is the information regulator and what is
Catherine Hendricks:
:their role in the space of data protection and cyber security.
Jessica Rajpal:
:Absolutely, Kat.
Jessica Rajpal:
:The information regulator is an independent body and it derives its mandate from section
Jessica Rajpal:
:14 of the Constitution, which relates to the right to privacy as well as Section 32 of the
Jessica Rajpal:
:Constitution, which involves the right of access to information.
Jessica Rajpal:
:Among other things, the regulators empowered to monitor and enforce compliance by public
Jessica Rajpal:
:and private bodies, which are referred to in poppy as responsible parties.
Alice Letsoalo:
:And let's touch on some of the obligations imposed by the Poppy Act.
Alice Letsoalo:
:What we know is that it makes it obligatory to comply with the conditions for lawful
Alice Letsoalo:
:processing of personal information, and that it also places an obligation on responsible
Alice Letsoalo:
:parties to disclose breaches of information and give the information regulator power to
Alice Letsoalo:
:impose severe penalties where responsible parties fail to adequately protect
Alice Letsoalo:
:information or fail to report data breaches.
Jessica Rajpal:
:Yes. So in a nutshell, this would entail having an incident management plan that
Jessica Rajpal:
:properly sets out the steps to determine whether a cyber crime constitutes a
Jessica Rajpal:
:reportable breach.
Jessica Rajpal:
:Having a robust breach detection investigation and internal reporting
Jessica Rajpal:
:procedure. All of.
Jessica Rajpal:
:This is critical for purposes of mitigating security risks.
Catherine Hendricks:
:And what are some examples of a good cyber governance strategy Jess?
Jessica Rajpal:
:So Katz just to name a few things, organizations need to clearly identify their
Jessica Rajpal:
:cyber security obligations and goals.
Jessica Rajpal:
:They need to develop and implement standards to subscribe to.
Jessica Rajpal:
:And an example of this would be ISO 9001 2017, which is a standard that can be used as
Jessica Rajpal:
:a platform on which to base effective cyber security programs.
Jessica Rajpal:
:An organization would have to establish the appropriate internal processes and procedures
Jessica Rajpal:
:to manage cyber risks, determine the necessary protocols to enforce compliance and
Jessica Rajpal:
:quite importantly, equip its employees with the relevant resources and guidance to carry
Jessica Rajpal:
:out the organization's cyber security.
Jessica Rajpal:
:This would of course include ongoing training, etcetera.
Catherine Hendricks:
:And I imagine mitigating a data breach would be quite difficult.
Catherine Hendricks:
:Not only would an organization have to deal with the operational impact, but the
Catherine Hendricks:
:reputational and legal implications as well.
Catherine Hendricks:
:So what are some of the things that entities would have to be cognisant of in the instance
Catherine Hendricks:
:of a data breach?
Jessica Rajpal:
:Well, from a legal perspective, organizations need to be aware that a level of transparency
Jessica Rajpal:
:is required by both the Cybercrimes Act and the Poppy Act.
Jessica Rajpal:
:It was mentioned earlier that in terms of the Cyber Crimes Act, electronic service
Jessica Rajpal:
:providers will be required to report cyber attacks within a specific period of time,
Jessica Rajpal:
:although that provision hasn't yet been enacted.
Jessica Rajpal:
:Then in terms of the Poppy Act, security measures must be put in place by responsible
Jessica Rajpal:
:parties to ensure the integrity and confidentiality of personal information in
Jessica Rajpal:
:its possession.
Jessica Rajpal:
:In terms of the Act, responsible parties are required to notify the Information Regulator
Jessica Rajpal:
:as well as any parties whose personal information has been accessed by by an
Jessica Rajpal:
:unauthorised party in the event of a security compromise.
Jessica Rajpal:
:Something important to note, Kat, is that there isn't a threshold in respect of
Jessica Rajpal:
:reporting such compromises.
Jessica Rajpal:
:In terms of Poppy.
Alice Letsoalo:
:That's a very interesting point, Jess.
Alice Letsoalo:
:So if one considers the implications of notifying the Information Regulator, one can
Alice Letsoalo:
:then imagine that where an organization has faced a data breach but isn't confident about
Alice Letsoalo:
:having established and enforced the appropriate protocols to prevent and mitigate
Alice Letsoalo:
:such a breach, that organization may be reluctant to report this sort of crime.
Alice Letsoalo:
:However, I think it's important that organizations are aware that a failure to
Alice Letsoalo:
:report such incidents may very well expose them to a sanction under the Poppy Act.
Catherine Hendricks:
:Absolutely. And what exactly should this notification entail?
Catherine Hendricks:
:Jess?
Jessica Rajpal:
:Well Kat, at the very least the identity of the unauthorized person who access the
Jessica Rajpal:
:information. If this is known by the responsible party, the notification should
Jessica Rajpal:
:provide details regarding the possible consequences of the breach, including details
Jessica Rajpal:
:of the measures that the responsible party will take and recommendations of measures
Jessica Rajpal:
:that should be taken by affected data subjects whose information has been leaked.
Jessica Rajpal:
:Something else to note is that the information regulator could require that the
Jessica Rajpal:
:responsible party publicise the data breach.
Catherine Hendricks:
:Publicising something like that exposes organizations to serious reputational and
Catherine Hendricks:
:financial harm.
Catherine Hendricks:
:It's quite apparent that organisations really need to have a clear prevention and
Catherine Hendricks:
:response plan when it comes to data breaches.
Catherine Hendricks:
:There's a lot to consider protocols, mitigation strategies, very clear policies,
Catherine Hendricks:
:adhering to the notification requirements.
Catherine Hendricks:
:This really goes to show that the issue of cyber risk and crime can't be overemphasized
Catherine Hendricks:
:in today's risk governance framework.
Alice Letsoalo:
:Absolutely. I am so glad that we met today to share with our listeners some of the
Alice Letsoalo:
:important factors to know from a legal perspective when it comes to data breaches.
Alice Letsoalo:
:Jess, Kath, thanks so much for sharing your insights.
Alice Letsoalo:
:I think that concludes our conversation for today.
Alice Letsoalo:
:Thank you everyone for listening.
Jessica Rajpal:
:Thank you very much, Alice.
Jessica Rajpal:
:Goodbye all.
Catherine Hendricks:
:Thanks so much, Alice.