Artwork for podcast Perspectives – Legal Voices on Business
Cybersecurity, Leadership, Risk, Regulations and Compliance
Episode 728th May 2022 • Perspectives – Legal Voices on Business • Fasken
00:00:00 00:14:49

Share Episode

Transcripts

Alice Letsoalo:

:

Welcome to Perspectives Fasken Legal Voices on Business.

Alice Letsoalo:

:

Hello, everyone. Thank you for joining us.

Alice Letsoalo:

:

In this latest episode of Fasken Perspectives, The Voice of Business Law.

Alice Letsoalo:

:

My name is Alice Letsoalo, a candidate attorney in the Dispute Resolution practice

Alice Letsoalo:

:

at Fasken. I am joined today by my colleagues who will introduce themselves.

Catherine Hendricks:

:

I'm Catherine Hendricks, a Candidate Attorney, also in the Dispute Resolution

Catherine Hendricks:

:

practice at Fasken.

Jessica Rajpal:

:

I am Jessica Rajpal, a partner in the Dispute Resolution practice at Fasken.

Catherine Hendricks:

:

On this episode, we will be talking about the relatively new kid on the block, cyber

Catherine Hendricks:

:

security. Today we'll be looking at governance risk and cyber crimes in so far as

Catherine Hendricks:

:

it relates to the Cyber Crimes Act, as well as the so-called Prince of data protection

Catherine Hendricks:

:

Papia. Then we will address how cyber security affects organizations.

Catherine Hendricks:

:

And in this part of our discussion, we intend to give a brief overview of key

Catherine Hendricks:

:

elements of contracts with service providers who ensure the overall cybersecurity hygiene

Catherine Hendricks:

:

of your organization.

Catherine Hendricks:

:

And so on that note, I'm going to hand it over to Alice.

Alice Letsoalo:

:

Thank you, Kath.

Alice Letsoalo:

:

So first things first is for us to define what corporate governance is as it relates to

Alice Letsoalo:

:

cyber security.

Alice Letsoalo:

:

And it is defined as a practice by which companies are managed and controlled and as

Alice Letsoalo:

:

also being concerned with holding the balance between economic and social goals and

Alice Letsoalo:

:

between individual and communal goals.

Alice Letsoalo:

:

So for purposes of our discussion today, we want to focus on the role that corporate

Alice Letsoalo:

:

governance has on the executive and our board level oversight in cyber security.

Alice Letsoalo:

:

And we do know that Jessica is going to touch on that for us a bit later.

Alice Letsoalo:

:

So we thought it would be an interesting topic to get into because usually when we

Alice Letsoalo:

:

consider corporate governance, we think about the elements of financial integrity,

Alice Letsoalo:

:

legal and regulatory compliance and et cetera.

Alice Letsoalo:

:

However, we do know that in the wake of cyber attacks, that has cost multiple

Alice Letsoalo:

:

enterprises millions.

Alice Letsoalo:

:

Corporate governance in the context of cyber security has also become increasingly

Alice Letsoalo:

:

important. So I think it begs the question of how cyber governance can be evolved in

Alice Letsoalo:

:

order to take into account the threats on our business operations.

Catherine Hendricks:

:

Yes. So some of the four major areas in which cyber governance can be evolved, namely

Catherine Hendricks:

:

inverting the cyber security leadership responsibility, adopting the right cyber

Catherine Hendricks:

:

security framework, addressing the organization structure.

Catherine Hendricks:

:

So let's start with the very first element, Jessica.

Catherine Hendricks:

:

What do we mean by inverting the cyber security leadership responsibilities?

Jessica Rajpal:

:

Kath I'm so glad we're having this conversation.

Jessica Rajpal:

:

If it isn't front and center of boardroom discussions, it certainly should be.

Jessica Rajpal:

:

What we know is that traditionally the approach to cyber security has been a bottom

Jessica Rajpal:

:

up approach, meaning that the IT team or an employee with experience is asked to identify

Jessica Rajpal:

:

cyber security defense mechanisms and to prepare response policies.

Jessica Rajpal:

:

These are usually developed as technical tools, but often have little regard to the

Jessica Rajpal:

:

operational implications in a business.

Jessica Rajpal:

:

It is, however, important to note that a cyber security governance model that is

Jessica Rajpal:

:

inverted to a top down approach may direct the directors and the management of the

Jessica Rajpal:

:

enterprise to establish a cyber security framework that takes into account the

Jessica Rajpal:

:

financial, legal, regulatory and reputational risks of a cyber attack.

Jessica Rajpal:

:

Using this information, a company can then curate the necessary technical tools to

Jessica Rajpal:

:

prevent such cyber attacks.

Jessica Rajpal:

:

And on that score, Kat, this should raise an alarm in the minds of executives about some

Jessica Rajpal:

:

of the legal and regulatory implications in respect of cyber security.

Jessica Rajpal:

:

More specifically, the Cyber Crimes Act is important.

Jessica Rajpal:

:

Directors must be aware, for instance, of what constitutes a cyber crime, what steps to

Jessica Rajpal:

:

take when one is faced with a cyber attack, specifically in relation to the to the Cyber

Jessica Rajpal:

:

Crimes Act and some of the protections that are available to them when faced with a cyber

Jessica Rajpal:

:

attack. Additionally, Catherine, and in accordance with the proclamation in the

Jessica Rajpal:

:

Gazette, we know that certain aspects of the Cyber Crimes Act came into operation on the

Jessica Rajpal:

:

1st of December 2021, and we now know that there are a few gazetted cyber crimes that

Jessica Rajpal:

:

are punishable by fine or imprisonment.

Jessica Rajpal:

:

These include unlawfully accessing a computer system or computer data storage

Jessica Rajpal:

:

medium, which allows the person to intercept data or interfere with data or the computer

Jessica Rajpal:

:

system and unlawfully intercepting data, for example, acquiring, viewing, capturing or

Jessica Rajpal:

:

copying any data that is non-public, so as to make it available to a person other than

Jessica Rajpal:

:

the lawful owner or the holder of the data.

Jessica Rajpal:

:

There are a few more, Kath, but I won't go into all of them today.

Alice Letsoalo:

:

And if I can just highlight that we also know that the South African police services, its

Alice Letsoalo:

:

members and also its investigators have now been given an extensive powers to search, to

Alice Letsoalo:

:

access, seize certain articles and investigate these cyber crimes.

Jessica Rajpal:

:

That's correct, Alice.

Jessica Rajpal:

:

And it is an interesting development that we are keeping an eye on.

Alice Letsoalo:

:

So bringing it back to the question of corporate governance with an action of the

Alice Letsoalo:

:

Cyber Crimes Act, we see a greater need for a cyber governance framework that takes all

Alice Letsoalo:

:

of this into consideration.

Alice Letsoalo:

:

Most notably absent, however, was the provision in the Act that imposes reporting

Alice Letsoalo:

:

obligations by financial institutions and electronic communications service providers.

Alice Letsoalo:

:

So as it currently stands, financial institutions and electronic communications

Alice Letsoalo:

:

service providers are not yet obliged to report cyber crimes within 72 hours to the

Alice Letsoalo:

:

SAPs after having become aware of the offence and to preserve any information that

Alice Letsoalo:

:

may assist the SAPs with its investigations relating to the alleged offences.

Alice Letsoalo:

:

Indeed, Kath. But I think equally as important to note is it will eventually come

Alice Letsoalo:

:

into effect some day in the future and so such enterprises must be aware of this and

Alice Letsoalo:

:

they must incorporate reporting procedures in their policies.

Alice Letsoalo:

:

Otherwise once it's in operation, this could actually lead to a fine of not exceeding

Alice Letsoalo:

:

50,000 rand.

Alice Letsoalo:

:

But I think it leads us nicely into our topic regarding Poppy or the Poppy Act,

Alice Letsoalo:

:

because more often than not, when we think of a cyber attack.

Alice Letsoalo:

:

There's a great possibility that this information was personal information or even

Alice Letsoalo:

:

special personal information as defined by Poppy, which was breached.

Jessica Rajpal:

:

Yes, Alice. So the Poppy Act and the Cyber Crimes Act are really meant to complement

Jessica Rajpal:

:

each other with the Poppy Act protecting personal information.

Jessica Rajpal:

:

And on the same token, one could view the Cyber Crimes Act as a means to also protect

Jessica Rajpal:

:

personal information and make data breaches punishable offences where offences relating

Jessica Rajpal:

:

to data, data breaches, ransomware attacks, cyber forgery and cyber extortion are likely

Jessica Rajpal:

:

to become prevalent.

Jessica Rajpal:

:

So Jas, Alice alluded to the reporting obligations that will come into effect in the

Jessica Rajpal:

:

foreseeable future in terms of the Poppy Act.

Jessica Rajpal:

:

What are some of the reporting duties that may exist under that legislation?

Jessica Rajpal:

:

So Kat, certain cyber crimes constitute reportable data breaches.

Jessica Rajpal:

:

And in terms of Poppy, what this means is that where there are reasonable grounds to

Jessica Rajpal:

:

believe that the personal information of a data subject has been accessed or acquired by

Jessica Rajpal:

:

an unauthorized person, the responsible party would, as a general rule, have to

Jessica Rajpal:

:

notify the information regulator and the relevant data subjects as soon as possible.

Catherine Hendricks:

:

You mentioned the information regulator with companies getting up to speed with their

Catherine Hendricks:

:

poppy compliance.

Catherine Hendricks:

:

Briefly recap our listeners on what exactly is the information regulator and what is

Catherine Hendricks:

:

their role in the space of data protection and cyber security.

Jessica Rajpal:

:

Absolutely, Kat.

Jessica Rajpal:

:

The information regulator is an independent body and it derives its mandate from section

Jessica Rajpal:

:

14 of the Constitution, which relates to the right to privacy as well as Section 32 of the

Jessica Rajpal:

:

Constitution, which involves the right of access to information.

Jessica Rajpal:

:

Among other things, the regulators empowered to monitor and enforce compliance by public

Jessica Rajpal:

:

and private bodies, which are referred to in poppy as responsible parties.

Alice Letsoalo:

:

And let's touch on some of the obligations imposed by the Poppy Act.

Alice Letsoalo:

:

What we know is that it makes it obligatory to comply with the conditions for lawful

Alice Letsoalo:

:

processing of personal information, and that it also places an obligation on responsible

Alice Letsoalo:

:

parties to disclose breaches of information and give the information regulator power to

Alice Letsoalo:

:

impose severe penalties where responsible parties fail to adequately protect

Alice Letsoalo:

:

information or fail to report data breaches.

Jessica Rajpal:

:

Yes. So in a nutshell, this would entail having an incident management plan that

Jessica Rajpal:

:

properly sets out the steps to determine whether a cyber crime constitutes a

Jessica Rajpal:

:

reportable breach.

Jessica Rajpal:

:

Having a robust breach detection investigation and internal reporting

Jessica Rajpal:

:

procedure. All of.

Jessica Rajpal:

:

This is critical for purposes of mitigating security risks.

Catherine Hendricks:

:

And what are some examples of a good cyber governance strategy Jess?

Jessica Rajpal:

:

So Katz just to name a few things, organizations need to clearly identify their

Jessica Rajpal:

:

cyber security obligations and goals.

Jessica Rajpal:

:

They need to develop and implement standards to subscribe to.

Jessica Rajpal:

:

And an example of this would be ISO 9001 2017, which is a standard that can be used as

Jessica Rajpal:

:

a platform on which to base effective cyber security programs.

Jessica Rajpal:

:

An organization would have to establish the appropriate internal processes and procedures

Jessica Rajpal:

:

to manage cyber risks, determine the necessary protocols to enforce compliance and

Jessica Rajpal:

:

quite importantly, equip its employees with the relevant resources and guidance to carry

Jessica Rajpal:

:

out the organization's cyber security.

Jessica Rajpal:

:

This would of course include ongoing training, etcetera.

Catherine Hendricks:

:

And I imagine mitigating a data breach would be quite difficult.

Catherine Hendricks:

:

Not only would an organization have to deal with the operational impact, but the

Catherine Hendricks:

:

reputational and legal implications as well.

Catherine Hendricks:

:

So what are some of the things that entities would have to be cognisant of in the instance

Catherine Hendricks:

:

of a data breach?

Jessica Rajpal:

:

Well, from a legal perspective, organizations need to be aware that a level of transparency

Jessica Rajpal:

:

is required by both the Cybercrimes Act and the Poppy Act.

Jessica Rajpal:

:

It was mentioned earlier that in terms of the Cyber Crimes Act, electronic service

Jessica Rajpal:

:

providers will be required to report cyber attacks within a specific period of time,

Jessica Rajpal:

:

although that provision hasn't yet been enacted.

Jessica Rajpal:

:

Then in terms of the Poppy Act, security measures must be put in place by responsible

Jessica Rajpal:

:

parties to ensure the integrity and confidentiality of personal information in

Jessica Rajpal:

:

its possession.

Jessica Rajpal:

:

In terms of the Act, responsible parties are required to notify the Information Regulator

Jessica Rajpal:

:

as well as any parties whose personal information has been accessed by by an

Jessica Rajpal:

:

unauthorised party in the event of a security compromise.

Jessica Rajpal:

:

Something important to note, Kat, is that there isn't a threshold in respect of

Jessica Rajpal:

:

reporting such compromises.

Jessica Rajpal:

:

In terms of Poppy.

Alice Letsoalo:

:

That's a very interesting point, Jess.

Alice Letsoalo:

:

So if one considers the implications of notifying the Information Regulator, one can

Alice Letsoalo:

:

then imagine that where an organization has faced a data breach but isn't confident about

Alice Letsoalo:

:

having established and enforced the appropriate protocols to prevent and mitigate

Alice Letsoalo:

:

such a breach, that organization may be reluctant to report this sort of crime.

Alice Letsoalo:

:

However, I think it's important that organizations are aware that a failure to

Alice Letsoalo:

:

report such incidents may very well expose them to a sanction under the Poppy Act.

Catherine Hendricks:

:

Absolutely. And what exactly should this notification entail?

Catherine Hendricks:

:

Jess?

Jessica Rajpal:

:

Well Kat, at the very least the identity of the unauthorized person who access the

Jessica Rajpal:

:

information. If this is known by the responsible party, the notification should

Jessica Rajpal:

:

provide details regarding the possible consequences of the breach, including details

Jessica Rajpal:

:

of the measures that the responsible party will take and recommendations of measures

Jessica Rajpal:

:

that should be taken by affected data subjects whose information has been leaked.

Jessica Rajpal:

:

Something else to note is that the information regulator could require that the

Jessica Rajpal:

:

responsible party publicise the data breach.

Catherine Hendricks:

:

Publicising something like that exposes organizations to serious reputational and

Catherine Hendricks:

:

financial harm.

Catherine Hendricks:

:

It's quite apparent that organisations really need to have a clear prevention and

Catherine Hendricks:

:

response plan when it comes to data breaches.

Catherine Hendricks:

:

There's a lot to consider protocols, mitigation strategies, very clear policies,

Catherine Hendricks:

:

adhering to the notification requirements.

Catherine Hendricks:

:

This really goes to show that the issue of cyber risk and crime can't be overemphasized

Catherine Hendricks:

:

in today's risk governance framework.

Alice Letsoalo:

:

Absolutely. I am so glad that we met today to share with our listeners some of the

Alice Letsoalo:

:

important factors to know from a legal perspective when it comes to data breaches.

Alice Letsoalo:

:

Jess, Kath, thanks so much for sharing your insights.

Alice Letsoalo:

:

I think that concludes our conversation for today.

Alice Letsoalo:

:

Thank you everyone for listening.

Jessica Rajpal:

:

Thank you very much, Alice.

Jessica Rajpal:

:

Goodbye all.

Catherine Hendricks:

:

Thanks so much, Alice.

Chapters

Video

More from YouTube