Know Your Rights: How “Private” is your Information really?

Also published on my blog at: 

https://www.mindsinsync.co.za/index.php/2015/07/27/know-your-rights-how-private-is-your-information-really-and-what-can-you-do-about-it/

Depending on where you are in the world right now:

Good Morning!

Good Night!

Good Afternoon!

Etc. etc.

I recently wrote an article called Bullies in Your Life – Know Your Rights (accessible: https://www.dhirubhai.net/pulse/bullies-your-life-know-rights-nikki-pahliney?trk=mp-reader-card). In this post I explore the fact that very few people actually know what their rights are in relation to workplace aggression, hostility and/or bullying. In my mind bullying, no matter what form it comes in, is a type of abuse and infringes upon a person’s basic human rights.

Having spoken to several individuals regarding the concept of abuse in the corporate world, and in the wake of the recent Ashley Madison saga, I’ve decided to continue with my thread of “Knowing Your Rights”. Today I will be chatting to you about the privacy of your information.

Over the past few months I have realised that laws (at the very least in South Africa) tend to really confuse people! When someone throws legal jargon at you, you probably don’t fully comprehend the concepts they are talking about. Worst of all, in many circumstances you may even believe every single thing the person is saying, just because they sounded “intelligent” whilst saying it! But, it doesn’t mean they are correct and that is why I believe you need to know your rights.

To make it easy, I will be approaching a number of different topics over the next few weeks (and perhaps months – who knows!) to hopefully provide some clarity around certain legal concepts and ideas. I will be using examples from my own experience and I will also mention a few significant cases that friends and family have discussed with me, excluding, of course, the confidential stuff. Feedback will be MUCH appreciated! And, if there is a particular topic surrounding one’s rights which may be of interest to you, please don’t hesitate to pop me a mail at [email protected].

OK, let’s get started! Oh yes, please take note that I am not a legal professional of any sort; I am merely a concerned individual who hopes to share some of my knowledge with you around your basic rights. Thus, please do not take what I am saying as the absolute gospel and also do your own homework. But in the interim, I will do my utmost to try and relay the facts to you in the most straightforward manner. After all, the more you know, the better you will be able to stand up for yourself when the time comes. Also – for some strange reason I really enjoy doing my homework around these things!

First thing to note: I will be discussing the privacy of your information as it relates to South Africa, although I may throw in a few references to the United States and/or United Kingdom.

Your right to the privacy of your information seems like such an obvious thing. Yet, with the globalised world we live in today and the fact that pretty much every website, product and/or company has some type of disclaimer requesting your permission to share your personal information with “third party companies”, it is darn scary how easy it is for pretty much anyone to gain access to your personal information. Nonetheless, when entering into any form of contract with a company for a product or service, you generally always have the option to tick the little box to share your information, or not.

In these cases be careful and read everything. Some companies are a bit sneaky and use confusing wording. Thus, it is really necessary to concentrate when you are reading the sentence next to each little tick-box. In some cases, ticking the box (or checking the box, as the Americans would say) means that you agree to your information being shared with third parties. Whereas in other cases not un-ticking / unchecking the box means that you agree to your information being shared with third parties. If you are like me, you never tick that little box or leave the box ticked!

But how safe is your information really? And what aspects of your information? And are there any South African laws you can turn to, that govern privacy of your information? Please forgive me for my generalisation, but in the United States any Tom, Dick and Harry can sue another person for a transgression of their rights and that especially includes privacy of information. According to Forbes some of the MAJOR data/information breaches in the United States over the past 24 months include:

  1. Major Retailer “Target reported that 40+ million debit and credit card numbers had been stolen during the holiday shopping time last year” Forbes [referring to end 2013].
  2. The following companies reported breaches of between 1 million and 5 million debit and credit card records of customers: Neiman Marcus, White Lodging, Sally Beauty, Michaels, 11 different casinos, Staples, etc.
  3. The following companies reported breaches of 10 million and upwards of debit and credit card and/or personal records of customers: 22.8 million private records within the New York area, Home Depot (56 million), JPMorgan Chase (76 million households and 7 million small businesses), eBay (145 million) and Adobe (152 million records).

The consequences? Billions and billions of dollars to address consumer compensation, jacked-up security systems and more, causing major companies to report significantly lower annual earnings!!!

In South Africa there are laws around the privacy of your information, but these are still very much in the baby stages of being properly applied in practice. One of the major South African laws which came into play recently is the Protection of Personal Information (POPI) Act. This act is specifically aimed at companies which deal with any form of personal information and how that information is handled, stored and secured.

Fun Facts around POPI:

  1. Did you know that if a company does not handle, store and secure your information correctly and/or your information goes public without your knowledge or consent, you could take the company to task and, depending on the circumstances, that company could face severe financial penalties (up to R10 million)!
  2. In fact, there are even possible prison terms associated with the POPI Act, depending on the severity of the transgression and to what extent the company has to comply with POPI’s stringent eight conditions of compliance. For example, Zurich Insurance lost an unencrypted back-up disk and it cost the company a fine of £2.3-million!!!
  3. And finally, the company faces severe reputational risk. For instance, and this is a completely hypothetical example, just imagine if it came to light that Apple or Samsung had experienced a security breach? Just imagine the pandemonium!

So, without this becoming a lengthy legal discussion, what do you, as an individual living, working and/or operating a business in South Africa, need to know about POPI?

Number 1: All companies MUST obtain an individual’s consent before collecting and retaining a person’s information, regardless of the purpose for which the information is used. This info includes things like your name, contact details, ethnicity, age, identification number, email address, religion, sexual preferences, biometrics, educational history, financial records, any personal history, communication records (e.g. Facebook, Twitter, phone calls), etc. Pretty much a record of anything specific to you! The onus is on the company to keep the information up to date (e.g. the correct mailing address for statements, newsletters, etc.), and this must be done by the company contacting you each time to ensure the information is up to date, with your consent.

Number 2: Then, the information must be stored securely and protected until that information is permanently deleted and/or destroyed. Any private or public company must have data protection processes, policies, procedures and responsible individuals in place to manage these information protection processes (e.g. an Information Security Officer).

So, for example, a consultant in the Customer Care Centre of a company cannot simply disclose details of your account to anyone that calls in. There must be strict processes and procedures in place (i.e. security protocols), generally in the form of security questions, to ensure that the individual phoning in is indeed the customer. Only then can the process continue. If it is not the customer calling in and/or the person calling does not have Power of Attorney (POA) on the account in question, then the customer care consultant must turn that person away. Otherwise, that consultant is opening the company up to serious, potential financial penalties, amongst other devastating repercussions.

Another example would be if the information is not properly encrypted, as per the example regarding Zurich Insurance above. If somehow your personal information is leaked because the information was not properly encrypted and this is discovered, then once again the company faces severe fines or worse.

Number 3: Should a breach of information occur in a company, then the company must act quickly. The breach must be reported to the Information Regulator and the individual whose information was breached must be informed immediately. The company must ensure that the correct procedures are in place to ensure that all individuals involved in the breach know how the incident occurred and what has been done to contain the situation. Also, the company needs to then look at how to implement preventative measures to ensure that any such incident does not happen again in future.

So for example, a company cannot simply send out a letter stating that: a breach occurred, but don’t worry, the situation has been sorted out and all the risks have been mitigated. No. The company must be able to demonstrate to the individual (and potentially to the regulator) that the company has exhausted all possible measures to inform the individual, advise the individual, contain the situation and ensure preventative measures are in place. In addition, the breach responses should be coordinated from an executive level downwards to make sure the impacted parties are kept informed throughout the process.

Number 4: So what happens if there is more than one company involved? No matter where the breach happened in the process, whether with a company that loads the information or another company that may store and secure the information, both parties are equally responsible. Both parties must ensure the safety of that information and must disclose a security concern if and when a breach occurs.

Number 5: So when is it not the company’s fault if a breach occurs? If the company can prove that they already had the necessary security protocols in place. These protocols could include training individuals on the POPI Act, training customer care consultants (for example) as to what information may or may not be disclosed at each step in the process to an inquiring individual, and ensuring on-going security analysis and preventative measures are being put into place (i.e. being able to show that they are learning from mistakes and continuing to mitigate risks).

For example, when a breach does occur and the company simply states: “we didn’t know any better” or “we aren’t trained for these types of situations,” that is pure and utter negligence on the part of the company. In such circumstances execs up to the highest levels must be held accountable. However if, for example, the company previously took the necessary precautions and adopted the preventative measures I mentioned above, then the company may potentially not be held liable.

Phew! OK, so now that I’ve gone through all the legal jargon, let’s get to some practical examples. What happens if, for example, your information has been compromised and you have turned to the regulator, but you are not having any luck? Unfortunately, whilst regulations are still very young and POPI is yet to properly come into effect, your options are somewhat limited. But, as I will discuss in an example of my own below, hope is not lost and you may still have a few avenues available:

Number 1: If you have experienced a breach of your information and the company has not followed proper processes, by not informing you, keeping you up to date, ensuring proper protocols are in place, or whatever the case might be, then your first course of action is to hold the company accountable. I suggest escalating the situation to Senior Management and/or Executives to ensure the situation is approached properly.

Number 2: If the company is still acting in a negligent manner and/or not doing everything they should to mitigate and contain the situation, including keeping you informed of what they have done to ensure such a situation does not happen again, do your homework on the company. For instance:

  1. Are there any bodies or associations with which the company may be associated and to which they could be held accountable?
  2. Do those bodies or associations have rules around their members’ behaviour regarding consumers’ personal information?
  3. What is the complaints process?
  4. What are the repercussions?

Number 3: Then, depending on you and your situation, take action!

If companies are not held accountable by consumers, then there is actually no point in having legislation like POPI. We may cry all we want about our information being protected and tell people, “you can’t do that!”, but if you are not prepared to do something about it, then why should any entity change the manner in which it is behaving? Unfortunately the reality is that only if we (the individuals) hold the big boys accountable, will they actually toe the line.

So, coming back to my own personal experience: I was recently the victim of a disastrous breach of my personal information by a major South African Internet Service Provider. Long story short: the ISP, which will remain anonymous for the moment, blatantly provided certain, very specific confidential information from an account of mine to a completely unrelated party. The cherry on the cake: the employee who provided the confidential information KNEW that the unrelated party had just days and weeks prior been unscrupulously trying to access information on the account and, yet, the ISP employee still WILLINGLY provided the very specific information.

In fact, the ISP was kind enough at the time to provide me with a telephone recording, which had occurred prior to the breach, between the unrelated party and a different customer care consultant of the ISP. The unrelated party falsely claimed ownership of the information relevant to my account (and also claimed ownership of another, unrelated company which does domain management and online brand protection business in South Africa and the UK [which I will also be taking to task], which was/is in cahoots with this individual) and attempted for a good 10 to 15 minutes to obtain the information from this customer care consultant. The information which was in fact then later obtained through the ISP's other employee was then manipulated by the unrelated party, taken out of context and used against me in a vicious manner, which has resulted in a number of severe consequences.

Every time I think about it my blood boils! How on earth is one supposed to run a blog, a website or, potentially, a business if you don’t know whether or not your proprietary information is safe with whichever ISP you are subscribed to?

Just imagine the likes of SAB Miller, Tiger Brands, Standard Bank or even Denel finding out that their ISP would willy-nilly confirm and/or provide confidential information relating to their account, to any Joe who has the brains to call into the contact centre and simply ask a few poignant questions about a specific server and/or domain? And the worst part is that this is a major, major South African ISP! I am still absolutely furious and disgusted.

When I initially met with the ISP to discuss what occurred, the ISP made a few apologies and informed me that my information was disclosed as a part of the daily course of work in a situation where the employee was simply doing his best to help out another client of the ISP (by willingly disclosing personal information relevant to a completely separate account to a completely unrelated party). I requested that the ISP provide me with some sort of retraction in response to the confidential information which had been obtained (I can only assume in an unscrupulous manner) by the other party and which was being used for malicious purposes. However the only response I have received to date includes:

From the CEO of the ISP: 1x apology via email for the poor service I received and that he would put me in touch with his Client Retentions Manager to sort out the matter. This was only after I informed him of what had transpired and guess what? He had absolutely no knowledge of the situation! Oh yes and I have not heard from him since (27 June 2015 to be exact)!

Reactive vs. Proactive.

From the Client Retentions Manager of the ISP, something along the lines of: “we didn’t realise it would cause such an issue” and “we are not prepared for these kind of legal things” and, “we confirm whether certain email addresses go through our server to or from domains every single day”… even if it is, or isn’t the client of that particular account confirming which emails are going where.

Negligence.

From the company lawyer: a statement informing me that the company will not get involved any further until they are subpoenaed to provide further information.

Obstructive.

So, what do I do in this situation? Well, I am currently in the process of considering my options at this stage and do not wish to divulge any further. But, I will most certainly take this ISP to task.

Before going too off-track as this particular topic does get me quite riled up, I would just like to once more emphasise that: the theft, deliberate or non-deliberate leakage of your private information is a very common issue in the world today. Unfortunately in South Africa the relevant legislation and actual case law in this regard is still very young and immature.

Your right to the privacy of your information is crucial as it can have adverse effects for you, as it has had for me; for example, loss of income, fraud, identity theft, reputational risk, legal ramifications, etc.

In addition, for companies the consequences are severe; the financial penalties, potential prison considerations and reputational risk.

Thus, when deciding whom you go into business with and what types of contractual agreements you sign, you need to read the small print! You cannot just tick the “Agree” button to the Terms and Conditions!

In the case of my ISP, they have very conveniently set up their Privacy Policy, Client Confidentiality, General Terms and Conditions (T&C’s), and their Limited Liability on various, separate pages on their website. In order to find each and every one of these different pages I had to physically Google each policy I was looking for. On the Client Confidentiality and Privacy Policy pages they talk of looking after their clients’ information with the utmost care. Yet, on the Limited Liability page they explicitly state that they cannot be held liable in any way should a consultant somehow release client information. Isn't that just lovely?

So what is the lesson of the day? Know your rights!

Read all your contracts, understand the T&C’s and even get a lawyer to have a look at the paperwork if needed. Make 200% certain that your personal information can only be accessed by you and find out what recourse you have against the company if your information is compromised in any way. If you are running a business through an ISP you need to find out how easily accessible your information is to any person that calls in. A threat to the safety and security of one’s proprietary information can mean the end of one’s livelihood, adverse legal ramifications, a host of other nasty consequences and, potentially, theft of your identity.

Our world is becoming smaller every day. A simple thing, such as knowing what your rights are around the privacy of your information, could be the difference between you losing everything and quickly being able to put the right safety net in place (Proactive vs. Reactive once more). With regards to my situation, I have implored the ISP to get the right safety measures in place. I also asked them to tell me how they are going to resolve the situation. I have still heard absolutely nothing and the silence speaks volumes.

If you want to make sure your information is looked after, then you need to make sure you know when, where and how easily accessible it is. The reality is that until proper enforcement of POPI comes into play, if you aren’t looking after your personal information, then which people or companies do you think really are?

As per my 2x “super hero” icons, Warren Buffett: “It takes 20 years to build a reputation and five minutes to ruin it; if you think about that you will do things differently.”

And….

Richard Branson: “Your brand name is only as good as your reputation.”

Sources:

The POPI Act: https://www.justice.gov.za/legislation/bills/B9-2009_ProtectionofPersonalInformation.pdf

https://mg.co.za/article/2013-09-03-crib-notes-popi-is-here-for-you

https://www.itweb.co.za/index.php?option=com_content&view=article&id=71001

https://mg.co.za/article/2013-12-02-protection-of-personal-information-act-are-you-compliant/

https://www.itweb.co.za/index.php?option=com_content&view=article&id=143825:Lost-hard-drives-could-lead-to-reputational-loss&catid=355

https://www.itweb.co.za/index.php?option=com_content&view=article&id=143910:Easy-fast-POPI-compliance&catid=69

https://www.itweb.co.za/index.php?option=com_content&view=article&id=140629&utm_source=Recommended&utm_medium=Web&utm_term=POPI&utm_content=POPI&utm_campaign=Recommended

https://www.mondaq.com/southafrica/x/308172/Data+Protection+Privacy/POPI+Takes+Effect

https://www.michalsons.co.za/popi-act-protection-of-personal-information/11105

https://www.michalsons.co.za/popi-commencement-date-popi-effective-date/13109

https://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/

https://www.csoonline.com/article/2843820/data-protection/cybersecurity-2014-breaches-and-costs-rise-confidence-and-budgets-are-low.html
