THE “NEDBANK BREACH”: WHAT IF THE PROTECTION OF PERSONAL INFORMATION ACT WAS IN FORCE?
Nedbank has handled the data breach that its direct marketing services supplier, Computer Facilities (Pty) Ltd, suffered last week reasonably well. This is evident from how they appear to have investigated it and from their frank, factual and informative press release. Apart from some reputational damage and a few million rand in forensics, legal and public relations agency fees, Nedbank should come out relatively unscathed.
Of course, if the Protection of Personal Information Act (“POPIA”) were in force, matters would be a little more serious. As much as the press release appears to direct blame at the service provider (and it certainly appears that the service provider was at fault), the reality is that if POPIA were in force, Nedbank would have almost no escape from civil liability for any damages its clients suffer. POPIA makes someone in Nedbank’s position strictly liable even though the breach may have been caused by its service provider. There are only four defences that Nedbank could raise: that the breach was caused by an act of God; that its customers consented to the breach; that its customers caused the breach; that it was not reasonably practical to avoid the breach; or that the Information Regulator had granted it permission to allow the breach. It is not likely that Nedbank could use any of these defences, so if POPIA were fully effective the only question would be how much Nedbank would pay in damages, not whether it would have to.
Civil damages are, of course, not the only financial penalties for which Nedbank would be liable. If the Information Regulator, after investigating, decides that Nedbank has indeed committed an offence, it can decide what administrative fine to levy on Nedbank. This administrative fine may not exceed R10 million. Nedbank would have 30 days to decide whether to pay the fine or elect to be put on trial in court. If Nedbank chose to contest the fine, the Information Regulator would then refer the offence to the South African Police Service to commence a criminal prosecution in court.
Why, you may ask, would the Information Regulator prosecute Nedbank and not the service provider (after all, it was the service provider who caused the breach)? The reason is that POPIA requires a person in Nedbank’s position to ensure that its service providers take appropriate, reasonable technical and organisational measures to prevent breaches of this nature. Nedbank had a duty to ensure that these measures were in place, and if the breach happened because it had not done proper checks, then it becomes responsible for the breach having happened. If POPIA comes into force on 1 April 2020, as the Information Regulator hopes, everyone that needs to comply with POPIA will be given one year to get their houses in order before the fines and prosecutions start. You had best get ready; I’m sure Nedbank will.
Lucien Pierce
16 February 2020
Lawyer: Telecoms, Information Technology, Data Privacy & Fintech
4 years: Great commentary on what consequences to expect. Thanks Peter.
Information Officers Assoc., GDPR Certification Services, AI Governance
4 years: The consequences could have been much more dire for Nedbank. A lawyer representing 1.7 million clients could lodge information requests for each of these individuals and request at least a letter of apology or a cash settlement of, say, R1000 for each customer. If one lawyer charged each customer R100 to handle the information request, the lawyer would earn R170 million from one action. Nedbank would also need to hire sufficient deputy information officers to respond to the 1.7 million customers affected within a period of 30 to 40 days, or face another complaint! Thereafter there would be an ongoing trickle of requests regarding what was done to remedy the situation, how the data was destroyed and whether assurance can be provided to each of the 1.7 million affected customers. This trickle from 1.7 million customers could go on for months! Disregarding people's privacy rights will not be a trivial matter in the future. Once POPIA is in full effect, companies who have had a "breach" can expect to receive information requests about what was done to remedy the situation. Aida and Dacore may well be asked to explain to 53 million South Africans what they have done since the 2018 breach to remedy the situation! Could that push these companies into liquidation?
I agree. The way they handled the breach shows they actually have a relatively good privacy programme in place. Address the breach with urgency, and communicate, communicate, communicate.
Legal Advisor
4 years: Hi Lucien. Would a further defence not be possible, namely Nedbank arguing that they in fact took proportionate and reasonable organisational and technical measures (and ensured that their third party service provider took these measures by way of a POPI due diligence before engaging their services)?
Experienced Compliance Professional
4 years: Interesting take on the matter. But there are always two sides to a story. Much like any other crime, cyber crime is a reality. Even the best defences can be breached. Ultimately a privacy programme needs to be designed to be resilient, to protect the entity when a breach does happen. I am not sure preventing all attacks is actually even possible. Whether or not a breach can be defended depends on how the privacy programme is designed, implemented and maintained. Understanding your obligations in respect of a 3rd party operator (who is ultimately also a Responsible Party with their own independent obligations) is critical to mitigating risk in your service agreement.