A year ago, President Cyril Ramaphosa declared that the Protection of Personal Information (POPI) Act would, after a year’s grace period, officially come into effect from 01 July 2021, and that South African businesses would be required to put necessary measures in place to become compliant with the act. The act is in place to ensure better data and security management as well as accountability on how businesses use public data.
How should businesses prepare for POPIA?
With the POPI Act coming to effect from Thursday, 01July 2021 businesses need to act now to ensure that they are prepared and have the correct procedures in place.
Directors and officers are increasingly being found personally liable for cyber breaches, we therefore recommend that you take the following precautions and review your Directors & Officers (D&O) and Cyber Insurance:
- Review your processes for collecting client’s data and ensure you are asking clients to opt-in.
- The opt-in approach is the inverse of the opt-out system. It requires a consumer to expressly consent to receiving communication before the consumer’s personal information may be used for direct marketing purposes.
- Be sure to record what, when and how they consented to opting in.
- Apply strict policies on buying data from external sources.
- Review contracts with third party processors and ensure they are fit for POPIA.
- Develop a culture, starting at board level, of transparency and accountability on how you use personal data.
- Ensure you have a cyber security insurance policy in place and an adequate management liability insurance policy (D&O). These policies must cover data breaches.
- Review current policies in place and examine the indemnity limits.
- If you fail to comply with the POPI Act, whether intentional or accidental, you can be liable for an administrative fine of up to R10 million or imprisonment for a period not exceeding 10 years, or both.
- If your clients are impacted by a data breach, POPIA empowers them to take civil action for damages.
- Provide staff with regular training on best practices of cyber security and ensure data security is a top priority across the business.
Follow these six steps to Cyber Security:-
- Invest in the latest cyber-protection software to secure your wireless network. Boundary firewalls and internet gateways can protect your data whilst scanning against viruses and malware. Outdated software can have vulnerabilities that criminals can easily exploit.
- Implement a business continuity plan that will outline the correct response procedure following a possible disaster relating to cyber security. A continuity plan will help to limit the damage by focusing on getting the business back on track.
- Identify the most important information within your business and keep it segregated from other data. Grant access to only those who really need it whilst also keeping on as few computers/laptops and other portable devices as possible. Sensitive data such as financial information can be encrypted, that will prevent unauthorised users access to it.
- It is often found that the human element is the weakest link in the security chain. Therefore, staff training on security issues such as password strength, downloading of unknown files or programs, awareness of phishing emails and the risks involved are all critical to protecting your business and practising cyber security. You should also be aware of cloud storage and ensure that data is encrypted prior to uploading.
- You can protect your IT systems and network against any viruses spreading across the business by scanning any external devices such as USBs, CDs, external drives etc.
- Cyber insurance is the last resort to protecting your business against the costs related to cybercrime, but perhaps the first serious step that needs to be taken.
-
- Cyber insurance is an addition to your standard business insurance and will cover you against losses relating to damage or loss of information from IT systems and networks. With the POPI Act coming into effect, is very important to discuss these matters with your insurance broker.
The potential increase in privacy-related losses makes Management Liability (D&O) insurance an even more essential tool in managing privacy risks, including those associated with potential POPIA exposures.
As business leaders strive to understand any potential limitations that might impact coverage, they need to carry out a thorough review of their organisation’s D&O policies while keeping POPI in mind.
Among other items, organisations should consider the following when reviewing their D&O policy wording:
- Is your company’s data protection officer, or other POPIA related privacy officer, a true “officer” of the company and thus qualifies as a covered insured?
- Are there relevant exclusions in your policy, regarding cyber and/or privacy? Are your limits sufficient to cover potential POPIA and privacy-related fines and penalties along with other costs?
- Does the policy cover the scope of POPIA fines and penalties, where insurable?
- Is POPIA/privacy noted as an exclusion?
- Is your cover limit adequate to cover POPIA fines and penalties as well as potential legal defence costs?
As privacy regulations evolve, the potential exposure to companies and their directors and officers is likely to increase as well. It is therefore important to understand all new requirements under these laws and how they could affect your risk profiles – and to work closely with your insurance advisors to regularly review D&O and Cyber coverages to keep pace with the changes.
So, what insurance protection is available?
No organisation will be exempt from POPIA, and senior staff members are responsible for educating everyone within the organisation about the POPI Act regulations. If they can show that they take cyber security seriously and have robust defences in place, then they are protecting their personal liability as well as helping keep the organisation secure.
Another way to demonstrate a commitment to security is through purchasing a robust D&O policy, alongside a Cyber Breach Insurance policy, which doesn’t have restrictive POPIA/Privacy exclusions within the wording.
Directors & Officers Insurance
Companies purchase D&O cover because managers can make mistakes, as a result, D&O insurance has become a regular part of a company’s risk management. The core purpose of a D&O policy is to provide financial protection for managers against the consequences of actual or alleged “wrongful acts” when acting in the scope of their managerial duties. The D&O policy will pay for defence costs and financial losses.
In addition, extensions to many D&O policies also cover costs for managers generated through administrative and criminal proceedings or in the course of investigations by regulators or criminal prosecutors. Even if a claim is not successful, cover against the cost of mounting a defence will prove useful.
Another great thing about this policy is that it doesn’t only cover the personal liability of company directors, but also the reimbursement of the insured company in case it has paid the claim of a third party on behalf of its managers in order to protect them.
Coverage is usually for current, future and past directors and officers of a company and its subsidiaries. D&O insurance grants cover on a claims-made basis. This means that claims are only covered if they are made while the policy is in effect or within a contractually agreed extended reporting period, noted in policies as the retroactive date.
In respect of GDPR fines coverage, if these are imposed by the regulator or official body for criminal or quasi-criminal conduct then this is not permitted under English law. Coverage does not include fraudulent, criminal or intentional non-compliant acts or cases where directors obtained illegal remuneration, or acted for personal profit.
Cyber Breach & Liability Insurance
POPIA has increased interest in cyber insurance because the act has elements that are insured on the policy, and also includes data breach response support.
When an organisation experiences a data breach, it is required by the POPI Act to immediately inform their customers. That is why purchasing well-designed policies that cover IT, legal and PR assistance during a cyber-attack is important
When organisations with large amounts of personal data experience a data breach, notifying individuals of a breach (which is likely to result in a high risk to the rights and freedoms of individuals) will be expensive and time-consuming. But if they have a Cyber Breach and Liability insurance policy, they won’t worry because these costs are insurable under this policy. The policy also covers follow up credit and ID monitoring.
Standalone cyber insurance policies will cover fines to the extent they are insurable by law. However, the extent to which insurance proceeds can be used to recoup the cost of regulator penalties under POPIA is a grey area which will need to be tested in the courts.
In terms of liability claims, anyone who suffers damage as a result of a data breach will have the right to receive compensation from the company involved. A cyber policy will cover the defence costs and liability claims resulting from a breach of confidential information. The financial consequences of a data breach will increase the loss estimates attached to data protection on a company’s risk register. Managers should examine the effectiveness of cyber policies already bought, especially indemnity limits.