• Jason Jordaan | Principal Forensic Analyst
• DFIRLABS (Pty) Ltd | @DFS_JasonJ | [email protected]
The Protection of Personal Information Act has been hanging over us for some time now, and it finally seems that 2020 will be the year the President signs off key sections of the legislation. What this means is that once the President signs off on the Act, all organisations will have 12 months to comply with the law.
One of the key rationales for the legislation is to protect so-called personally identifiable information in your possession, and failure to do so could lead to significant consequences for an organisation. In terms of Section 107 of the Act, the Information Regulator could impose an administrative fine, which may not exceed R10 million, on any organisation that fails to adequately safeguard personally identifiable information. This is a significant risk.
For most organisations, the discussion about protecting personally identifiable information focuses on the information of customers and clients, in other words the information of parties external to the organisation. But what about our employees? The simple fact of the matter is that the personally identifiable information of our employees that is in our possession must also be protected. A breach of this information can and will have consequences.
All organisations store and process employee data, whether in electronic form (and I am certain that all of our BKCOB members have electronic employee data) or as physical hardcopy. Many of us place significant value on the data we hold from external parties but may not treat our employee information with the same level of security (which is not always the same as keeping employee information confidential). The reason we do this is that we see the external data as having value. It certainly does, but to a cybercriminal your employee data has value too.
It is time for us as organisations to rethink how we look at the security of our employee information. We need to understand that it has as much value as the data of our customers or clients, and that the consequences of this data being breached are exactly the same. We need to act. We need to start understanding the impact of cyberthreats on our organisations, not only in terms of cybercrime, but also in terms of compliance and regulatory risk. We need to know exactly what our cybersecurity posture is, because most organisations, especially in our region, have no real idea of exactly how vulnerable they are.
All it takes is for one attacker to get into your organisation’s computers and copy out employee data, and for the Information Regulator to act on this because you did not implement appropriate security measures. Are you willing to risk this? Personally, I am not, and I don’t think you should either.