Email Security

    South Africa’s POPIA Privacy Rules vs. Ransomware

    As South Africa’s Data Privacy Law Takes Effect On July 1, One Of Companies’ Biggest Challenges Will Be Safeguarding Personal Information Against Ransomware.

    by Karen Lynch

    Key Points

    • Some South African companies are better prepared than others to meet POPIA’s July 1 deadline to protect citizens’ data privacy.
    • The law’s data breach provisions are proving particularly challenging in the midst of a ransomware crime wave.
    • Companies face both growing ransomware attacks and regulatory penalties if they fail to protect against these breaches.

    Time’s almost up for South African companies to comply with the country’s Protection of Personal Information Act (POPIA). But as the July 1 compliance deadline has neared, one challenge has loomed ever larger: How do you protect citizens’ data from a breach in the midst of a ransomware crime wave?

    POPIA is particularly tough on one aspect of data privacy — data safeguarding — while also instituting a range of requirements to give individuals more control over how their personal data is collected and used. If a company hasn’t taken the necessary steps to protect against data breaches, it could face POPIA penalties under two different scenarios: data theft and data encryption.

    POPIA’s Broad Definition of ‘Data Breach’

    When people think of data breaches, they typically think of data theft — known in security industry parlance as “data exfiltration.” But many attackers don’t actually steal data; instead, they encrypt it on their victim’s site and demand a ransom to decrypt it.

    POPIA would apply in either case by requiring protections against any unauthorized access, processing, damage, destruction or loss of personal information. Any significant data breach needs to be reported to authorities and could draw a penalty up to ZAR 10 million (US$700,000) if data protections are deemed negligent.

    This mandate comes as criminals are launching more ransomware attacks than ever worldwide.[i] So South African businesses face risk on one side from criminals and on the other from regulators.

    A Deeper Dive on Data Safeguarding

    In previous blogs, we’ve given a POPIA 101 crash course and also done some POPIA myth-busting for South African companies racing to meet the coming deadline. Here, we do a deeper dive on POPIA, ransomware and data safeguarding with Brian Pinnock, Mimecast’s director of sales engineering MEA.

    Under POPIA, companies must take organizational and technical measures to prevent data breaches, continually updated in line with evolving best practices and ongoing risk reassessment in a shifting threat landscape.[ii] “You can’t just set it and forget it,” as Pinnock says, when formulating cybersecurity strategy, backing up data, patching IT system vulnerabilities, updating employee awareness training and taking other measures to ensure proper cyber hygiene.

    Importantly, companies should not fall into the trap of thinking they are only liable when a breach results in the theft of personal information. The new law also covers classic cases of ransomware, where attackers encrypt data on a victim’s site to hold it for ransom. So even if data never leaves a company’s premises — in other words, even if it isn’t stolen — regulators could find that company in violation.

    And now, as ransomware has evolved, criminals may both encrypt and exfiltrate data. That is, they may also steal at least some of the information, since companies have been getting better at using backups to avoid paying ransom demands to release encrypted data. Then the criminals threaten to sell the information or make it public on the dark web.

    Email: A Key Element in Battling Ransomware

    Email security should be a priority in any anti-ransomware strategy. As companies protect customer relationship management platforms, human resources systems and other “structured data” from breaches, Pinnock says, some overlook the vast amount of “unstructured” personal information in their email accounts and archives.

    But archived email is also a ransomware target. Companies archiving on the dominant email platforms are provided with basic security, Pinnock says. But they’d have to turn to an email security provider, such as Mimecast, he adds, to level up to ransomware attacks with military-grade security, such as the AES-256 algorithm.

    What’s more, since most criminals use email to break into data systems, securing email deflects most ransomware attacks before they can hit their targets. Here again, companies can choose their weapons: They can rely on basic security on the dominant email platforms or turn to an email security provider for best-of-breed detection and control methods.

    Ransomware Surges in South Africa

    Forty-seven percent of South African companies interviewed for Mimecast’s State of Email Security 2021 report said they’d been hit by ransomware in the previous 12 months. Here’s how the victims described the impacts:

    • Data loss: 66%
    • Business disruption: 53%
    • Reputation damage: 45%
    • Impact to employee productivity: 38%
    • Financial loss: 38%
    • Impact to regulatory compliance: 30%

    Analyzing data breaches of any kind, the Ponemon Institute’s Cost of Data Breach Report 2020 reported the following statistics in South Africa:[iii]

    • 177 days to identify a data breach, on average
    • 51 days to contain a breach
    • US$2.14 million in average costs
    • 48% of breaches caused by a malicious attack
    • 26% caused by a system glitch
    • 26% caused by human error

    Some of the largest South African businesses are seen to be prepared to meet the July 1 deadline, but midsize and smaller companies are less so. Likewise, enforcement is expected to focus first on big companies — with regulators even making an example of any that shirk their obligations — while giving smaller companies some leeway for now. The Ponemon Institute has also shed light on South African companies’ readiness:

    • 16% of companies have fully automated cybersecurity
    • 40% have partially automated security
    • 44% have not automated

    The Bottom Line

    By July 1, companies in South Africa will have to comply with the POPIA data privacy law. Coming in the middle of a ransomware crime wave, the deadline is forcing companies to take a hard look at data breaches as one of their biggest regulatory ris

    [i] “Ransomware Attacks Are Spiking. Is Your Company Prepared?,” Harvard Business Review

    [ii] “Protection of Personal Information Act,” Government Gazette

    [iii] “Cost of a Data Breach Report 2020,” Ponemon Institute for IBM
