1 00:00:03,040 --> 00:00:08,350 Alice Letsoalo: Welcome to Perspectives Fasken Legal Voices on Business. 2 00:00:10,300 --> 00:00:12,610 Hello, everyone. Thank you for joining us. 3 00:00:12,610 --> 00:00:18,010 In this latest episode of Fasken Perspectives, The Voice of Business Law. 4 00:00:18,040 --> 00:00:23,050 My name is Alice Letsoalo, a candidate attorney in the Dispute Resolution practice 5 00:00:23,050 --> 00:00:27,760 at Fasken. I am joined today by my colleagues who will introduce themselves. 6 00:00:28,120 --> 00:00:32,770 Catherine Hendricks: I'm Catherine Hendricks, a Candidate Attorney, also in the Dispute Resolution 7 00:00:32,770 --> 00:00:34,020 practice at Fasken. 8 00:00:34,030 --> 00:00:39,250 Jessica Rajpal: I am Jessica Rajpal, a partner in the Dispute Resolution practice at Fasken. 9 00:00:40,120 --> 00:00:45,130 Catherine Hendricks: On this episode, we will be talking about the relatively new kid on the block, cyber 10 00:00:45,130 --> 00:00:51,220 security. Today we'll be looking at governance risk and cyber crimes in so far as 11 00:00:51,220 --> 00:00:58,120 it relates to the Cyber Crimes Act, as well as the so-called Prince of data protection 12 00:00:58,120 --> 00:01:03,670 Papia. Then we will address how cyber security affects organizations. 13 00:01:03,670 --> 00:01:08,530 And in this part of our discussion, we intend to give a brief overview of key 14 00:01:08,530 --> 00:01:14,750 elements of contracts with service providers who ensure the overall cybersecurity hygiene 15 00:01:14,780 --> 00:01:16,670 of your organization. 16 00:01:16,880 --> 00:01:20,600 And so on that note, I'm going to hand it over to Alice. 17 00:01:20,630 --> 00:01:21,870 Alice Letsoalo: Thank you, Kath. 18 00:01:21,890 --> 00:01:28,040 So first things first is for us to define what corporate governance is as it relates to 19 00:01:28,040 --> 00:01:29,360 cyber security. 20 00:01:29,450 --> 00:01:35,660 And it is defined as a practice by which companies are managed and controlled and as 21 00:01:35,660 --> 00:01:40,850 also being concerned with holding the balance between economic and social goals and 22 00:01:40,850 --> 00:01:43,520 between individual and communal goals. 23 00:01:43,520 --> 00:01:48,980 So for purposes of our discussion today, we want to focus on the role that corporate 24 00:01:48,980 --> 00:01:55,010 governance has on the executive and our board level oversight in cyber security. 25 00:01:55,010 --> 00:01:59,480 And we do know that Jessica is going to touch on that for us a bit later. 26 00:01:59,480 --> 00:02:04,730 So we thought it would be an interesting topic to get into because usually when we 27 00:02:04,760 --> 00:02:10,400 consider corporate governance, we think about the elements of financial integrity, 28 00:02:10,450 --> 00:02:12,820 legal and regulatory compliance and et cetera. 29 00:02:13,540 --> 00:02:18,370 However, we do know that in the wake of cyber attacks, that has cost multiple 30 00:02:18,370 --> 00:02:20,110 enterprises millions. 31 00:02:20,140 --> 00:02:25,060 Corporate governance in the context of cyber security has also become increasingly 32 00:02:25,060 --> 00:02:31,810 important. So I think it begs the question of how cyber governance can be evolved in 33 00:02:31,810 --> 00:02:36,160 order to take into account the threats on our business operations. 34 00:02:36,580 --> 00:02:44,470 Catherine Hendricks: Yes. So some of the four major areas in which cyber governance can be evolved, namely 35 00:02:44,470 --> 00:02:51,160 inverting the cyber security leadership responsibility, adopting the right cyber 36 00:02:51,160 --> 00:02:55,740 security framework, addressing the organization structure. 37 00:02:55,750 --> 00:02:58,570 So let's start with the very first element, Jessica. 38 00:02:59,650 --> 00:03:05,560 What do we mean by inverting the cyber security leadership responsibilities? 39 00:03:05,980 --> 00:03:07,810 Jessica Rajpal: Kath I'm so glad we're having this conversation. 40 00:03:08,800 --> 00:03:13,820 If it isn't front and center of boardroom discussions, it certainly should be. 41 00:03:13,820 --> 00:03:18,590 What we know is that traditionally the approach to cyber security has been a bottom 42 00:03:18,590 --> 00:03:26,300 up approach, meaning that the IT team or an employee with experience is asked to identify 43 00:03:26,300 --> 00:03:31,310 cyber security defense mechanisms and to prepare response policies. 44 00:03:31,310 --> 00:03:36,200 These are usually developed as technical tools, but often have little regard to the 45 00:03:36,200 --> 00:03:38,870 operational implications in a business. 46 00:03:39,290 --> 00:03:44,450 It is, however, important to note that a cyber security governance model that is 47 00:03:44,450 --> 00:03:50,150 inverted to a top down approach may direct the directors and the management of the 48 00:03:50,150 --> 00:03:55,010 enterprise to establish a cyber security framework that takes into account the 49 00:03:55,010 --> 00:04:00,440 financial, legal, regulatory and reputational risks of a cyber attack. 50 00:04:00,470 --> 00:04:05,840 Using this information, a company can then curate the necessary technical tools to 51 00:04:05,840 --> 00:04:08,540 prevent such cyber attacks. 52 00:04:09,530 --> 00:04:14,810 And on that score, Kat, this should raise an alarm in the minds of executives about some 53 00:04:14,810 --> 00:04:19,280 of the legal and regulatory implications in respect of cyber security. 54 00:04:19,310 --> 00:04:21,950 More specifically, the Cyber Crimes Act is important. 55 00:04:22,940 --> 00:04:28,310 Directors must be aware, for instance, of what constitutes a cyber crime, what steps to 56 00:04:28,310 --> 00:04:32,930 take when one is faced with a cyber attack, specifically in relation to the to the Cyber 57 00:04:32,930 --> 00:04:37,880 Crimes Act and some of the protections that are available to them when faced with a cyber 58 00:04:37,880 --> 00:04:42,590 attack. Additionally, Catherine, and in accordance with the proclamation in the 59 00:04:42,590 --> 00:04:48,270 Gazette, we know that certain aspects of the Cyber Crimes Act came into operation on the 60 00:04:48,270 --> 00:04:53,840 1st of December 2021, and we now know that there are a few gazetted cyber crimes that 61 00:04:53,840 --> 00:04:56,630 are punishable by fine or imprisonment. 62 00:04:56,660 --> 00:05:02,030 These include unlawfully accessing a computer system or computer data storage 63 00:05:02,030 --> 00:05:07,370 medium, which allows the person to intercept data or interfere with data or the computer 64 00:05:07,370 --> 00:05:13,610 system and unlawfully intercepting data, for example, acquiring, viewing, capturing or 65 00:05:13,610 --> 00:05:19,220 copying any data that is non-public, so as to make it available to a person other than 66 00:05:19,220 --> 00:05:22,340 the lawful owner or the holder of the data. 67 00:05:22,370 --> 00:05:26,780 There are a few more, Kath, but I won't go into all of them today. 68 00:05:27,080 --> 00:05:33,230 Alice Letsoalo: And if I can just highlight that we also know that the South African police services, its 69 00:05:33,230 --> 00:05:40,040 members and also its investigators have now been given an extensive powers to search, to 70 00:05:40,040 --> 00:05:44,960 access, seize certain articles and investigate these cyber crimes. 71 00:05:45,200 --> 00:05:46,640 Jessica Rajpal: That's correct, Alice. 72 00:05:46,640 --> 00:05:50,840 And it is an interesting development that we are keeping an eye on. 73 00:05:51,110 --> 00:05:56,900 Alice Letsoalo: So bringing it back to the question of corporate governance with an action of the 74 00:05:56,900 --> 00:06:03,530 Cyber Crimes Act, we see a greater need for a cyber governance framework that takes all 75 00:06:03,530 --> 00:06:05,360 of this into consideration. 76 00:06:05,480 --> 00:06:11,250 Most notably absent, however, was the provision in the Act that imposes reporting 77 00:06:11,250 --> 00:06:17,600 obligations by financial institutions and electronic communications service providers. 78 00:06:17,610 --> 00:06:23,310 So as it currently stands, financial institutions and electronic communications 79 00:06:23,310 --> 00:06:30,270 service providers are not yet obliged to report cyber crimes within 72 hours to the 80 00:06:30,390 --> 00:06:36,030 SAPs after having become aware of the offence and to preserve any information that 81 00:06:36,030 --> 00:06:42,000 may assist the SAPs with its investigations relating to the alleged offences. 82 00:06:42,330 --> 00:06:48,240 Indeed, Kath. But I think equally as important to note is it will eventually come 83 00:06:48,240 --> 00:06:55,080 into effect some day in the future and so such enterprises must be aware of this and 84 00:06:55,080 --> 00:06:58,710 they must incorporate reporting procedures in their policies. 85 00:06:58,800 --> 00:07:03,810 Otherwise once it's in operation, this could actually lead to a fine of not exceeding 86 00:07:03,810 --> 00:07:05,520 50,000 rand. 87 00:07:05,700 --> 00:07:12,090 But I think it leads us nicely into our topic regarding Poppy or the Poppy Act, 88 00:07:12,090 --> 00:07:15,660 because more often than not, when we think of a cyber attack. 89 00:07:15,690 --> 00:07:20,970 There's a great possibility that this information was personal information or even 90 00:07:20,970 --> 00:07:25,740 special personal information as defined by Poppy, which was breached. 91 00:07:26,130 --> 00:07:30,990 Jessica Rajpal: Yes, Alice. So the Poppy Act and the Cyber Crimes Act are really meant to complement 92 00:07:30,990 --> 00:07:34,980 each other with the Poppy Act protecting personal information. 93 00:07:34,980 --> 00:07:40,410 And on the same token, one could view the Cyber Crimes Act as a means to also protect 94 00:07:40,410 --> 00:07:46,440 personal information and make data breaches punishable offences where offences relating 95 00:07:46,470 --> 00:07:53,880 to data, data breaches, ransomware attacks, cyber forgery and cyber extortion are likely 96 00:07:53,880 --> 00:07:55,410 to become prevalent. 97 00:07:55,560 --> 00:08:02,190 So Jas, Alice alluded to the reporting obligations that will come into effect in the 98 00:08:02,190 --> 00:08:05,160 foreseeable future in terms of the Poppy Act. 99 00:08:05,490 --> 00:08:10,470 What are some of the reporting duties that may exist under that legislation? 100 00:08:10,710 --> 00:08:15,750 So Kat, certain cyber crimes constitute reportable data breaches. 101 00:08:15,750 --> 00:08:20,160 And in terms of Poppy, what this means is that where there are reasonable grounds to 102 00:08:20,160 --> 00:08:25,290 believe that the personal information of a data subject has been accessed or acquired by 103 00:08:25,290 --> 00:08:30,150 an unauthorized person, the responsible party would, as a general rule, have to 104 00:08:30,150 --> 00:08:35,580 notify the information regulator and the relevant data subjects as soon as possible. 105 00:08:36,210 --> 00:08:41,400 Catherine Hendricks: You mentioned the information regulator with companies getting up to speed with their 106 00:08:41,400 --> 00:08:42,750 poppy compliance. 107 00:08:42,780 --> 00:08:48,390 Briefly recap our listeners on what exactly is the information regulator and what is 108 00:08:48,390 --> 00:08:52,200 their role in the space of data protection and cyber security. 109 00:08:52,440 --> 00:08:53,490 Jessica Rajpal: Absolutely, Kat. 110 00:08:53,520 --> 00:08:58,440 The information regulator is an independent body and it derives its mandate from section 111 00:08:58,440 --> 00:09:04,200 14 of the Constitution, which relates to the right to privacy as well as Section 32 of the 112 00:09:04,200 --> 00:09:08,370 Constitution, which involves the right of access to information. 113 00:09:08,400 --> 00:09:13,710 Among other things, the regulators empowered to monitor and enforce compliance by public 114 00:09:13,710 --> 00:09:18,480 and private bodies, which are referred to in poppy as responsible parties. 115 00:09:19,090 --> 00:09:23,640 Alice Letsoalo: And let's touch on some of the obligations imposed by the Poppy Act. 116 00:09:23,670 --> 00:09:29,010 What we know is that it makes it obligatory to comply with the conditions for lawful 117 00:09:29,010 --> 00:09:34,800 processing of personal information, and that it also places an obligation on responsible 118 00:09:34,800 --> 00:09:41,970 parties to disclose breaches of information and give the information regulator power to 119 00:09:41,970 --> 00:09:47,130 impose severe penalties where responsible parties fail to adequately protect 120 00:09:47,130 --> 00:09:50,970 information or fail to report data breaches. 121 00:09:51,870 --> 00:09:57,240 Jessica Rajpal: Yes. So in a nutshell, this would entail having an incident management plan that 122 00:09:57,240 --> 00:10:01,590 properly sets out the steps to determine whether a cyber crime constitutes a 123 00:10:01,590 --> 00:10:03,060 reportable breach. 124 00:10:03,090 --> 00:10:08,010 Having a robust breach detection investigation and internal reporting 125 00:10:08,010 --> 00:10:09,240 procedure. All of. 126 00:10:09,270 --> 00:10:12,930 This is critical for purposes of mitigating security risks. 127 00:10:13,500 --> 00:10:18,090 Catherine Hendricks: And what are some examples of a good cyber governance strategy Jess? 128 00:10:18,090 --> 00:10:25,080 Jessica Rajpal: So Katz just to name a few things, organizations need to clearly identify their 129 00:10:25,080 --> 00:10:28,080 cyber security obligations and goals. 130 00:10:28,110 --> 00:10:31,620 They need to develop and implement standards to subscribe to. 131 00:10:31,620 --> 00:10:38,610 And an example of this would be ISO 9001 2017, which is a standard that can be used as 132 00:10:38,610 --> 00:10:42,560 a platform on which to base effective cyber security programs. 133 00:10:42,570 --> 00:10:47,550 An organization would have to establish the appropriate internal processes and procedures 134 00:10:47,550 --> 00:10:52,500 to manage cyber risks, determine the necessary protocols to enforce compliance and 135 00:10:52,500 --> 00:10:57,930 quite importantly, equip its employees with the relevant resources and guidance to carry 136 00:10:57,930 --> 00:11:00,320 out the organization's cyber security. 137 00:11:00,330 --> 00:11:04,140 This would of course include ongoing training, etcetera. 138 00:11:04,470 --> 00:11:09,540 Catherine Hendricks: And I imagine mitigating a data breach would be quite difficult. 139 00:11:09,660 --> 00:11:14,730 Not only would an organization have to deal with the operational impact, but the 140 00:11:14,730 --> 00:11:17,970 reputational and legal implications as well. 141 00:11:18,090 --> 00:11:24,150 So what are some of the things that entities would have to be cognisant of in the instance 142 00:11:24,150 --> 00:11:25,620 of a data breach? 143 00:11:26,160 --> 00:11:32,160 Jessica Rajpal: Well, from a legal perspective, organizations need to be aware that a level of transparency 144 00:11:32,160 --> 00:11:36,060 is required by both the Cybercrimes Act and the Poppy Act. 145 00:11:36,090 --> 00:11:41,130 It was mentioned earlier that in terms of the Cyber Crimes Act, electronic service 146 00:11:41,130 --> 00:11:45,960 providers will be required to report cyber attacks within a specific period of time, 147 00:11:45,960 --> 00:11:48,540 although that provision hasn't yet been enacted. 148 00:11:49,530 --> 00:11:54,390 Then in terms of the Poppy Act, security measures must be put in place by responsible 149 00:11:54,390 --> 00:11:58,980 parties to ensure the integrity and confidentiality of personal information in 150 00:11:58,980 --> 00:12:00,020 its possession. 151 00:12:00,030 --> 00:12:05,160 In terms of the Act, responsible parties are required to notify the Information Regulator 152 00:12:05,160 --> 00:12:10,120 as well as any parties whose personal information has been accessed by by an 153 00:12:10,120 --> 00:12:13,600 unauthorised party in the event of a security compromise. 154 00:12:13,600 --> 00:12:18,130 Something important to note, Kat, is that there isn't a threshold in respect of 155 00:12:18,130 --> 00:12:19,810 reporting such compromises. 156 00:12:19,810 --> 00:12:21,040 In terms of Poppy. 157 00:12:21,670 --> 00:12:23,760 Alice Letsoalo: That's a very interesting point, Jess. 158 00:12:23,760 --> 00:12:29,950 So if one considers the implications of notifying the Information Regulator, one can 159 00:12:29,980 --> 00:12:35,320 then imagine that where an organization has faced a data breach but isn't confident about 160 00:12:35,320 --> 00:12:40,990 having established and enforced the appropriate protocols to prevent and mitigate 161 00:12:40,990 --> 00:12:46,390 such a breach, that organization may be reluctant to report this sort of crime. 162 00:12:47,030 --> 00:12:51,470 However, I think it's important that organizations are aware that a failure to 163 00:12:51,470 --> 00:12:56,630 report such incidents may very well expose them to a sanction under the Poppy Act. 164 00:12:57,080 --> 00:13:02,200 Catherine Hendricks: Absolutely. And what exactly should this notification entail? 165 00:13:02,210 --> 00:13:02,660 Jess? 166 00:13:03,440 --> 00:13:09,620 Jessica Rajpal: Well Kat, at the very least the identity of the unauthorized person who access the 167 00:13:09,620 --> 00:13:14,540 information. If this is known by the responsible party, the notification should 168 00:13:14,540 --> 00:13:19,250 provide details regarding the possible consequences of the breach, including details 169 00:13:19,250 --> 00:13:25,670 of the measures that the responsible party will take and recommendations of measures 170 00:13:25,670 --> 00:13:30,560 that should be taken by affected data subjects whose information has been leaked. 171 00:13:30,590 --> 00:13:35,120 Something else to note is that the information regulator could require that the 172 00:13:35,120 --> 00:13:38,240 responsible party publicise the data breach. 173 00:13:38,390 --> 00:13:44,150 Catherine Hendricks: Publicising something like that exposes organizations to serious reputational and 174 00:13:44,150 --> 00:13:45,530 financial harm. 175 00:13:45,680 --> 00:13:51,390 It's quite apparent that organisations really need to have a clear prevention and 176 00:13:51,390 --> 00:13:53,430 response plan when it comes to data breaches. 177 00:13:54,360 --> 00:14:00,870 There's a lot to consider protocols, mitigation strategies, very clear policies, 178 00:14:00,900 --> 00:14:03,750 adhering to the notification requirements. 179 00:14:03,780 --> 00:14:09,240 This really goes to show that the issue of cyber risk and crime can't be overemphasized 180 00:14:09,240 --> 00:14:11,490 in today's risk governance framework. 181 00:14:11,760 --> 00:14:17,340 Alice Letsoalo: Absolutely. I am so glad that we met today to share with our listeners some of the 182 00:14:17,340 --> 00:14:22,650 important factors to know from a legal perspective when it comes to data breaches. 183 00:14:22,680 --> 00:14:25,500 Jess, Kath, thanks so much for sharing your insights. 184 00:14:26,550 --> 00:14:29,400 I think that concludes our conversation for today. 185 00:14:30,090 --> 00:14:32,140 Thank you everyone for listening. 186 00:14:32,160 --> 00:14:33,690 Jessica Rajpal: Thank you very much, Alice. 187 00:14:33,750 --> 00:14:34,750 Goodbye all. 188 00:14:34,770 --> 00:14:35,950 Catherine Hendricks: Thanks so much, Alice. 189 00:14:35,970 --> 00:14:36,990 Goodbye, everyone.