POP(I) Music to Consumers' Ears

Long gone are the days when consumers had to be on the lookout for a sharply-dressed man with a fine moustache, comb over and battered briefcase peering over their shoulder at the bank or grocery store in order to obtain a glimpse of the unsuspecting consumer's personal information to eventually draw a fraudulent cheque in their name. In the modern age, most consumers have received notifications via SMS or email that they have won a couple of million dollars in a lucky foreign draw without entering, which begs the question: How did the third party obtain the consumer's personal information?

Consumers find themselves in an increasingly connected world where advances in technology are enabling more sophisticated devices and computing power. These days, bank tellers are startled when anyone under the age of 65 enters the bank to do business. Modern advances in technology have made it possible for consumers to do their banking online. Businesses can effortlessly store their customer lists, supplier information, databases, inventory etc in an easy-to-use system that is all-digital. The fine-moustache-comb-over-man can therefore no longer prey on unsuspecting consumers by using the old school paper trial of yesteryear to exploit consumers and their personal information. One would assume that this is a good thing, but it is quite the opposite. The threat is no longer an identifiable unsavoury character who can be spotted relatively easily. It has also evolved with the technology by morphing into a nameless, faceless threat that is virtually impossible to spot or trace.

Threats to online security have grown and progressed considerably, increasing by 42% in 2012 according to Symantec. In particular, social media and mobile devices have come under increasing attack. If you think someone is violating your privacy online, you are probably right. Symantec conducted research that indicates that 50% of mobile malware created in 2012 attempted to steal consumers' information. Criminal activity is driven by opportunity and cybercriminals are looking for profit by spying on consumers. Their method is to learn the banking details, phone numbers, email addresses and personal information that consumers may have stored on their devices. These attacks are not limited to individual consumers. With cybercrimes, that opportunity appears to be with small businesses or individuals who believe they are immune to attacks or have nothing of value to steal. Attackers often choose to breach the weaker defences of a small business that has a business relationship with the ultimate target, using the smaller company as a springboard to get to the larger businesses.

Today's attackers seemingly have the time, expertise and resources to create threats that bypass detection. An attack starts with a point of ingress to the organisation. This may be an unsecured system that hackers are able to access, a vulnerable machine on which malware is executed, or a user who has been duped into installing malware. Malware, short for malicious or malevolent software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. Consumer information can therefore be obtained from a company or business without them willingly supplying it to the outside source.

The top causes of data breaches according to Symantec in 2012 were: Hackers at 40%; information accidentally made public at 23%; followed by theft or loss of a computer also at 23% and insider theft at 8%. Although there are a number of products on the market to assist companies in protecting their systems and databases, cyber-attacks still occur frequently. The research conducted by Symantec, indicates that the top five targeted industries in 2012 were the following: Manufacturing at 24%; followed by the finance, insurance and real-estate industries at 19%; non-traditional services coming in at 17%, government at 12% and, lastly, the energy and utilities industries at 10% of the total attacks launched by cybercriminals. The conclusion that can be drawn from this is that frontline attacks are moving down the supply chain, particularly for small to medium sized businesses. Threats are not always from an outside source, but can be internal as well. In many organisations and companies, the same administrator password is used across the organisation, making it easier for a disgruntled insider to abruptly take down core systems and access or steal important information.

There is no doubt, that customer databases are one of the most valuable marketing assets of a business. The winds of change, however, are blowing, as the Protection of Personal Information Act (POPI) has been passed by the National Assembly and has been adopted by a Select Committee of the National Council of Provinces. The objectives/aims of this act are to give effect to the constitutional right to privacy by safeguarding a person's personal information when processed by public and private bodies in a manner that balances that right with any other rights. This piece of legislation will also prescribe how personal information about individuals and juristic persons is to be stored, updated and destroyed, provided that the consumer consented to the processing of their information to start off with. In accordance with the act, an information protection regulator will be set up with the function of promoting and enforcing the principles of the act on a national level and it will have the authority to investigate complaints lodged with it. POPI contains a complaints procedure whereby any person may lodge a complaint against any company or organisation relating to unsolicited communications and automated decision making.

In the act, personal information is very broadly defined and includes the following: Information about an identifiable natural person and, in so far as it's applicable, an identifiable juristic person. Information relating to education or medical, criminal or employment history of the person or information relating to financial transactions, in which a person has been involved, is included. The address of a person, identification number and the name of a person, where it appears with other personal information relating to that person, are also specifically included. There are a couple of exclusions, as the act does not apply to the processing of personal information in the course of a purely personal or household activity; this has been de-identified to the extent that it cannot be re-identified again or has been exempted from the application of the information principles.

This, however, seems to be of little use to companies, as only the commission can authorise a responsible party to process personal information if the commission is satisfied that, in the special circumstances of the case, the public interest in that processing outweighs to a substantial degree any interference with the privacy of the data subject that could result from that processing. Alternatively, the commission must be satisfied that the processing involves a clear benefit to the data subject or a third party that outweighs any interference with the privacy of the data subject or third party that could result from the processing. From the aforesaid, it is apparent that these exclusions will not apply to most companies or businesses.      

The implications that this act will hold for businesses and companies are far reaching. The aim of the legislature was to give effect to consumers' right to privacy by introducing measures to ensure that the personal information of an individual is safeguarded when processed. The significance of this proposed piece of legislation is that consumers will have to opt in for marketing purposes. This means that businesses will only be able to share client information with their marketing powers if the consumer specifically gives permission to do so. Furthermore, consumers will be entitled to know what the purpose of the data collection is and who the intended recipients thereof are.

In terms of the act, the responsible parties (which will mostly be businesses and companies) must implement appropriate technical and organisational measures to ensure the integrity of personal information of consumers by safeguarding against the risk of, or damage to, or destruction of personal information. They must further implement these measures to secure the information against the unauthorised or unlawful access to or processing of the information. This means that the responsible party must take measures to identify all reasonably foreseeable internal and external threats to personal information in its possession or under its control, establish and maintain appropriate safeguards against the risk identified and regularly verify that the safeguards are effectively implemented and continuously updated.

From here on out, companies will have to be extra careful when processing any consumer's personal information. Once the act is signed into law, companies and businesses will have to make sure that they fully comply with the provision of the act, as failure to do so could have repercussions for it. A warrant can be issued by a magistrate or judge, if they are satisfied by information on oath supplied by the commission, that there are reasonable grounds for suspecting that a responsible party is interfering with the protection of the personal information of a person, or an offence under this act has been or is being committed. Once such a warrant is granted, the commission or any of its officers or staff may at any time, within seven days of the issuing thereof, enter the premises as identified in the warrant in order to search, inspect, examine, operate and test equipment found there that is used for the processing of personal information. Records may also be searched and seized. Any person convicted of an offence in terms of the act is liable to pay a fine or to imprisonment of up to 10 years, or to both a fine and imprisonment.

Businesses and companies must therefore not only be careful how they process the consumer's information, but also how it is stored. Adequate security measures will need to be in place to not only protect the acquired data from external hackers and other cyber criminals, but also from internal threats. At the end of the day, the company that processed the information will be held responsible if the consumer's information was used against their wishes, even if the company or business that stored the information itself was not directly responsible for the misuse thereof, should they not have adequate security measures in place.

This is a serious piece of legislation that is aimed at protecting the consumers. The writer is of the view that a cyber-war is on the loom. As with all things in life, the scarcer a resource is, the more valuable it becomes. With the POPI Act on the horizon, companies and businesses best prepare for a cyber-onslaught that will undoubtedly be launched against their databases to obtain this very information. Consumers now have a weapon to ward off unwanted "information attacks", as they seemingly view bulk marketing methods. The faceless, nameless thin-moustache-man-with-the-comb-over-and-battered-briefcase is most definitely very much with us and ready to exploit consumer information, leaving businesses and companies to face the POPI music.

Download PDF Back To Listing
Loading data