Recently, we wrote about what to do if you believe your data or personal information has been hacked. The question we now ask is whether or not companies are doing enough to secure our data, especially after an estimated 70 million identity numbers held by an estate agency were compromised. This data included highly sensitive information such as address history, credit status and employment history.
The reality is that our data is out there and hackers seem to always be one step ahead. While the companies that hold our data will have a responsibility to keep the information safe once the Protection of Personal Information Act is in force, there is no way we can know whether they are taking sufficient measures and, even if they do, there is no such thing as foolproof security.
In June, IBM Security and Ponemon Institute released the 2017 Cost of Data Breach Study: Global Overview, which argued that South Africa had the highest probability of experiencing a data breach within the next 24 months.
Brennan Wright, spokesperson for identity verification company ThisIsMe, says we are living in an environment where our information is vulnerable and we as individuals need to be taking more responsibility for our data security. One of his concerns is that the act has still not come into effect, leaving customers vulnerable when it comes to the protection of their personal information. The act specifically requires companies holding our data to have appropriate and reasonable security measures in place to protect the information. Although many of the large financial institutions are already adhering to these recommendations, no action can be taken against companies who are not adhering to them, as they are not yet in law.
Wright believes the enforcement of the act would create a balance of power for consumers against businesses who have incentives to collect as much data on us as possible – often data that we may not have consented to providing.
“We are trying to facilitate change for improved systems and tools to protect personal data. The act aims to ensure that data is collected, stored and distributed according to the law; there will be no grey areas. If we request a company to delete our data, it will be obliged to. The act will put consumers in control of their own data,” argues Wright.
Kerri Crawford, senior associate at Norton Rose Fulbright South Africa, says that the first round of public comment for the draft regulations under the act has now been finalised, so we are awaiting an updated draft. Once the consultation and approval process is completed, the regulations will be promulgated and we are then likely to see the announcement of a commencement date for the act.
Crawford says the act will make it easier to hold a company accountable for a breach of personal data when the company has not taken reasonable measures to secure it, as consumers would have the recourse to lodge a complaint with the regulator who could investigate the breach and issue fines. She says global experiences of enforcing privacy laws have resulted in heavy fines, especially in the case of failing to train staff on how to treat personal information, such as a case where an employee left a work file with sensitive information on it on a commuter train. People affected could also claim for damages; however, Crawford warns that you would have to show that there was a loss to you due to the breach in security and that the company failed to take appropriate and reasonable measures to prevent the breach. For example, in my case, had I fallen for the scam and paid the money, I would have had to prove that the information used came from the Hetzner breach and that Hetzner did not have adequate security measures in place.
The good news is that increased awareness about security means there are more technological advances for protecting our data, including the increased use of biometrics, which is moving beyond just fingerprints to voice recognition and programmes that can recognise your behaviour.
Wright says ThisIsMe is helping businesses to mitigate fraud by using its tamper detection technology, which is more accurate than a face-to-face verification to enhance the Financial Intelligence Centre Act process. It has developed technology to verify that a real residence matches the stated address location, as well as patented real-time bank account verifications.
Coupled with their solutions for businesses, ThisIsMe is helping the public to investigate whether our data has been breached, to set up alerts on our credit profile and to safely and securely store and share our identity data. They’ve also recently launched a tool that helps us identify others when transacting on Gumtree or dating sites.
However, no security measure is ever foolproof and there will always be an element of vulnerability as hackers find ways to exploit weaknesses.
“While companies and governments can improve security, individuals need to be a lot more aware and alert about using secure and authentic sites and using strong passwords. We all need to take precautions,” says Wright.