There are three high-water marks in the evolution of a body of “information security law” in South Africa:
- The King III Report™ on Governance for South Africa was released on 1 September 2009
- The ECT Act in 2002
- The release of the 10th draft of the Protection of Personal Information Bill (POPI) in September 2012.
King III™ recommended that the board ensure that “information assets are managed effectively”. This includes the protection of information: “information security” (principle 5.6, sections 40 to 42).
The ECT Act:
- provided a framework for public key infrastructures (PKI),
- laid down the requirements for reliable electronic signatures (“advanced electronic signatures”),
- provided the requirements for transactional security, and
- introduced a range of cybercrimes into our law for the first time.
POPI has introduced the concepts of providing appropriate, reasonable technical and organisational measures to protect personal information.
In 2004, three trends in information security law in the United States were identified by Mr. Thomas Smedinghoff in his article titled “Security and Surveillance, Trends in the Law of Information Security”, published in the BNA International World Data Protection Report.
Almost nine years later, we begin to identify those trends emerging in South Africa.
Trend 1 – Information security is now a corporate obligation
“In the Wild West, when Jesse James and Butch Cassidy robbed banks, we felt sorry for the banks and hunted down the outlaws. Today, when someone breaks into a company’s computer system, our response is totally different: We blame the company for failing to provide adequate security” (Smedinghoff).
Information security is therefore no longer just a technical issue for the IT Department. King III™ specifically requires the board to ensure that an information security framework is developed and an information security management system implemented. The risk and audit committees must assist the board in their IT responsibilities.
Information security is now a board agenda item by virtue of the fact that it forms part of IT governance.
When it comes to the protection of “personal information” POPI imposes several security measures.
Trend 2 – Emergence of a Legal Standard
POPI marks the emergence of the second trend: a legal standard against which information security will be measured generally, and for compliance with POPI in particular. This raises key questions. Just what exactly is a business meant to do? What is the scope of its legal obligation to implement information security measures?
Section 19(1) of POPI requires entities that process personal information to “secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures”: words which are deliberately very broad and non-specific. This wording takes account of the fact that information security can never be absolute. It is also technologically neutral.
POPI requires companies to engage in an ongoing and repetitive process
Rather than telling companies what specific security measures they must implement, section 19(2) requires companies to engage in an ongoing and repetitive process that is designed to: identify all reasonably foreseeable internal and external risks; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. Key to the legal information security standard in POPI is the requirement that security be responsive to the company’s fact-specific risk assessment.
This process is advocated by (amongst others) the South African National Standard SANS 27001:2006/ISO/IEC 27001:2005 (Information technology – Security techniques – Information security management systems – Requirements). This standard was approved by the South African Bureau of Standards (SABS) in January 2006. This standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS). It is a much higher level standard than SANS 17799:2005.
Security must respond to the specific risks of a company
The key to the new legal obligation is that security must respond to the specific risks of a company. In other words, merely implementing seemingly strong security measures is not sufficient. Security measures must respond to the particular threats a business faces and must address its vulnerabilities. Brian Gaff gives the example that posting armed guards around a building or requiring key-card access may give the appearance of security, but if the primary threat the company faces is unauthorised remote access via the Internet, physical security measures are of little value. Likewise, firewalls and intrusion detection software are often effective ways to stop hackers and protect sensitive databases, but if a company’s major vulnerability is careless (or malicious) employees who inadvertently (or intentionally) disclose passwords or protected information, then even those sophisticated technical security measures, although important, will not adequately address the problem.
Trend 3 – Duty to disclose security breaches
Current law does not oblige a company to implement security measures – instead it obliges a company to disclose security breaches. Section 22 of POPI requires responsible parties to notify the Regulator and the data subject “where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person”.
This is similar to the common law “duty of care” and foreseeability, and to the obligation to warn of dangers where they are known.
The emergence of the obligation to disclose security breaches highlights the necessity for proper incident management policies to be in place. Information security incidents occur all the time. If they are not properly managed, they erode confidence in the IT Department, compromise the company’s computer systems, and can be used to extort or publicly embarrass a company. A structured and coordinated approach is necessary to ensure a fast and effective resolution that limits or mitigates the impact of each security incident on a company’s business.