There are organisations we pray will never suffer a data breach. The Companies and Intellectual Property Commission (CIPC) is one of those. They hold many people’s data. In fact, there is hardly anyone who formally does business in South Africa without dealing with a CIPC-registered business or becoming CIPC-registered. That is how large the CIPC database is. Imagine, then, many people’s horror when they saw the media statement informing the public about the CIPC data breach. To their credit, CIPC informed the public and did not keep the matter a secret.

What are the details of the CIPC data breach?

CIPC issued a statement on their website to let the public know that cyber criminals had targeted CIPC’s systems and attempted to compromise them. The statement says that CIPC’s IT team managed to pick up on the attempted breaches and managed to identify the affected systems. They subsequently shut the systems down. Eventually, the statement goes on to say, CIPC managed to get the systems back online without suffering any additional breaches. Unfortunately, though, the criminals managed to access some information belonging to CIPC clients and employees.

What does the security compromise mean for CIPC?

We must commend CIPC for issuing the media statement. Publicly admitting that something has gone wrong is never easy, and yet they came out and did so. They also assured the public that they will keep investigating the extent of the data breach and put measures in place. Having said the above, a big question remains: does the statement mean that no further trouble awaits CIPC, that they have done everything that the public would expect or that the regulator would want under POPIA? The short answer is no, not necessarily. Let’s unpack.

  • As a public body, CIPC is automatically exempt from complying with certain POPIA obligations (sections 11(3) and (4), 12, 15, and 18). They still have to comply, though, with the rest of POPIA, including the requirements in sections 19 and 22 on information security and data breaches;
  • The statement is not specific about the date of the data breach or attempted security compromises, and the affected systems, clients, and employees;
  • Due to the statement not being specific, and its silence on whether CIPC individually contacted affected clients and employees, certain clients and employees may feel aggrieved and complain to the regulator. The regulator would then probably issue a pre-investigation notice and investigate the matter;
  • CIPC would likely defend that by arguing that POPIA does not necessarily require them to individually contact and inform each data subject. They may also argue that the nature of the security compromise has not allowed them to find out whose data the criminals actually accessed;
  • Since the statement is public, we have to assume that CIPC informed the regulator, but we do not know exactly what they would have reported to the regulator. If they did not report, the regulator is fully empowered to investigate the matter and issue an enforcement notice to order that CIPC take specific actions. The regulator could go further and also issue a notice for a POPIA Compliance Assessment to assess the extent to which CIPC generally protects personal information and complies with POPIA; and
  • With cybercriminals being responsible for the data breach, the Cybercrimes Act is also relevant in respect of any cybercrime that the criminals may have committed. One of the most important steps that CIPC must consider taking is to preserve evidence and help the police catch the criminals.

Actions you can take