“My business collects and stores quite a large amount of client data. We were recently nearly hacked and were lucky that no information was leaked. I’m concerned about another attack and worried what would happen if information was leaked. What should I do?”
It is well recognised that the way we do business and interact has radically changed in the current digital age. Businesses operate online, have social media accounts and trade with consumers who never set foot inside their store. Customers also review, rate and make decisions about a business based on its online credentials. The more data a business processes, the larger the target painted on its back for potential hackers, scammers and fraudsters.
In this digital world, consumers have understandably also become increasingly concerned about privacy and the security of their digital footprint, and they make engagement decisions based on the perceived risk level of the business. Nothing scares off consumers more easily than a business that appears to have been compromised, is not safe to engage with or appears open to hacking or other online malfeasance. Recent studies have gone so far as to predict that nearly two-thirds of consumers would likely end a business relationship with a company whose data security in respect of personal information has been compromised.
This makes data security and privacy a vital aspect of any business today; a failure to protect personal information can attract massive reputational damage and loss of business. Businesses cannot ignore the need to take steps to protect the personal information of their customers. With the introduction of the Protection of Personal Information Act 4 of 2013 (“POPIA”), this need has now also been legislated, requiring all businesses that process personal information of customers to secure and safeguard such information.
POPIA obliges businesses to ensure data security by taking appropriate and reasonable technical (electronic) and organisational (physical) measures to prevent loss, damage, unauthorised destruction, unlawful access to, and/or unlawful processing of personal information. To do so, businesses should consider generally accepted information security practices and procedures as well as any specific practices and procedures that may be required in terms of industry specific rules and regulations that apply to the business.
In addition to physical and electronic security measures, a business must also implement an appropriate data governance framework, including policies and procedures to ensure that its employees have a clear understanding of data security and their obligations in this regard.
If your business has not yet taken the necessary steps to prepare for such compliance, and particularly if you are already being targeted, do not delay: obtain advice from data protection specialists to help you put the necessary procedures and measures in place to protect your business, reputation and client information.