30 Million plus Personal Records Compromised: Who is Responsible?
A little lost in the noise of the Cabinet reshuffle, but equally disturbing, are reports of the breach involving 30 million plus records of South African citizens. The figures vary, some indicating that in fact 66 million records have been compromised. Whatever the number, this compromise of citizens' information is disastrous. There is little doubt that organised crime has already seized, and will continue to seize, on the opportunity of using citizens' information in perpetrating cybercrimes against South African citizens. This is Minister Mahlobo's legacy as Minister of State Security.
You may ask what this has to do with the compromise of 30 million plus records of South African citizens? It is an indisputable fact that in countries where privacy has been protected and data protection legislation enacted, the information or cybersecurity posture and capability of those countries is significantly enhanced. In South Africa the measures to protect the constitutional right of privacy and protection of personal information have, 21 years after the adoption of the Constitution and 15 years after initiating steps in this regard, still not been properly implemented. The importance of the Protection of Personal Information Act in this context is that it is the first legislative instrument in South Africa to expressly set out the requirement for securing electronic information, particularly personal information, in conformity with generally accepted information security practices. These are the proactive information security measures we so desperately require to be implemented in South Africa. Despite proclaiming the importance of cybersecurity, it is the Department of Justice and, it would appear, the JCPS Cluster that are responsible for the unforgivable delays in enacting this legislation and protecting the South African public. Had the enactment of this legislation and its implementation been dealt with efficiently and effectively, South Africa may have been spared this national embarrassment. It should also be noted that the new Minister of State Security has for several years been a member of the Parliamentary Portfolio Committee for Justice, which is directly responsible for some of these delays.
The Cybercrimes and Cybersecurity Bill seeks to deal more with the results of information security breaches and is reactive. It too is important, and calls for implementation of this type of legislation have been made since 2002, but until recently they have been ignored by the Executive. In its current form the Bill, contrary to cybersecurity frameworks in democracies globally, simply ignores the importance of privacy legislation.
Why the inordinate delays? There are no clear answers, but the delays seem to go beyond pure incompetence and extend more to considered political obstruction. Increasingly it has become evident that, despite its clear value in information security, the Executive regards the Protection of Personal Information Act as an unwelcome inconvenience. The Act provides constitutional defences against overzealous law enforcement and national security. We all know of numerous examples of the ruling party's propensity to disregard the Constitution and our civil liberties if they conflict with its agenda. The ruling party's appetite for independent regulators, in light of the troublesome Thuli Madonsela not permitting unconstitutional action on the part of the Executive at the expense of citizens' rights, is well documented. Another reason is that, with few exceptions, government generally is delinquent with its own information security, a point to which I will return.
The fact that the Information Regulator has already evidenced its independence and that its officers are taking their duties seriously is hugely encouraging. However, the fact is that the Regulator has been grossly under-funded and under-resourced. It should not be forgotten that if it is to properly fulfil its mandate, the Regulator not only has to establish the office, a significant task, but has the additional burden of playing catch-up with other democratic societies' approaches to the advance of technology and the threats that it poses to our privacy. The Department of Justice and the Executive cannot escape responsibility for their dereliction of duty in failing to establish and address information security by the simple expedient of initiating data protection legislation, as they should have years ago.
Returning to Minister Mahlobo and his tenure as Minister of State Security: he has simply done nothing of any consequence to improve the information and cybersecurity posture of government and, indeed, South Africa. Those who may dispute this need look no further than the fact that the Minimum Information Security Standard (MISS), published in 1996 (and inadequate already in 1996 for electronic records and communications), remains the standard for information security within government. It has never been amended to take account of changing technologies or the threats they pose. Despite draft Information Security Regulations, intended to improve information security within government, having been prepared at least as long as 8 years ago, these have inexplicably never seen the light of day. The result is that within government, the largest repository of personal information of South African citizens, documented standards for information security are so poor as to be essentially non-existent.
What of the appointment of Advocate Bongo as the Minister of State Security? Minister Bongo's alliance with the State President, his protection of the State President in Parliamentary debates and his attacks on the former Public Protector Thuli Madonsela are well known. During the hearings on the Cybercrimes & Cybersecurity Bill, Advocate Bongo's questions to commentators and his own comments were alarming in their lack of concern for civil liberties and the right of privacy in particular. His "hawkish" attitude to security makes it clear that he wishes cybersecurity legislation to provide wide powers to law enforcement and national security with little regard for the constitutional right of privacy of citizens. This does not augur well for ensuring the balance between privacy and security that is a feature of democratic societies globally.
Against this background there can be little doubt that the disregard for the constitutional right of privacy and the dilatory attitude of the Executive in implementing legislation, even if the compromise may have occurred in the private sector, is largely to blame for the compromise of 30 million plus records of South African citizens.
This does not exonerate those in the private sector for their own failures, all of whom have a duty to comply with the Constitution. Business has been well aware of its obligations in this regard for a long time. Instead of fulfilling these obligations, many businesses have capitalised on government's delinquency and continued to exploit the personal information of South African citizens for motives of corporate greed. Unfortunately, those who are to blame for placing South African citizens at risk because of the delays described in this article will probably escape legal sanction. Business must recognise that this attitude and failure "to do the right thing" contributes to the climate that has allowed the disregard for the Constitution and the rule of law that led to State capture and the plunder of financial resources within government. The criticisms levelled against Bell Pottinger, KPMG and McKinsey apply to every company that fails to adhere to its constitutional obligations. They too must accept part of the blame for the compromise of our citizens' records.
©Mark Heyink 2017