Counting the cost of Liberty’s cyberattack

Liberty could face massive fines through civil lawsuits or from a government-mandated information regulator after falling victim to a cyberattack by unknown hackers.

The financial services firm is fighting to prevent the release of clients’ personal information after its IT systems came under attack on Thursday by hackers who demanded payment.

Insurance companies process and store the sensitive data of millions of clients, including their ID numbers, medical reports and banking details.

Civil claims from aggrieved clients could potentially emerge on the basis of their right to privacy being infringed, while fines as high as R10-million for each data breach incident could be levied under the Protection of Personal Information (Popi) Act.

The Popi Act, introduced when government realised that data breaches were a rising threat across industries, puts the onus on companies to safeguard the collection and storage of personal information. While much of the act has not yet been enacted into law, advocate Pansy Tlakula has been appointed as information regulator. Her office has vowed to revisit past data breach incidents.

This means that Liberty’s data breach might be reviewed once the Popi Act is enacted into law, says Santho Mohapeloa, digital distribution specialist at SHA Specialist Underwriters. If the data breach occurred as a result of a contravention of Popi, then the principle of strict liability would apply — subject to a responsible party being found to have failed to comply with the act.

A fine would be warranted if Liberty’s IT systems were found by the regulator to be poor.

Liberty sent out an SMS on Saturday evening to its clients informing them of the breach of security and unauthorised access to its IT systems. Liberty Group CEO David Munro confirmed on Sunday evening that “criminals” accessed an e-mail server and attachments of its core South African Liberty insurance business.

Liberty did not disclose a great deal of information about the number of affected clients, and Munro said it has since dispatched a team of IT and security specialists to investigate the breach. He said Liberty clients would not suffer any financial loss from the cyberattack.

Personal damages

Mohapeloa said averting financial losses would not absolve Liberty from civil lawsuits as its clients could argue that the cyberattack caused personal damages. “There is an over-emphasis by companies on the actual money being stolen after a data breach, but people forget what criminals can do with the information,” he says. “It could lead to extortion and identity theft.”

Andrew Chester, MD of technology and security specialist firm Ukuvuma Cyber Security, said the onus was on Liberty to ensure that customer data was secure.

Chester said the cyberattack could end up costing Liberty “millions in real and reputational damage” in light of the recently introduced General Data Protection Regulation, a European Union law that toughens the protection of personal information. He said Liberty has European stakeholders, who also have to be informed about the data breach.

“Should client personal data leak onto the dark or public Web, a lot of personal liability issues become a reality for Liberty.”