Business Maverick


SA’s regulator battles to cope with increasing data breach incidents as funding dries up

Pansy Tlakula, chairperson of the Information Regulator. (Photo: Gallo Images / The Times / Daniel Born)

An interview with Pansy Tlakula, the chairperson of SA’s Information Regulator, which monitors compliance with information protection legislation by private and public sector companies to prevent data breaches.

Pansy Tlakula has gone from being the boss of the Independent Electoral Commission, a highly efficient and slick election body, to leading an office of the Information Regulator that has chronic operational problems.

Tlakula’s office monitors compliance with information protection legislation by private and public sector companies to prevent data breaches, which result in sensitive information belonging to consumers and businesses landing in the wrong hands. The office was set up in 2016 after the Protection of Personal Information (POPI) Act was enacted – but major sections of the act were only operational from 1 July 2020.

From this date, Tlakula was given powers to slap negligent companies with sanctions including fines of up to R10-million or company directors facing imprisonment for up to 10 years. Companies cannot yet be sanctioned under the POPI Act because they have a year-long grace period until 1 July 2021 to comply with the act.

But the mandate of the Information Regulator office might be undermined because it’s seriously underfunded by the government. Underscoring the cash crunch is that the Information Regulator office is run by fewer than 10 executives (similar offices in the UK and US have more than 20 executives and hundreds of support staff). The office has limited internal forensic investigation and IT skills and capacity. And Tlakula cannot afford to hire a communication or media specialist, prompting her to arrange media interviews and drafting press releases about the work of her office.

The importance of her office was highlighted last week when the credit bureau Experian accidentally handed over personal details belonging to as many as 24 million consumers and nearly 800,000 businesses to an individual that it now describes as a “fraudster”. Read more here: Experian offers mea culpa after massive data breach blunder. This is SA’s largest ever data breach. Business Maverick quizzed Tlakula, whose five-year term as the chairperson of the Information Regulator ends in 2021, about damaging data breaches in SA.

DM: Does your office have the capacity to investigate incidents of data breaches in SA, which seem to be getting incredibly sophisticated and worse, given recent incidents at Experian, Liberty, and Momentum Metropolitan?

PT: We don’t have a lot of resources allocated by the government. We are working with a little budget even though we are swamped with rising incidents of reported data breaches. We [her colleagues] tend to moonlight a lot to save money; although I’m the chairperson of the Information Regulator, I even write press releases about the work of the office. In terms of staff, all that we have are four members – three are full-time and one is part-time. Then we have the CEO and five executives – that is all we have at the moment.

We understand that the economy has been severely battered by Covid-19 and that there is no money floating around in the fiscus. But if there are fund allocations made by the National Treasury, they must be sympathetic to us as we are a new institution that has been established from scratch and requires funding. We need a building to house people, get staff and tools of the trade. We need Treasury to give us money to pay executives to retain them.

DM: Do the limited resources impact your ability to carry out your mandate of monitoring compliance by companies with the information protection legislation?

PT: This is worrying. We have raised this issue with the Portfolio Committee on Justice in Parliament. I wrote a letter to the Minister of Finance [Tito Mboweni] asking for more funding because the POPI Act applies not only to private entities but also to public ones. The investigations that have to be conducted by my office are highly specialised. When we have to investigate companies on whether they have adequate security and safeguards to prevent a data breach, we normally require IT forensic investigators, who don’t come cheap.

I also suspect that there won’t be companies that would be willing to pay our maximum R10-million administrative fine. A fined company will go to court because they have deep pockets and would have the best legal minds in the country to represent them. If we cannot match that fight, the Information Regulator’s office won’t function well.

DM: Are you seeing higher data breach incidents because your office is facing funding and capacity problems, which limits its ability to launch investigations?

PT: Yes. During the one-year grace period [for companies to be compliant with the POPI Act], I think cybercriminals know that there is no recourse in SA because we cannot yet enforce our powers. SA is a haven for cybercriminals. From May 2020 and now [24 August], we have had 25 incidents of data breaches. About 19 of these data breaches were self-reported [companies approaching the Information Regulator to report the incident] and we picked up the remaining six incidents through the media.

DM: Has it frustrated you that it has taken lawmakers about five years to have the POPI Act enacted and having it operational?

PT: Yes. But we are now trying to convince the government that we cannot talk about attracting foreign direct investment in SA if we don’t have a functional and protective data protection regulatory authority. People will be very reluctant to do business in SA if their data is not protected. Investors will say this is a place where cybercriminals are having a field day.

I don’t think the penny has dropped for government authorities in SA on the significance of the regulator’s office. When we talk about the digital economy and the Fourth Industrial Revolution, the protection of data is essential to these discussions. We [the Information Regulator office] are not even included in such discussions of the government when they take place.

DM: How have you handled the data breach incident reported by Experian?

PT: The company contacted us for the first time on 6 August about wanting to discuss an urgent matter, which turned out to be the data breach. It did the right thing by contacting us because, in terms of the POPI Act, companies have to self-report when there has been a security breach. We met with Experian on 7 August about the matter. They told us that they have been victims of fraudulent behaviour, were investigating the matter and referring it to the police. We are meeting them again tomorrow [25 August]. DM/BM