20 January 2026 8 min

Data Breach Reporting Responsibilities and Penalties in South Africa - What Businesses Need to Know

Written by: Nicolene Schoeman-Louw, SchoemanLaw Inc.

Category: Commercial and Technology Law

In today’s digital economy, no business is immune from cyberattacks or data breaches. Whether caused by human error, hacking, or insider misuse, a data breach can expose sensitive customer information and trigger significant legal consequences. In South Africa, data breach reporting obligations arise primarily under three central pieces of legislation:

  • the Protection of Personal Information Act 4 of 2013 (POPIA);
  • the Electronic Communications and Transactions Act 25 of 2002 (ECTA); and
  • the Cybercrimes Act 19 of 2020.

Failure to comply with these laws can result in regulatory investigation, heavy fines, and even imprisonment. This article unpacks a business’s breach reporting responsibilities, the statutory requirements, and the penalties for non-compliance.

What Constitutes a “Security Compromise” or Breach?

Under section 22 of POPIA, a “security compromise” occurs when there are reasonable grounds to believe that the integrity or confidentiality of personal information has been compromised through unauthorised access, acquisition, disclosure, or loss.

Typical examples include:

  • hacking or ransomware attacks;
  • theft of devices containing personal data;
  • accidental disclosure of client information; or
  • unauthorised internal access to personal data.

Importantly, the test is not certainty but “reasonable grounds to believe” that a breach has occurred and that the personal information of a data subject has been accessed by an unauthorised person. Certainty is therefore not required; even potential exposure may trigger reporting obligations.

Reporting Obligations under POPIA

Duty to Notify the Information Regulator and Affected Persons

Section 22(1) of POPIA places a clear legal duty on the Responsible Party (the business that determines why and how personal information is processed) to notify both:

  • the Information Regulator; and
  • each affected data subject,

as soon as reasonably possible after discovering the breach.

Many businesses use a third-party processor, such as an IT vendor or payroll company, to manage and process certain personal information on their behalf. Where a business uses an operator (such as a third-party IT vendor), section 21(2) requires the operator to notify the business immediately upon becoming aware of a possible compromise. The responsibility, however, remains with the Responsible Party (the business that ultimately determines the purpose of and means for processing personal information).

Form and Content of the Notification

According to section 22(5), the notification must include:

  • a description of the nature of the compromise;
  • details of the personal information affected;
  • the possible consequences of the breach;
  • the measures taken or proposed to address it; and
  • recommendations for data subjects to mitigate potential harm.

The Information Regulator may direct that the notice be given in a particular form, or even be made public if deemed necessary to protect other data subjects.

Timing of the Notification

While POPIA does not prescribe a fixed deadline, section 22(1) requires that notification occur “as soon as reasonably possible”. Businesses may delay reporting only if immediate disclosure would prejudice a criminal investigation (for instance, where SAPS or the Hawks are involved).

Penalties and Consequences under POPIA

Failure by a business to notify the Information Regulator and affected data subjects as soon as reasonably possible after discovering a security compromise, as required by section 22 of POPIA, can amount to non-compliance with POPIA obligations, which may constitute an “interference with the protection of personal information” (section 73), enabling the Regulator to issue an enforcement notice in terms of section 95.

A responsible party that fails to comply with such an enforcement notice commits an offence under section 103(1). The penalties for offences under the Act are set out in section 107 (which distinguishes between offences attracting higher and lower maximum sentences), and the Regulator may also impose administrative fines under section 109 (subject to the Act’s safeguards, including limits where criminal prosecution is pursued).

Additionally, section 99 establishes a civil remedy allowing affected data subjects to claim compensation for damages suffered as a result of non-compliance.

ECTA’s Role in Electronic Security

The Electronic Communications and Transactions Act 25 of 2002 (ECTA) was South Africa’s first comprehensive cyber law legislation. ECTA contained offences dealing with unauthorised access, interception and interference with data. However, the relevant sections of ECTA (sections 85–88) were repealed with effect from 1 December 2021, and those substantive cyber offences were consolidated and modernised under the Cybercrimes Act 19 of 2020.

Today, unlawful access, unlawful interception, unlawful interference and related cyber offences are prosecuted under the Cybercrimes Act (not ECTA), in particular under section 2 (unlawful access), section 3 (unlawful interception of data), section 4 (unlawful acts in respect of software or hardware tools) and section 5 (unlawful interference with data or computer programs).

Businesses must therefore look to the Cybercrimes Act for criminal liability and reporting duties relating to unauthorised access to, or interference with, computer systems.

Cybersecurity Duties under the Cybercrimes Act 19 of 2020 for Electronic Communications Service Providers and Financial Institutions

While POPIA focuses on the protection of personal information, the Cybercrimes Act 19 of 2020 addresses unlawful computer activity and the obligation to report cyber offences.

1. Duty to Report Cyber Offences

Under section 54(1), an Electronic Communications Service Provider (ECSP) or a financial institution (as defined in the Financial Sector Regulation Act 9 of 2017) that becomes aware of a cybercrime such as unauthorised access, interception, or interference with data must report the offence to SAPS within 72 hours. It must also preserve any information that could assist in the investigation. Failure to comply with this duty is an offence under section 54(3), punishable by a fine of up to R50 000.

2. Penalties for Cyber Offences

The Cybercrimes Act criminalises various forms of cyber misconduct, including:

  • unlawful access to data (section 2);
  • unlawful interception of data (section 3);
  • unlawful interference with data or computer programs (section 5);
  • unlawful interference with a computer data storage medium or computer system (section 6); and
  • cyber fraud, forgery, and extortion (sections 8 to 10).

For businesses, this means that any breach involving unauthorised access to or manipulation of computer data may not only trigger POPIA reporting but could also, under certain circumstances, amount to a criminal offence under the Cybercrimes Act.

Dual Obligation for Businesses

Given the interplay between these three statutes, the obligations owed to clients as data subjects, and the duties imposed by the legislation, businesses should adopt a proactive compliance strategy:

  • Appoint and register an Information Officer with the Information Regulator, in terms of section 55 of POPIA.
  • Implement a data breach response plan, specifying internal escalation, investigation, and external reporting procedures.
  • Train staff to identify and respond to data incidents.
  • Conclude written operator agreements that reflect the security and reporting duties required by POPIA.
  • Engage cybersecurity experts to test and improve your data protection measures.
  • Maintain an incident log and preserve all evidence of any compromise for potential reporting under both POPIA and the Cybercrimes Act.

Conclusion

For businesses, the consequences of a cyber-attack extend far beyond the initial breach. A business faces a dual liability: first, it may be held accountable to the data subjects (its clients or customers) for any harm resulting from the compromise of their personal information; second, it must fulfil its reporting and compliance obligations under POPIA and the Cybercrimes Act.

Under section 22 of POPIA, any security compromise must be reported promptly to the Information Regulator and affected data subjects. Similarly, the Cybercrimes Act imposes duties on electronic communications service providers and financial institutions to notify the South African Police Service of cyber offences, with strict timeframes to ensure timely action.

In today’s digital economy, where trust is a key driver of business success, managing the aftermath of a cyber incident requires more than remediation; it demands proactive governance, timely reporting, and diligent adherence to legal obligations.

For South African businesses, compliance with POPIA and the Cybercrimes Act is not optional; it is a requirement for reputation, customer confidence, and sustainable growth. Contact an expert at SchoemanLaw Inc for advice, support or assistance today.

https://schoemanlaw.co.za/our-services/technology-law-smart-contracts-and-cyber-law/

Nicolene Schoeman-Louw | SchoemanLaw Inc
Commercial Law, Technology Law and Contract Legal Specialist
