CyberBRICS

Securing South Africa’s elections through Popia and the Cybercrimes Act

By Sizwe Snail ka Mtuze, Lucien Pierce, Melody Musoni and Carl Heinz Uys

As South Africa and other African countries prepare for elections in 2024, cybersecurity and the protection of personal data must be prioritised. The stakes are high.

Cybersecurity breaches and incidents within government and its related agencies have been coming thick and fast. Cybersecurity is integral to our lives as most information that we generate, store and share is on digital platforms today – and will be for years.

As a result, digital platforms and information within the platforms have become important and valuable assets within society. With this understanding, cybersecurity for digital platforms, the ecosystems where these platforms are found, the people who use these platforms and the laws of any country, should be among the most important functions for any public and private organisation and for any individual.

A key factor that highlights the importance of cybersecurity is the high level of commercial and social crime that takes place online (cybercrime) within South Africa and throughout the world. 

Such crimes are executed by bad actors who target digital ecosystems, mostly for financial gain.

Sometimes these crimes are also enabled by error, as a result of a lack of awareness, training and standard operating procedures, and also because organisations have not transformed their company structures to include cybersecurity roles at all levels.

Cybercrime is also prevalent because organisations spend very few resources on embracing technology to solve problems. For example, any public sector or private sector organisation that houses private and sensitive information of its employees, contractors, partners, customers and any other third party should have in place a working privacy protection solution.

This solution should be made up of the right technology platform that will be proactive in detecting and preventing misuse, and safeguarding private and sensitive information. 

Recent data breaches

It is concerning that at the eleventh hour of our sixth democratic election, there have been various data breaches involving government bodies and state organs. In early 2024, the Companies and Intellectual Property Commission (CIPC) experienced a security breach.

Recently, we saw both the Electoral Commission of SA (IEC) and the Government Pensions Administration Agency (GPAA) being compromised in March 2024.

The Information Regulator confirmed on 11 February 2024 that it received two notifications from the IEC regarding a “security compromise” that led to the release of the 2024 elections candidate lists for the ANC and MK parties.

At the time, it was unclear if the candidate list data was compromised through a hack or by more physical means. What the Information Regulator established is that an “unauthorised person” gained access to the lists prior to distributing them on social media.

Based on the lessons we learnt from the Cambridge Analytica breach and the Edward Snowden revelations, we need to be aware of the implications of the IEC breach.

Cybersecurity threats targeting the IEC and electoral processes pose significant risks to democracy and fundamental freedoms. 

Certain pressing questions linger: do we as South African citizens have the assurance that we are shielded from cybersecurity breaches in our electoral process? If so, to what extent are we protected and what are the implications of the IEC breach incident on our democratic machinery?

We also cannot help wondering whether there have been previous cybersecurity breaches that were not reported, as the Protection of Personal Information Act (Popia) was not law at the time.

Popia came into law with eight conditions for lawful processing of personal information. Popia also emphasises that processing personal information without any lawful basis is illegal.

An unauthorised bad actor would never have a lawful basis to access personal information and their actions would be unlawful (“access” falls within the definition of processing).

Of course, it is not just the bad actor’s act of accessing the personal information which is unlawful, but also the actions or inaction of the person who is responsible for ensuring the confidentiality of the information.

Essentially, the responsible party must take measures to “secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information” (Section 19(1) of Popia).

In instances such as the CIPC, GPAA and IEC compromises, what would constitute “appropriate, reasonable, technical and organisational measures”?

We don’t know much about how the CIPC and GPAA compromises occurred (it could well be that these were “zero-day” attack methods against which these organisations would have been helpless), but there is a little more information from the IEC on its compromise.

We now know that an IEC official’s computer workstation was used to generate and store the reports. We do not know how the reports were disseminated. The important question is: did the IEC have sufficient organisational measures in place to prevent the unlawful dissemination?

What data loss prevention measures did it put in place? Did it scan outgoing emails; did it prevent the use of portable flash drives; did it limit access to sensitive folders to only those who were authorised; did it implement measures to prevent information from being uploaded to the cloud?

These are questions the Information Regulator is going to want answers to, as is evident from the media release it put out on 11 March 2024.

The Cybercrimes Act prohibits the unlawful accessing and interception of data. It seems, from what we know, that the official (who at the time of writing had just been dismissed) is also going to be on the hook for unlawfully and intentionally intercepting data.

Intercepting data includes “the acquisition, viewing, capturing or copying of data of a non-public nature through the use of a hardware or software tool… so as to make some or all of the data available to a person, other than the lawful owner or holder of the data”.

It appears, therefore, that not only will the implicated official have lost their job, but they’re likely to also be prosecuted for contravening the Cybercrimes Act.

What organisations should have in place

In alignment with Popia, organisations must implement rigorous and reasonable security measures designed to safeguard personal information against loss, damage or unauthorised access. These measures should reflect the diverse risks associated with data processing and the commitment to the privacy and protection of our personal information that the organisation processes.

By continually evaluating and enhancing security practices, organisations must ensure the integrity and confidentiality of personal data, underscoring the need to uphold the highest standards of data protection and privacy. A few of the key technical considerations should include implementation of data loss prevention, incident response plans and employee training.

Conclusion

Under Popia, “reasonable security measures” refer to the appropriate and diligent steps organisations must take to prevent the loss of, damage to or unauthorised access to personal information.

These measures are tailored to the organisation’s specific needs, the nature of the data it handles and the potential risks associated with data processing. 

Implementing such measures ensures that organisations uphold the integrity and confidentiality of personal information, demonstrating their commitment to the protection of data subjects’ privacy rights.

As South Africa and other African countries prepare for elections in 2024, it is imperative that cybersecurity and protection of personal data are prioritised. The stakes are high.

The IEC data breach may potentially erode public trust in the electoral system and voters may perceive that their personal data is not secure and may lose confidence in the transparency of the electoral process.

While the Information Regulator can play a critical role in dealing with the unlawful processing of personal data, the South African government and the IEC need to act fast, do damage control, and restore people’s confidence ahead of the elections. DM

Disclaimer: This essay was originally published by The Daily Maverick