Provided By LSSA

Business eMail compromises (BECs) are a form of cybercrime where electronic communications are accessed, monitored and at appropriate times intercepted and replaced with eMails that are so similar to eMails that may be expected by the recipient that they deceive the recipient into accepting the trustworthiness and integrity of the eMail and acting thereon. Typically, the interception occurs when a payment is to be made and the bank account into which the payment is to be made reflected in the fraudulent communication is a bank account under the control of the criminals.

While attorneys have been victims of this fraud, this advisory is aimed at attorneys ensuring that their clients are aware of the risk of a potential fraud with a view to their not falling victims to the fraud. While there will be further information security relating to BECs that will be provided to attorneys by the LSSA in the future, this advisory is aimed primarily at attorneys’ fulfilling their duty of care to clients by making them aware of the potential risk.

It is suggested that in all instances where clients may be required to make payment to an attorney that on initially engaging with the client and wherever appropriate in subsequent communications (whether by letter or eMail) the first paragraph in the communication, emphasised in bold, contains the following wording (or similar wording) alerting the client to BECs:

“Criminal syndicates may attempt to induce you to make payments due to [firm’s name] into bank accounts which do not belong to the firm and are controlled by criminals. These frauds are typically perpetrated using eMails or letters that appear materially identical to letters or eMails that may be sent to you by [firm’s name]. Please take proper care in checking that these eMails do emanate from [firm’s name].

Before making any payment to [firm’s name] please ensure that you verify that the account into which payment will be made is a legitimate bank account of [firm’s name].

If you are not certain of the correctness of the bank account you may contact [firm’s name] and request to speak to the person attending to your matter. They will assist you in confirming the correct bank details.

[Firm’s name] will not advise of any change in bank details by way of an eMail or other electronic communication. If you should receive any communication of this nature please report it to the person attending to your matter.”

In light of the increase in the prevalence of this type of fraud it is strongly suggested that this or similar wording in instances where banking transactions of high value may be performed (for instance conveyancing matters) that this wording appears on all communications to clients and is prominently displayed at the beginning of the communication.

It is also suggested that a similar notice appears in a prominent place on attorneys’ websites or other mechanisms that it uses to communicate with clients.

The recent cyber-attack and holding hostage of a South African insurance provider’s IT infrastructure has drawn attention to the dire need for effective protection of consumer data. While the company asserts that no financial losses have been encountered by any of its policy holders, it cannot currently confirm the volume of data and number of individuals that have been affected by this data breach.

Any organisation that handles consumer information will be significantly impacted by the introduction of data protection legislation. The Protection of Personal Information Act(POPI), which is expected to come into effect in 2018, prescribes how personal information may be stored, transferred and destroyed.

“All public and private entities will be required to comply with the legal obligations under POPIA,” says Billy Last, CEO of LexisNexis South Africa. “Non-compliance will result in severe penalties, fines and imprisonment in addition to reputational damage.”

Companies need to prioritise the enhancement of data security, the updating of vendor contracts and safeguarding trans-border flow of information. Entities will need to appoint an Information Officer and gain an understanding of the duties of the responsible party and the rights of the data subject, including how to be prepared and manage a data breach.

The Information Regulator has been established and the draft regulations for POPIA published. Following the implementation of the Act, a grace period allows companies the necessary time to ensure that their systems are compliant and meet the requirements.

“It is important that companies do not wait until the grace period is over to make the necessary changes – in fact they should start now even before the Act is promulgated,” says Last. “The Act will also oblige companies to report data breaches and detail their strategy for rectifying same.”

Last said the newly released book, A Commentary on the Protection of Personal Information Act, examines the eight conditions of lawful processing, the difference between personal and special personal information and the exemptions, exceptions and exclusions as set out in the Act.

The authors set out the powers of the Information Regulator and possible fines, compensation and damages and cover the impact of the POPI Act on several important issues including employment law; non-automated and automated decision-making; outsourcing of processing; marketing and direct marketing; credit reporting and the Internet.

“This is the first South African publication that covers the requirements for compliance to the General Data Protection Regulation (GDPR) which came into force on 25 May 2018, linking the POPI Act to these compliance obligations and has application to SA companies,” says co-author Ahmore-Burger Smidt. “Companies that offer goods or services to people in the European Union (EU), or monitor the behavior of people in the EU, will have to comply with the GDPR.”

POPI will bring South Africa in line with international data protection standards. It is widely accepted that the European Union has been at the forefront of the development of the framework for the protection of personal information. It is for this reason that the authors of A Commentary on the Protection of Personal Information Act have relied extensively on the General Data Protection Regulation (GDPR) to provide guidance on how POPI is likely to be implemented.