Says Greg Gatherer, Head of Strategic Accounts at Striata, “South Africa is way past the initial wave of organizations establishing electronic communication channels with their customers, turning off print correspondence and reaping the cost savings. Now these same organizations need to review the security of the information they are emailing to their customers, to ensure that their customer data is fully protected.”
No password protection = weak document security
According to Gatherer, it is highly concerning that the mobile industry in South Africa sends millions of customer statements and invoices by email with no password protection. “The mobile network operators implemented email billing years ago with simple document encryption. This only makes the document tamper-proof and compliant with SARS’ electronic invoicing requirements. If that document is stolen in transit, or accessed illegally at any number of hops during delivery, the personal information inside the document is wide open.”
Although SA banks are at the forefront of customer service on digital channels, the security of the documents they email to customers can still be improved. Says Gatherer, “In order to adequately protect personal information contained in an electronic document, an organization needs to use multi-factor security: this means a combination of encryption, strong passwords, digital certificates and the most crucial element – sustained customer education.”
“It only takes one industrious cyber-criminal or disgruntled employee to gain access to weakly protected documents containing personal information. Decision makers in large organizations are gambling with their business reputation by implementing only the bare minimum in electronic document protection. Organizations that have not done everything in their power to protect that information may suffer massive damage to their reputation and business confidence.”
Get your act together before PoPI is in play
While the Protection of Personal Information (PoPI) Act quantifies what a data breach will cost an organization (up to R10-million in fines and possible jail sentences), Gatherer says the financial knock-on effect for the business and the affected data subjects will be much more than that. And once the Regulator is appointed and the Act becomes enforceable, he points out that those organizations with relaxed document security are at risk of being on the wrong side of the first civil class action.
“Now is the time for organizations to upgrade the security of their electronic documents, before the Act is fully in play and before they suffer a major data breach. It is no longer acceptable for reputable brands to email documents containing personal or confidential information without using the best document security available.”
Gatherer also encourages organizations that utilize a third-party vendor or application to commission an independent review of the security of the electronic documents they send out. “If your customers are trusting you to protect their personal information, then you need to be 100% sure your document security is not vulnerable. As the leading email billing provider with a significant footprint in South Africa, we advocate the implementation of tighter electronic document security across the industry,” says Gatherer.