The rise of the FinTech industry may herald a significant upheaval to the financial services industry, and significant opportunities (and risks) await those who wish to participate. Novel data processing techniques are a key aspect of many FinTech businesses and with such a rapid pace of innovation, there is a concomitant rise in the risk of data breaches. It is vital for FinTech companies to be aware of their obligations in the event of a data breach.

Obligations in respect to data breaches

The Protection of Information Act, 2013 (POPI) requires you to (1) secure the integrity and confidentiality of personal information to prevent unlawful access to personal information, and (2) to follow the prescribed notification procedures in the event of a data breach.

If there are "reasonable grounds" to believe that the personal information of a data subject (which may include clients, suppliers or employees) has been compromised, the responsible party (i.e. the person who determines the purpose and means of processing personal information) will need to immediately notify the Information Regulator and, unless directed otherwise by law enforcement or the Information Regulator, the affected data subjects.

You must notify the Information Regulator and the affected data subjects as soon as reasonably possible, taking into account any measure reasonably necessary to determine the scope of the data breach and to restore the integrity of your information system. Failing to notify the Information Regulator and affected data subjects may result in significant penalties and reputational harm.

What if I fail to notify the data subjects (timeously, or at all)?

TalkTalk, the United Kingdom-based telecommunications company, inadvertently revealed customer information to the public as a consequence of an error in its customer password reset facility on its website. Despite a customer notifying TalkTalk of this error, TalkTalk took almost two weeks to formally notify the regulator of the data breach (despite being required to do so within 24 hours). As a consequence, the regulator imposed a fine of approximately GBP 400,000 on TalkTalk.

Arguably, a greater consequence of a data breach is the resultant reputational harm that may be suffered by a company. In the case of TalkTalk, share prices fell by 20% in the weeks following the data breach. It lost approximately 101,000 customers and saw massive declines in its pre-tax profits within a year of the data breach. In the case of Wonga (a 'pay-day' loan provider that suffered a data breach in which the personal information of approximately 270,000 of its customers may have been illegally accessed), Wonga saw its buzz score (which reflects the positive and negative word of mouth surrounding the brand) decrease from -47 to -54 in the aftermath of a data breach in April 2017. Given the nature of the services provided by FinTech companies, the reputation of a company (including the trust of consumers in that company) is key to achieving success in a competitive market.

It does appear, however, that the management of the breach rather than the breach itself is the key determinant in the damage suffered by the brand. A data breach can be a public relations disaster, with companies recognising the breach too late and responding inadequately, resulting in public outrage. Prompt and appropriate action is pivotal immediately following a data breach in order to mitigate reputational harm. In this regard it may be beneficial to have a response plan in place to address both the technical and public aspects of the crisis.

Penalties under POPI

Where you contravene POPIs notification or processing of personal information requirements, you may face a number of penalties (in addition to the significant reputational harm suffered by entities such as Wonga and TalkTalk). These penalties include:

• administrative fees not exceeding ZAR 10 million;
• civil liability for any damages resulting from its failure to comply with its obligations under POPI, whether or not the party acted with intention or negligence; and/or
• a fine and/or imprisonment up to 10 years (where the responsible party fails to adhere to an enforcement notice or processes personal information in contravention of POPI).

Conclusion

Given the nature of their business, FinTech companies must be careful to guard against data breaches and comply with all legislation. However, when data breaches do occur, the manner in which a company interacts with consumers and the media may prove to be decisive. Prompt and clear communication to regulators and customers is key to minimise damage to a company's reputation.