TransUnion Data Breach - Information Regulator's Dissatisfaction

By Sashin Naidoo - Senior Associate at JR Attorneys Inc.

On 18 March 2022 TransUnion, a self-described “global information and insights company”1 and credit bureau, announced a security compromise of its IT systems through an online hack which has since seen approximately 4 terabytes of data (some 54 million records) of personal information compromised, together with a demand for payment of a ransom of R220 million.2

According to the credit bureau, forensic investigations are already under way, access has been suspended for those of its customers whose accounts were compromised, and cyber and forensic experts have been consulted, although this will be of little comfort to those of us whose data and personal information have now been placed in the hands of nefarious individuals.3

TransUnion has further undertaken to provide free “identity protection products” to all those affected by the breach and/or security compromise, and to notify those individuals whose data has been compromised as and when its investigation, in collaboration with the SAPS, unfolds.4

On 19 March 2022 our Information Regulator, custodian of the Protection of Personal Information Act, 4 of 2013 (“POPIA”), released a statement informing the public that the office of the Regulator had met with the CEO of TransUnion to discuss the mass-scale security compromise of credit consumer data. The Regulator stressed “the need for affected data subjects to be informed early about any security compromise on their personal information to be able to take the necessary preventative action against wrongful use of their personal information”.5

Recognising the enormity of the impact which the security compromise could have on data subjects should TransUnion fail to apprise all affected data subjects of it, the Regulator instructed TransUnion to submit specific details to its office regarding the number of affected parties as well as its plan to notify data subjects in terms of Section 22 of POPIA.6

TransUnion was given until 22 March 2022 to provide the following information to the Regulator:

  • the date that the security compromise occurred;

  • the cause of the security compromise;

  • details of investigations into the security compromise;

  • the extent and materiality of the security compromise;

  • interim measures put in place to prevent a recurrence of the security compromise; and

  • security measures that TransUnion Credit Bureau has put in place to prevent a recurrence of the security compromise.7

This information was to be used by the Information Regulator to assess the compromise and to institute any further investigation in pursuit of its mandate under POPIA.

Section 22 of POPIA reads as follows:

  “(1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
    (a) the Regulator; and
    (b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established. . .

  (4) The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
    (a) Mailed to the data subject’s last known physical or postal address;
    (b) sent by e-mail to the data subject’s last known e-mail address;
    (c) placed in a prominent position on the website of the responsible party;
    (d) published in the news media; or
    (e) as may be directed by the Regulator.

  (5) The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
    (a) a description of the possible consequences of the security compromise;
    (b) a description of the measures that the responsible party intends to take or has taken to address the security compromise;
    (c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
    (d) if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

  (6) The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.”8 [emphasis added]

 

It is clear from the above provisions of POPIA that the Information Regulator has been afforded wide discretionary powers to ensure that those affected by any compromise of the security of their personal information, entrusted to responsible parties, are adequately notified when such compromises occur.

It is further evident that this notice serves to enable a data subject to mitigate any potential adverse impacts associated with the breach and the unauthorised use of their personal information.

On 25 March 2022 the Information Regulator released a media statement in which it voiced its discontent with the measures and responses adopted by TransUnion. The Regulator took issue, chiefly, with the notification submitted by TransUnion as required under Section 22(1) of POPIA.9

In accordance with Sections 22(4)(e) and 22(6) the Regulator has now directed TransUnion to provide it with the following outstanding information:

TransUnion was further directed to “use all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise”.10

8. Section 22(1), (4), (5) and (6) of the Protection of Personal Information Act, 4 of 2013.

9. Office of the Information Regulator (South Africa), “Media statement: The Regulator is dissatisfied with TransUnion’s response, and it initiates an assessment on the security compromise” (25 March 2022).

Interestingly, despite seemingly having the election to use any one of the means of communication under Section 22(4) of POPIA, the credit bureau was directed to use all of the methods established thereunder, and was further directed to use radio and social media platforms in all official languages, as the means by which to effect its notice in terms of Section 22(1) of POPIA.

The reasoning behind this direction lies in the nature of the personal information which has been compromised, the contents of the credit bureau’s security compromise notification, and the extent and severity of the security compromise.

The Information Regulator undoubtedly considered the fact that the credit bureau holds, and is responsible for, the personal information of everyday South Africans, some of whom may have access to only limited means of communication through which the requisite notification can be effected.

The means of communication which the credit bureau has been directed to use are broad and will surely incur a great expense of time, effort and money; however, it is clear from the Information Regulator’s direction that this was not a consideration. The primary focus appears to be to ensure adequate notification of all data subjects impacted by the security compromise.

Section 22 is further silent on whether such a directive must take into account the ability of the responsible party to give effect to it, or whether the directive must be reasonably practicable.

It would appear, then, that the Regulator may have acted within the ambit of the powers accorded to it under Section 22 of POPIA, notwithstanding any review of that administrative decision which may find its way to our courts.

This then serves as a caution to all those who process the personal information of data subjects, and more specifically to those who process “big data”. The cost of a security compromise under POPIA may be a harsh one to bear, but the rights of the data subject remain the key priority of our regulatory authority.

This story has not been finalised and is still unfolding, and we await any further action by both the Information Regulator and TransUnion in this regard.

Sashin Naidoo (BA Law, LLB) is a Senior Associate at JR Attorneys Inc.
