Anthem, the U.S.-based medical insurance and health care company with a reported turnover of $80 billion and a net income of $2.26 billion in 2016, has now made history, but for the wrong reasons.
Anthem has been the subject of contentious litigation in the past two years over a hack of its data in 2015. The breach compromised the personal information of 79 million customers.
Anthem said in February 2015 that an unknown hacker had accessed a database containing personal information, including names, birthdays, social security numbers, addresses, email addresses and employment and income information. As a result, more than 100 lawsuits were filed by victims against Anthem over the breach, which were eventually consolidated into class action lawsuits.
Anthem has now (as at 26 June 2017) agreed to pay $115 million to settle the class-action lawsuit, the biggest settlement in history for a data breach case.
“We are very satisfied that the settlement is a great result for those affected and look forward to working through the settlement approval process,” Andrew Friedman, a lawyer for the victims, said in a statement.
Anthem also issued a statement saying, “…we are pleased to be putting this litigation behind us…”
The breach is one of a series of high-profile data breaches that resulted in losses of millions of dollars to U.S. companies in recent years, such as Target Corp, which agreed to pay $18.5 million to settle claims by 47 states in May, and Home Depot Inc, which agreed to pay at least $19.5 million to consumers in 2016.
This settlement and the recent ones like it provide South African-based companies in major industries such as insurance, medical, financial (including credit bureaus) and the like with forewarning of the potential risks they face from data breaches.
Although we still await the publication of the regulations to the Protection of Personal Information Act (“POPIA”) and the effective date of commencement of the Act, we do know that data breaches are catered for in the Act and that severe obligations and penalties are assigned to organisations that have failed to prevent such breaches or to take adequate measures to prevent them.
Avoiding a breach is about ensuring the conditions of POPIA are adhered to. This can only be done through thorough systems analysis and by incorporating planned solutions into the organisation.
There are certain actions an organisation must take. Briefly, these are:
- The mandatory notification of a data breach
The regulator and identifiable data subjects must be informed where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. The regulator may direct that a data breach is publicised if there are reasonable grounds to believe that publicity would protect a data subject who may be affected.
- Ensure a clean database. In other words, a spring cleaning of all databases must occur.
- A database’s origins must be verified and all information available for inspection must be on hand.
- Adequate consents must be provided by data subjects before the database is compiled.
- Personal information must be collected directly from the data subject, who must be fully aware of the purpose and scope for which his/her personal information is being used and stored (including who will access it).
- The data subject must also consent to how information will be processed.
Furthermore, Section 19(2) of POPIA requires companies to engage in ongoing processes to:
- Identify all reasonably foreseeable internal and external risks
- Establish and maintain appropriate safeguards against the risks identified
- Regularly verify that the safeguards are effectively implemented to ensure the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards
If the above is not daunting enough, when organisations are found ‘wanting’ in their POPIA compliance, there are immense repercussions besides reputational damage. These are:
- Fines (no limit set)
- Prison sentences up to 12 months or 10 years
- Both a fine and imprisonment
- Fines up to R10 000 000 (higher than the maximum fines in the UK and Europe)
- Stopping an organisation from processing personal information. This would be the most debilitating to any organisation.
- Civil actions (like we have seen with Anthem and others). Apart from the enforcement mechanisms above, data subjects, or the Regulator on behalf of data subjects, can bring significant damages claims for the data breach.
If you belong to an organisation and are concerned about your company’s compliance with POPIA, especially in light of the prevalence of data breaches, and you want to take practical steps to reduce your exposure, we welcome you to talk to our Data Protection Legal Team.