On Tuesday 28 January the South African Insurance Crime Bureau (SAICB) held a breakfast seminar on white collar crime and protection of personal information.
The speakers from Norton Rose Fulbright were: Marelise van der Westhuizen, Head of Regulation and Investigation in Africa; André Vos, Head of Business Ethics and Anti-Corruption in Africa; Nerushka Deosaran, Specialist on the Protection of Personal Information Act (POPI); Anton du Randt, Director, Professional Liability and Construction with specialist skills and an interest in Insurance, Business Ethics and Anti-Corruption; Rohan Isaacs, Director of Information and Communications Technology; and Wil Huang, Associate in Litigation and Dispute Resolution.
Get your house in order – POPI’s coming
“Information is money,” said Isaacs, and insurers have large amounts of data. Isaacs predicts that POPI will come into effect in the second half of the year, and POPI will affect the insurance industry as it affects all persons who process the personal information of others. He said that one of the requirements of POPI is that the information should be used for the purposes for which it was obtained.
Deosaran elaborated on the importance of consent. She said that the Act has not been enforced yet, but when it is, companies will be given a year to comply. They will then need to:
- Get a policy in place and identify all foreseeable internal and external risks;
- Develop safeguards against perceived risks;
- Have the regulator verify that safeguards have been implemented;
- Update the safeguards in response to new risks; and
- Follow the generally accepted information security practices and procedures.
She said that staff will have to be trained, and in the case of a breach, the following steps must be taken:
- Notify the regulator;
- Notify the affected data subject;
- Guard against reputation risk.
She said that most people outsource their IT services, so businesses must make sure that their IT agreements protect them, because in the case of a breach, the onus of responsibility rests on the business, not on the outsourced service providers. Businesses will need to set a PR and legal plan of action in the case of a breach.
Isaacs said the regulator will have a wide power of investigation, and can issue enforcement notices following a security breach. Failure to comply will result in imprisonment or a hefty fee.
So what should we do differently?
Isaacs said, “Comply with all the rules, review or audit the current data security practice and standards, and draft a privacy policy and rules for handling information.”
On the issue of cyber crime, Deosaran said the World Economic Forum has reported that if businesses don’t pull up their socks, the world will lose $3 trillion in cyber crime.
She said that South Africa is the third worst country for cyber crime, after Russia and China, having shifted from twelfth to third place on Lloyd’s 2013 Global Risk Index. South Africa is one of the top three locations worldwide for phishing scams.
“Data is a company’s asset,” she said, “POPI forces companies to look after the asset better.”
SA Laws and international context
Vos explained some of the common white collar crime terminology.
Racketeering is two or more offenses over 10 years that form a pattern, for example fraud, forgery, corruption, etc. Money laundering is an activity which conceals the nature, source, location and cause of money use. Vos explained that the difference between money laundering and terror funding is that in the first, the source of the money is always concealed, whereas with the latter, the source can be transparent but the application of funds is suspect. Corruption is the gratification to do something wrong, and here he distinguished between active and passive corruption, doing something wrong and allowing something wrong to be done by saying nothing. Section 34 of the Corruption Act states, if a reasonable person of authority comes to know of white collar offenses, the person must report these offenses to the police.
During the panel discussion members of the audience said that the process of reporting is arduous and time-consuming. SAICB Director Michiel Nel said the SAICB recognises that reporting the crimes creates practical problems, and the SAICB has dedicated people in the South African Police Service to help insurance companies with the process.
Huang said, “Insurance crimes do not only relate to insurers and third party,” in his discussion on the international context to the local statutory regime. He said that compliance with local and international standards is necessary and the focus of local authorities and regulators should be on whether anti-bribery and anti-corruption standards are comparable to international standards.
Nel said that white collar is not a victimless crime. He cited the 7 July 2005 (7/7) London Underground bombings as an example where insurance crime was used to support a terrorist cell. The SAICB’s role is to create awareness about organised crime and the impact it has on the community at large, and on insurance companies in particular.