The role of directors in the age of cybercrime

The role of directors in the age of cybercrime
02 Dec 2019

The exponential development of technology in recent years has meant that cybercrimes are no longer just an occurrence in Hollywood movies. South Africans have been the victims of numerous cyber-breaches exposing their personal information as was the case with the data leak of real estate company Jigsaw Holdings in 2017. Known to be the largest data leak in the history of the country, the incident occurred when 60 million South Africans’ ID numbers, phone numbers and estimated incomes were uploaded by mistake onto the company’s unsecured and publicly accessible server. Although this seems shocking, internationally, the risk is just as realistic. In 2018, the Indian government’s ID database called “Aadhaar” (meaning foundation) saw the records of all 1.1 billion registered citizens compromised after being a victim of breaches.

The right to privacy in South Africa is protected under Section 14 of the Constitution with particular mention of the right to not have the privacy of one’s communications infringed. Cyber-breaches mainly compromise this invaluable right through either unlawfully retaining, recording or sharing one’s personal information.


The Protection of Personal Information Act (PoPIA) was designed to help protect this right through allowing for the establishment of an Information Regulator and also minimum requirements to be satisfied when processing personal information. Under the Act, Condition 7 stipulates that a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable measures to prevent loss, damage or unlawful access to such personal information.

In the case of directors, the link can easily be made between a ‘responsible party’ as stipulated above and a director who acts as an extension of such a ‘responsible party’. In this regard, included in the normal scope of directors’ duties would be the addition of ensuring the safety of any personal or sensitive information obtained.

Section 76(3) of the Companies Act states that a director, when acting in his/her capacity, must do so in good faith and with the degree of care, skill and diligence that may be reasonably expected of someone in his/her position acting with the same general knowledge, skill and experience. What this translates to, is that directors have an objective analysis of their work done based on the subjective criteria of someone acting with the same level of skill and intellect as that particular director in question. Failure to act in accordance with this fiduciary duty, a director could even be held personally liable for any damages incurred by the company as a result of his improper actions.

Additionally, in the King IV Report on Corporate Governance of South Africa, 2009, under a guideline of practices to be employed to further the implementation of good governance, Principle 12 recommends that governing bodies of companies ‘exercise ongoing oversight over technology and information management’ to a point that it results in an ‘ethical and responsible usage of technology and information’. In this case, again the usage of the word ‘director’ is not explicitly included, but the report can be integrated into any business model if the assertion of good governance is to be made.


With a combination of these three pieces of legislation, one can easily see the duty directors have in terms of protecting personal information from cybercrimes. When data of this nature is leaked it can be used to commit various forms of fraud with serious financial implications for the victim. As a result, there are also rights to recourse included in PoPIA in order to hold companies and by extension, directors (even though not always directly), liable for reputational or general damages. In certain instances, the penalty can be a fine or a period of imprisonment not exceeding ten years. Penalties can be issued by the Information Regulator or a court of law, and the amount can be determined at the Regulator’s/court’s discretion depending on the facts and seriousness of the matter.

As the world of technology further develops, the means and resources used to conduct cybercrimes will undoubtedly become more accessible. With a growing number of instances of companies selling personal information, tighter legislation will be needed not only to protect consumers but to guide directors as to the scope of their obligations as well.

See also:

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)
Nicolene Schoeman-Louw
Nicolene Schoeman-Louw

Mrs Nicolene Schoeman – Louw founded the firm in 2007, aged 24, and is now the Managing Director of the firm. Nicolene is an admitted Attorney of the High Court of South Africa, Conveyancer, Notary Public and Mediator; with a passion for entrepreneurs and helping them reach their most ambitious goals. She obtained her LLB degree cum laude and successfully completed her LLM degree (dissertation) in commercial law and B-BBEE, both at the University of the Free State. In addition, she obtained her postgraduate diploma in financial planning (CFP) at the University of Stellenbosch. An abstract of her LLM dissertation was published in the Journal for Estate Planning in 2006. Now, she regularly writes for academic publications such as De Rebus (the SA attorneys’ journal) as well as Without Prejudice and (legalbriefs). She also regularly contributes to various online publications such as Spice4Life and other mainstream publications such as The Entrepreneur Magazine, Business Briefs and Personal Finance Magazine (to name a few). For over 7 years she presented The Law Report with Karen Key on SAFM, until the show was cancelled. She currently shares her knowledge regularly on radio 786, RSG and other radio stations. Mrs Schoeman – Louw lectured at the University of the Free State during her studies, presently guest lectures at Stellenbosch Business School and currently presents seminars and workshops on a wide range of legal topics for various organizations such as Bandwidth Barn, UnitedSucces, Cape Chamber of Commerce and Industry and the Business, Retail and Marketing Indabas – to name a few. Mrs Schoeman – Louw has won a number of prestigious awards for her academic achievements. Among others, they include the: Hofmeyr Herbstein Gihwala Inc. Prize; Gildenhuys van der Merwe Prize; Juta Prize; The Bobbert Medal (for obtaining her LLB degree cum laude). Other Awards and achievements: 2012: Finalist in the Professional Category of the Regional Business; Achievers’ Awards (RBAA) – Western Cape; 2013: Finalist as CEO magazine’s Most Influential Women in Government and Business Africa; 2019: Runner-up WOZA Women in Law Awards Corporate Attorney (Practicing); 2019: Finalist Standard Bank Topwomen Awards Top Young Achiever Under 40; Her professional and other affiliations include: Legal Practice Council (Western Cape – member number: 13546); International Institute of Legal Project Management – Legal Project Practitioner (member number: 859); Arbitration Foundation of South Africa (AFSA); UnitedSucces; Women Presidents’ Organization (WPO); Cape Town Attorneys’ Association; Institute of Directors Southern Africa (IODSA): 17476335; Xtraordinary Women (member number: XWCT008); Cape Chamber of Commerce and Industry (member number: 9861); Western Cape Business Opportunities Forum (WECBOF); Mrs Schoeman-Louw has enjoyed the confidence of many successful entrepreneurs (both locally and abroad) over the years and continues to do so. As a trusted advisor she has actively contributed to the successes of many businesses, helped and continues to help many entrepreneurs build lasting legacies.

Send a legal query to Nicolene Schoeman-Louw
Jared Poole
Jared Poole

Jared Poole obtained his LLB degree from the University of the Western Cape in 2017. While at high school Jared held various leadership positions including that of Deputy-Head Prefect. Externally, he served on the Junior City Council of Cape Town where he held the position of Sub-Council Chairperson in addition to that of Speaker of the Executive. Jared was part of the UWC Chapter of the Students for Law and Social Justice (SLSJ) organization whose work during this time included reviews of the LLB curriculum as well as the Court’s distribution of justice during its proceedings. He joined SchoemanLaw Inc as a Candidate Attorney on 1 December 2018. Jared is a driven, ambitious and reliable individual. He believes that no matter how complex your legal needs, the law can always be utilized to bring about harmony.

Send a legal query to Jared Poole

Commercial & Corporate Law articles on GoLegal