After Tuesday’s revelations that anyone could access accounts belonging to other individuals and businesses thanks to a large security hole in the City of Johannesburg’s online billing system, it should be no surprise that the legal shenanigans have been fixed before the fault is repaired. According to a statement on its website, the city has rewarded concerned citizens who highlighted an error that allowed Google to spider invoices by inviting the police to investigate them.
Legal eagle and friend of htxt.africa Paul Jacobson of Web.Tech.Law tweeted in response: “The response to revelations of its shoddy website security highlights underlying problematic attitudes that led to this.” He says that there may be the very slimmest possibility of a case under the Electronic Communications and Transactions Act, if it could be proven that a security measure was deliberately circumvented. That’s unlikely because the invoices were being indexed by Google, and therefore clearly visible on the public internet.
SANRAL has also added its voice to those calling for punitive measures against those who discovered the flaw and tried to bring it to the city’s attention before going public. One of the files that was viewable by the public showed it owes the city R55 000.
All well and good, but our inquisitive minds want to know more about the other legal case which could be brought here: a class action against the City for allowing a security flaw which has opened up any citizen or business who holds an account to the chance of identity fraud. We asked lecturer in mercantile law at the University of Pretoria, Sylvia Papadopoulos, what the chances of it happening are.
“The possible ramifications of such a breach in data security are enormous,” Papadopoulos explains. “There are two or three possible avenues open for parties affected by the data breach.
“The best option is that in South African law the right to privacy is protected in terms of both our common law and section 14 of the Constitution and it is recognized as an independent valuable personality right,” she continues. “Therefore any action in this sphere of the law is a synthesized action based on both the common law and constitutional law principles. The recognition of a right to privacy is also extended to commercial entities. In principle a party (class action for damages) would have to prove: that there was a disclosure of private information, i.e. a breach of privacy; that the breach was unlawful/wrong/unjustifiable and due to negligence on the part of the party you want to hold liable; that their actions/inaction caused damage; and finally you have to prove the amount of damage suffered.
“The only possible issue here is showing that actual damage occurred.”
So far, no-one other than SANRAL has come forward to say they’ve been negatively affected by the data leak, but given the large volume of commercial accounts showing outstanding bills of hundreds of thousands of Rand, it is surely just a matter of time.