In the wake of the recent cyber-attacks on some leading Kenyan businesses, do I have any rights as a customer of the companies, especially if I suffer actual losses due to the attacks?
Dear Andrew, there are very many types of cybercrimes. The defining factor is that it is an attempt to illegally access a computer network for wrong purposes like stealing, distorting or exposing information.
According to www.crowdstrike.com, there are 10 different types of cybercrime, including malware, denial-of-service attacks, phishing, spoofing, identity-based attacks and code injection attacks.
The incidents last week were categorised as denial-of-service attacks where a cybercriminal makes a machine or system temporarily unavailable, disrupting many services.
These types of attacks not only cause business monetary losses and reputational damage but they also expose the customers to a very high risk of data breaches and loss.
Last month, a well-known Kenyan business was allegedly hacked and customer details such as credit card data were published.
The incident spread fear and panic, with many customers wondering if their financial information was secure.
The business in question only issued a social media statement, heavy on public relations, saying: “Our IT team is working on the issue and shall resolve the matter soon.”
The company kept the customers in the dark about what transpired, the risk exposure and what the business entity was doing to secure the customer information.
A speaker at a conference I attended noted that this well-known business had contravened the law based on how it handled the incident. He said the consequences would be grave should the customers sue the company.
The firm was supposed to follow the laid down procedure in the Data Protection Act in managing the breach. According to the general data laws in Kenya, the business should have notified the customers of the breach and provided detailed information on the exposure and remedial actions taken to secure personal data.
Each customer should have received this communication. Additionally, the regulator is supposed to be notified when there is a data breach.
According to the law, the business should have a data compliance certificate and a data breach response plan.
In a data breach incident such as this, the customers may raise a complaint and the business is supposed to follow a laid-out data breach complaints procedure.
As a customer, you have the right to data protection. However, in incidents such as hacking, it may be beyond the company’s control, unless the business itself was negligent in protecting personal data.
The data laws provide that a business should hold a data compliance certificate, awarded only if the regulator is satisfied that rigorous measures are in place to protect the data, for example adequate technological protection and adequate organisational data protection policies.
Where a business has been negligent, you can file a complaint with the Data Protection Office and with the business itself.
In the event of gross negligence in protecting personal data, you can file a successful court claim against the business.
Remember that protection of data is a constitutional right under Article 31 and a statutory right under the data protection laws.