Data security breach: Information Regulator takes action against Department of Justice 

May, 2023 - Ridwaan Boda, Era Gunning, Naledi Ramoabi

On 10 May 2023, the Information Regulator (the “Regulator”), an independent body established to monitor and enforce compliance by public and private bodies with the provisions of the Promotion of Access to Information Act, 2000 and the Protection of Personal Information Act, 2013 (“POPIA”), announced that it had issued an Enforcement Notice to the Department of Justice and Constitutional Development (the “Department”) in terms of POPIA on 9 May 2023.

In September 2021 the Department suffered a security compromise as a result of security weaknesses in its IT systems. During that month, the Department's systems were unavailable to its employees and this affected the services rendered to the public. The security compromise resulted in the loss of approximately 1204 files that contained personal information. All electronic services provided by the department were affected at the time, and the IT systems of the Regulator (which is overseen by the Department) were also affected.

Following the breach, the Regulator conducted an assessment on its own initiative. Under sections 40(b)(vi) and 89 of POPIA, the Information Regulator is empowered to “conduct an assessment on its own initiative or when requested to do so, of a public or private body, in respect of the processing of personal information by that body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information”.

Having made the assessment, the Regulator found that the Department had failed to put in place adequate technical measures to monitor and detect unauthorised access to data in its possession. As a result, the Department contravened sections 19 and 22 of POPIA. The Regulator found that the Department had not renewed several software licences that had expired in 2020; had those solutions been working, they would have helped the Department avoid the breach. The failure to renew the licences resulted in the unavailability of critical information contained in the log files. The licences that were found to be crucial were:

  • the Security Information and Event Management licence, which monitors unusual activity on an organisation’s network and keeps a backup of log files;
  • the Intrusion Detection System licence, which notifies an organisation of any received alerts of suspicious activity by unauthorised people accessing the network; and
  • the Trend Antivirus licence, which updates virus definitions for known malware threats and blocks perceived threats.
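The finding above is, at root, a control-health failure: licences lapsed silently and the log data the SIEM should have been collecting was simply not there when it was needed. The following added example, written for this page and not code from the article or from ENSafrica, shows the two checks a defender would run routinely to catch exactly that: a licence-expiry check over a constructed register of security controls, and a "silent source" check that flags any expected log source (SIEM, IDS, antivirus) that has stopped sending events. The licence records, the log lines and their `<ISO timestamp> <source> <message>` format are all constructed assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed licence register for illustration; none of these dates come from the article.
LICENCES = [
    {"control": "SIEM", "expires": "2020-06-30"},
    {"control": "IDS", "expires": "2020-09-15"},
    {"control": "Antivirus", "expires": "2024-12-31"},
]

# Constructed log lines in an assumed "<ISO timestamp> <source> <message>" format.
LOG_LINES = [
    "2021-09-01T08:00:00 siem host=db01 event=auth_success user=svc_backup",
    "2021-09-01T08:05:00 antivirus host=ws17 event=definitions_updated",
    "2021-09-03T12:30:00 siem host=db01 event=auth_failure user=admin",
    "2021-09-03T12:31:00 antivirus host=ws17 event=definitions_updated",
    "2021-09-05T09:00:00 antivirus host=ws17 event=definitions_updated",
]

# Every source that should be feeding the log store; "ids" never appears above on purpose.
EXPECTED_SOURCES = ["siem", "ids", "antivirus"]


def expired_licences(licences, now):
    """Return the names of controls whose licence expiry date is before `now`."""
    return [
        lic["control"]
        for lic in licences
        if datetime.fromisoformat(lic["expires"]) < now
    ]


def parse_log_line(line):
    """Split one constructed log line into (timestamp, source)."""
    stamp, source, _message = line.split(" ", 2)
    return datetime.fromisoformat(stamp), source


def last_seen(lines):
    """Map each log source to the timestamp of its most recent line."""
    seen = {}
    for line in lines:
        stamp, source = parse_log_line(line)
        if source not in seen or stamp > seen[source]:
            seen[source] = stamp
    return seen


def silent_sources(lines, expected_sources, now, max_gap):
    """Return expected sources that are absent entirely or have not logged within max_gap."""
    seen = last_seen(lines)
    return [
        src for src in expected_sources
        if src not in seen or now - seen[src] > max_gap
    ]


def control_health(licences, lines, expected_sources, now, max_gap=timedelta(days=1)):
    """Combine both checks into one report a control owner can act on."""
    return {
        "expired_licences": expired_licences(licences, now),
        "silent_sources": silent_sources(lines, expected_sources, now, max_gap),
    }


def report_at(now_iso, max_gap_days=1):
    """Run the health check on the constructed sample data as of a given instant."""
    return control_health(
        LICENCES, LOG_LINES, EXPECTED_SOURCES,
        datetime.fromisoformat(now_iso), timedelta(days=max_gap_days),
    )


if __name__ == "__main__":
    # As of 5 Sept 2021: SIEM and IDS licences are expired, and the siem and ids
    # sources have gone quiet, so the report names both problems.
    print(report_at("2021-09-05T10:00:00"))
```

Run on a schedule, the report turns a lapsed licence or a dead log feed into an alert on the day it happens rather than a finding in a regulator's assessment two years later; the maximum acceptable gap should be set per source, since an antivirus console and a SIEM collector have very different normal event rates.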

The Regulator’s assessment also revealed that the Department had failed to take reasonable measures to identify or reasonably foresee internal and external risks to the protection of the personal information it processes. Further, the Department failed to establish and maintain appropriate safeguards against the risks that should have been identified. This led to the Department’s failure to regularly verify and update its security safeguards against malware threats.

After establishing that the Department had contravened the provisions of POPIA, the Regulator issued the Department with an Enforcement Notice in which it orders the Department to take several steps to remedy the non-compliance. The Department is required to:

  • submit proof to the Regulator within 31 days of receipt of the Enforcement Notice that it has renewed the SIEM, Trend Anti-Virus licence, and Intrusion Detection System licences; and
  • institute disciplinary proceedings against the official(s) who failed to renew the licences which are necessary to safeguard the department against security compromises.

If the Department does not comply with the notice, it will be guilty of an offence under POPIA. Non-compliance may result in an administrative fine of an amount not exceeding ZAR10 million. The persons responsible for the security breach can also face being convicted of an offence and having to serve a term of imprisonment for a period not exceeding 10 years.

POPIA requires responsible parties to secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures to prevent security compromises. It is not prescriptive, and it is up to each organisation to decide what appropriate measures it will take. From this Enforcement Notice, it is clear that the Information Regulator deems information security software and systems an important safeguard that responsible parties must consider when handling personal information.

A few months ago, at the ITWeb Governance Risk and Compliance 2023 event, the Chairperson of the Information Regulator cautioned that “every public body, every private body that has suffered a security compromise or data breach has to notify us – there is no threshold. Even if one person was breached, they still have to notify us.” Over 500 breach notifications had been made to the Regulator at the time of the event, but no fines have yet been imposed.

The Enforcement Notice is the first the Information Regulator has announced publicly, and it is much welcomed. It demonstrates the Information Regulator’s intention to exercise more of its powers, and that the Information Regulator has both bark and bite.

ENSafrica offers data breach survival workshops and can assist clients with data privacy and protection compliance.
