Entities in the private and public sectors should take note of the enforcement action taken by the Information Regulator (IR) against the Department of Justice and Constitutional Development (DoJ) after finding that the department contravened the Protection of Personal Information Act (Popia).
In September 2021, DoJ suffered a security compromise – a data breach – on its IT systems. This led to the department’s systems being unavailable to its employees and subsequently affecting services to the public.
The IR conducted an assessment in terms of section 89 of Popia, which empowers the regulator to assess the processing of personal information by a responsible party against the provisions of Popia.
The IR found that the DoJ had failed to comply with the obligations set out in sections 19 and 22 of Popia under Condition 7, “Security safeguards”. These sections require responsible parties to implement security measures to ensure the integrity and confidentiality of personal information, as well as to notify affected data subjects of any unlawful acquisition or access of their personal information.
Expired licences
The IR said the DoJ had failed to put in place adequate technical measures to monitor and detect the unauthorised exfiltration of data, resulting in the loss of about 1 204 files.
This occurred because the department failed to renew the Security Incident and Event Monitoring (SIEM) licence, which would have enabled the DoJ to monitor unusual activity on its network and keep a backup of the log files. The failure to renew the licence resulted in the unavailability of critical information contained in the log files. The SIEM licence expired in 2020.
The department also failed to renew the Intrusion Detection System licence, which had also expired in 2020. If this licence had been renewed, the department would have received alerts of suspicious activity by unauthorised people accessing the network.
The Trend Antivirus licence was also not renewed in 2020 when it expired. The failure to renew this licence resulted in the virus definition for known malware threats not being updated.
The regulator also found that the department had failed to take reasonable measures to identify all reasonably foreseeable internal and external risks to the protection of personal information in its possession or under its control, and to establish and maintain appropriate safeguards against the identified risks. In this regard, the DoJ failed to establish and maintain appropriate safeguards against the risks identified and to regularly verify and update the security safeguards against malware threats.
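The failure described above is a control-coverage gap: licences lapsed quietly, and with them went log retention, intrusion alerts and malware definition updates. The following is an added example, not code from the article, the IR or the DoJ, of the kind of periodic check a security team can run over its own tooling inventory to surface such gaps before they become blind spots. The inventory, dates and thresholds are constructed for illustration; the control names echo the tools the article names but the values are not DoJ data.

```python
"""Control-coverage check: flag security tooling whose licence has lapsed or is
about to, and telemetry sources that have gone silent (no logs, no alerts, no
definition updates). Added example with a constructed inventory."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Control:
    name: str
    licence_expires: datetime
    last_event_at: Optional[datetime]  # last log, alert or definition update seen; None if never
    max_silence: timedelta             # longest acceptable gap between events


def check_controls(controls: list[Control], now: datetime, warn_days: int = 60) -> list[tuple[str, str, str]]:
    """Return (control, finding, detail) tuples for every coverage problem found."""
    findings: list[tuple[str, str, str]] = []
    for c in controls:
        # Licence state: expired is a hard failure; expiring soon is a warning.
        if c.licence_expires <= now:
            findings.append((c.name, "LICENCE_EXPIRED", f"expired {(now - c.licence_expires).days} days ago"))
        elif c.licence_expires - now <= timedelta(days=warn_days):
            findings.append((c.name, "LICENCE_EXPIRING", f"expires in {(c.licence_expires - now).days} days"))
        # Telemetry state: a licensed tool that has stopped reporting is still a gap.
        if c.last_event_at is None:
            findings.append((c.name, "NO_TELEMETRY", "no events ever received"))
        elif now - c.last_event_at > c.max_silence:
            findings.append((c.name, "TELEMETRY_STALE", f"silent for {(now - c.last_event_at).days} days"))
    return findings


# Constructed inventory (hypothetical values, not the DoJ's real data).
NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)
SAMPLE_CONTROLS = [
    Control("SIEM", datetime(2020, 6, 30, tzinfo=timezone.utc),
            datetime(2020, 7, 1, tzinfo=timezone.utc), timedelta(days=1)),
    Control("IDS", datetime(2020, 9, 15, tzinfo=timezone.utc),
            datetime(2020, 9, 16, tzinfo=timezone.utc), timedelta(hours=6)),
    Control("Antivirus", datetime(2021, 10, 1, tzinfo=timezone.utc),
            datetime(2021, 8, 1, tzinfo=timezone.utc), timedelta(days=2)),
    Control("EDR", datetime(2022, 3, 1, tzinfo=timezone.utc),
            NOW - timedelta(hours=1), timedelta(hours=6)),
]


def run_sample() -> list[tuple[str, str, str]]:
    """Run the check over the constructed inventory."""
    return check_controls(SAMPLE_CONTROLS, NOW)


if __name__ == "__main__":
    for name, kind, detail in run_sample():
        print(f"{name:10} {kind:18} {detail}")
```

Run this on a schedule and treat any LICENCE_EXPIRED or TELEMETRY_STALE finding as an incident in its own right: the point is that the absence of logs is itself detectable, so a lapsed SIEM or IDS need not go unnoticed for a year.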
Measures to improve cybersecurity
The IR issued the DoJ with an enforcement notice in which it ordered the department to take various measures to improve its cybersecurity. These steps include that the department must submit proof to the IR within 31 days of receipt of the notice that the Trend Anti-Virus licence, the SIEM licence, and the Intrusion Detection System licence have been renewed.
It must also institute disciplinary proceedings against the official/s who failed to renew the licences that are necessary to safeguard the department against security compromises.
If the department does not abide by the enforcement notice within the stipulated timeframe, it will be guilty of an offence. This will empower the IR to impose a fine of up to R10 million or to impose liability in the form of a fine or imprisonment on any of the responsible officials.
Key take-aways
Law firm Clyde & Co says the key take-aways from the enforcement notice are:
- Although the IR appears to be focused on driving Popia compliance within the public sector, it is expected that increased scrutiny will follow in the private sector, particularly for serious cybersecurity compromises.
- Popia provides a wide discretion to the IR to prescribe far-reaching security improvements or remedial actions without regard to the cost of achieving compliance.
- The IR has emphasised the need to manage personal information responsibly to prevent unintended security compromises. Proactive and holistic risk management practices must be implemented by any organisation handling personal information.