The Information Regulator ("the Regulator") recently concluded its investigation into a cybersecurity incident suffered by the Department of Justice and Constitutional Development (“DoJ”) in September 2021. The Regulator has now published one of its first media statements detailing the enforcement notice ("Enforcement Notice") issued against a public entity for non-compliance with the Protection of Personal Information Act, 2013 (“POPIA”).

What led to the Enforcement Notice?

The Regulator conducted an assessment in terms of section 89 of POPIA following a security compromise which resulted in the DoJ’s systems being unavailable to its employees and which affected service delivery to the public. Section 89 of POPIA empowers the Regulator, of its own accord, to assess an instance of processing of personal information conducted by a responsible party against the provisions of POPIA.

Following its assessment, the Regulator found that the DoJ had failed to comply with the obligations set out in sections 19 and 22 of POPIA under Condition 7, ‘Security Safeguards’. These sections require responsible parties to implement security measures to ensure the integrity and confidentiality of personal information as well as to notify affected data subjects of any unlawful acquisition or access of their personal information.

The DoJ was found to have failed to put in place adequate measures to detect unauthorised exfiltration and to identify foreseeable internal and external risks. The Regulator pointed out that several cybersecurity software licences (anti-virus, threat detection and event monitoring) had lapsed or had not been updated timeously.  

As a result, an Enforcement Notice was issued to the DoJ ordering it to take various steps to improve its cyber posture. These steps include renewing the abovementioned licences within 31 days of receipt of the Enforcement Notice. Notably, the DoJ was also ordered to institute disciplinary proceedings against the officials who failed to renew these licences.

Should the DoJ fail to comply with the Enforcement Notice within the stipulated period, it will be found guilty of an offence. This will empower the Regulator to impose an administrative fine of not more than R10 million or to impose liability in the form of a fine or imprisonment on any of the responsible officials.

Key takeaways

  • Although the Regulator appears to be focused on driving POPIA compliance within the public sector, we expect that increased scrutiny will follow in the private sector, especially for serious cybersecurity compromises.
  • POPIA provides a wide discretion to the Regulator to prescribe far-reaching security improvements or remedial actions without regard to the cost of achieving compliance.
  • The Regulator has emphasised the need to manage personal information responsibly to prevent unintended security compromises. Proactive and holistic risk management practices must be implemented by any organisation handling personal information.   

Clyde & Co specialises in all aspects of cyber risk, data protection, insurance and claims. Our end-to-end One cyber solution is designed to boost cyber resilience and is built around Readiness, Response and Recovery.