The Information Regulator (Regulator) has issued the Department of Justice and Constitutional Development (DoJ) with a R5 million fine for a failure to comply with an enforcement notice in terms of the Protection of Personal Information Act (POPIA).

This is the first administrative fine that the Regulator has issued and represents a significant development in terms of the Regulator’s enforcement powers.

DoJ cyber incident 

The DoJ fell victim to a cyber attack in 2021 where more than 1200 files were lost, and internal documents and personal information was compromised.

POPIA requires responsible parties to implement security measures to ensure the integrity and confidentiality of personal information. Section 22 of POPIA also requires responsible parties to notify affected data subjects of cyber incidents.

The Regulator found that the DoJ had failed to comply with its obligations set out in sections 19 and 22 of POPIA relating to security safeguards by failing to renew its antivirus software, including an intrusion detection licence that would have made the DoJ aware of any unauthorised third parties unlawfully accessing its network.

Enforcement action taken by the Regulator

The Regulator issued an enforcement notice on 9 May 2023 to the DoJ ordering its antivirus and intrusion detection licences to be renewed within 31 days of the issuing of the enforcement notice. The enforcement notice also included a direction to the DoJ to take disciplinary action against those employees responsible for the renewal of the antivirus software.  

The Regulator had warned that a failure to comply with the enforcement notice would result in a fine of up to R10 million or the imprisonment of all responsible officials.

On Monday, 3 July 2023, the Regulator imposed a R5 million fine on the DoJ after it had failed to provide any proof that it had complied with the enforcement notice and renewed all the necessary licences and software. The Regulator has given the DoJ 30 days to pay the fine or make arrangements for the fine to be paid in instalments. The DoJ can also elect to be tried in court for its offences.

The Regulator has not released a formal statement in respect of the fine at present and we await further details from the Regulator regarding the basis for the administrative fine.

Key takeaways

  • The Regulator is actively monitoring POPIA non-compliance and issuing fines as a result of failure to adhere to timelines to respond to enforcement notices. We expect more regulatory scrutiny and activity in the next 12 months.
  • The fine against the DoJ is significant as it represents 50% of the maximum amount the Regulator is able to issue as a penalty against a responsible party for POPIA non-compliance.
  • This development is a stark reminder for companies and their board of directors, that a failure to responsibly manage personal information and prevent security compromises may result in significant sanctions by the Regulator.

Reach out to us 

Clyde & Co specialises in all aspects of cyber risk, data protection, insurance and claims. Our end-to-end cyber solution is designed to boost cyber resilience and is built around pre-incident planning, effective incident response and post-incident recovery.