The Information Regulator of South Africa has found that the Department of Justice and Constitutional Development have contravened section 19 of 2022 of the Protection of Personal Information Act (POPIA).
The regulator investigated the data breaches after the Department suffered security compromises almost two years ago.
The Department has been issued with a notice to respond to the Regulator within 31 days or face an administrative fine not exceeding R10 million or the imprisonment of officials who failed to renew the Security Incident and Event Monitoring (SIEM) licence contract.
In a statement, the regulator says the department failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from their environment, saying this resulted in the loss of over 1 000 files.
“On 9 May 2023, the Information Regulator issued an Enforcement Notice to the Department of Justice and Constitutional Development (DoJ & CD) following the finding of the contravention of various sections of the Protection of Personal Information Act (POPIA) by the DoJ & CD. In September 2021, the DoJ & CD suffered a security compromise on its IT systems. This led to the department’s systems being unavailable to its employees and subsequently affecting services to the public. The Regulator conducted an own initiative assessment after the Department suffered a security compromise data breach”, says Information Regulator Chairperson Advocate Pansy Tlakula.
VIDEO: Safeguarding personal information
Tlakula says the Regulator had to conduct its own assessment on the data breaches and found that the Department failed to renew it’s Security and Event Monitoring license.
“Following the assessment, the Regulator found that the department had failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from their environment resulting in the loss of approximately 1204 files. This occurred as a result of the DoJ & CD’s failure to renew the Security Incident and Event Monitoring (SIEM) licence which would have enabled it to monitor unusual activity on their network and keep a backup of the log files. The failure to renew the licence resulted in the unavailability of critical information contained in the log files. The SIEM licence expired in 2020.”
“The DoJ & CD also failed to renew the Intrusion Detection System licence, which had also expired in 2020. Had this licence been renewed, the Department would have received alerts of suspicious activity by unauthorised people accessing the network. The Trend Antivirus licence was also not renewed in 2020 when it expired. The failure to renew this licence resulted in the virus definition for known malware threats not being updated,” adds Tlakula.
Internal and external security risks were also not identified to protect the personal information, says Tlakula.
“The Regulator also found that the DoJ & CD had failed to take reasonable measures to identify or reasonably foreseeable internal and external risks to the protection of personal information in its possession or under its control and establish and maintain appropriate safeguards against the identified risks. In this regard, the department failed to establish and maintain appropriate safeguards against the risks identified and to regularly verify and update the security safeguards against malware threats”.
Disciplinary action
The regulator wants the Justice and Constitutional Development Department to take the necessary steps to prevent breaches in future or face action against non-compliance with the enforcement notice given by the Regulator, as Tlakula explains.
“Following the finding that the DoJ & CD had contravened section 19 and 22 of POPIA, the Regulator issued the DoJ & CD with an Enforcement Notice in which it orders the Department to take a number of steps. These steps include that the Department must submit proof to the Regulator within 31 days of receipt of the Notice that the Trend Anti-Virus licence, the SIEM licence and the Intrusion Detection System licence have been renewed. It must also institute disciplinary proceedings against the official/s who failed to renew the licences which are necessary to safeguard the Department against security compromises.”
Action against Non-compliance
Failure to comply with the notice could lead to among other things, a multi-million fine.
“Should the DoJ & CD fail to abide by the Enforcement Notice within the stipulated time frame, it will be guilty of an offence, in terms of which the Regulator may impose an administrative fine in the amount not exceeding R10 million, or liable upon conviction to a fine or to imprisonment of the responsible officials. With the rising scourge of security compromises, responsible parties are urged to improve their information security systems to ensure that there are adequate safeguards to protect personal information of data subjects in their possession or under their control. The Regulator places emphasis on the management of risks arising from security compromises,” Advocate Tlakula concluded.
