If it happened to them, it could happen to you: Lessons from the Information Regulator

A business’ operations can be brought to a standstill if it experiences a data breach – a reality which is becoming more and more familiar. Section 22 of the Protection of Personal Information Act 4 of 2013 (POPIA) requires responsible parties to notify both the Information Regulator and the relevant data subject(s) of a breach where there are reasonable grounds to believe that their personal information has been accessed or acquired by any unauthorised person. The Information Regulator itself recently had the unfortunate opportunity to demonstrate this requirement.

11 Oct 2021 3 min read Technology & Communcations Alert Article

At a glance

  • Data breaches can bring a business to a standstill, requiring notification to the Information Regulator and affected data subjects under Section 22 of POPIA.
  • The Information Regulator recently experienced a security compromise at the Department of Justice and Constitutional Development, resulting in unauthorized access to its systems.
  • The Information Regulator issued a notification of the breach, providing details of the unauthorized access, the potential consequences, measures taken to address the breach, and recommendations for data subjects to protect themselves.

On or about 9 September 2021, the Information Regulator became aware of a security compromise at the Department of Justice and Constitutional Development (DoJ&CD), whose information and communication technology (ICT) systems the Information Regulator shares. The DoJ&CD have advised that the security compromise was effected through ransomware on its systems on 6 September 2021. The DoJ&CD further confirmed that there was unauthorised access to its ICT systems, and as a result, one of the domain administrator’s accounts was compromised and used to deploy ransomware in the DoJ&CD’s ICT environment.

As is required in terms of section 22 of POPIA, on 22 September 2021, the Information Regulator issued a notification of security compromise (Notice) to all its data subjects (whom the Information Regulator identifies as “any person that has, in the course of interacting with the [Information] Regulator, submitted their personal information to the [Information] Regulator”). A copy of the Notice was published on the Information Regulator’s website. The Notice covers the following key points:

  • the identity of the unauthorised person who may have accessed or acquired the personal information;
  • the categories of personal information that may have been accessed or acquired by the unauthorised person;
  • a description of the possible consequences of the security compromise;
  • a description of the measures that the Information Regulator intends to take or has taken to address the security compromise and to protect the personal information of the data subjects from further unauthorised access or use; and
  • advice or recommendations with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise.

Any person who is a data subject, as described in the notice, should take protective measures against the compromise to protect themselves.

Proactive approach

Through the Notice, the Information Regulator has demonstrated a proactive approach to data breaches, in that although it is currently still making use of the DOJ&CD’s ICT systems, it is also taking its own steps as a responsible party to strengthen its security measures and ensure the protection of personal information of data subjects in the future. These measures include establishing its own email system with security controls in place; ensuring that cloud service hosting options for its Information Officer Registration Portal are fortified with two-factor authentication, encryption and next generation firewalls; implementing its own website; and, importantly, commencing its own independent investigation into the security breach and any impact on the personal information of its data subjects.

Data breaches can have devastating effects on targeted businesses and businesses should prepare for such eventualities by implementing appropriate, reasonable technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information, in accordance with POPIA. In addition to implementing such measures, and in order to deal with breaches swiftly when they do happen, businesses should also proactively develop and implement (throughout the business) a POPIA-compliant data breach response plan.

Furthermore, we note that the Information Regulator is expected to publish a template for responsible parties to use in order to notify the Information Regulator of such a breach – a development which is most welcome.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.