In September 2023, the South African Information Regulator announced that it had issued an Enforcement Notice to a South African pharmaceutical company ("the company") after it found that the company had contravened various sections of the Protection of Personal Information Act (POPIA).
According to the Enforcement Notice, the company uses a third-party service provider ("the provider"), and the provider had suffered a cyber-attack which compromised the security of the personal information of approximately 3.6 million data subjects held in the company's e-Statement Service database.
This type of cyber-attack is known as a brute force attack, whereby an unauthorised party continuously attempts different passwords to gain access to the system until the correct password is found. The company had notified the Information Regulator in writing of the security compromise. The Information Regulator then conducted an assessment into the security breach and concluded that the company had failed to identify the risks of using weak passwords and had failed to put in place adequate measures to monitor and detect unlawful access to its environment. In an ever-changing cyber-environment, it is essential that companies stay ahead of the curve in the fight against data interception and unlawful cyber activity; strong passwords are therefore a must!
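The Regulator's finding turned on the absence of monitoring for exactly this pattern of repeated failed logins. The following is an added illustration, not code from the article, the company or the provider, of the kind of detection logic an operator could run over its authentication logs; the log line format, the source address and user names, and the threshold of five failures within sixty seconds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not a real system's output).
# One source tries many passwords for one account and eventually succeeds; a second
# source mistypes a password twice and then logs in, which should not raise an alert.
SAMPLE_LOG = """\
2023-09-01T10:00:01Z src=203.0.113.5 user=j.smith result=FAIL
2023-09-01T10:00:02Z src=203.0.113.5 user=j.smith result=FAIL
2023-09-01T10:00:03Z src=203.0.113.5 user=j.smith result=FAIL
2023-09-01T10:00:04Z src=203.0.113.5 user=j.smith result=FAIL
2023-09-01T10:00:05Z src=203.0.113.5 user=j.smith result=FAIL
2023-09-01T10:00:06Z src=203.0.113.5 user=j.smith result=FAIL
2023-09-01T10:00:20Z src=203.0.113.5 user=j.smith result=OK
2023-09-01T10:03:00Z src=198.51.100.7 user=m.naidoo result=FAIL
2023-09-01T10:03:05Z src=198.51.100.7 user=m.naidoo result=FAIL
2023-09-01T10:03:10Z src=198.51.100.7 user=m.naidoo result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|OK)$")


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return alerts as (kind, source, timestamp) tuples.

    'burst' fires once when a source reaches `threshold` failed logins inside a
    sliding window of `window_seconds`; 'success_after_burst' fires when a source
    already flagged as bursting then logs in successfully (a likely compromise).
    """
    recent = defaultdict(deque)  # source -> timestamps of failures still in the window
    bursting = set()             # sources that have already tripped the threshold
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        src, result = m.group(2), m.group(4)
        window = recent[src]
        while window and ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()  # discard failures that have aged out of the window
        if result == "FAIL":
            window.append(ts)
            if len(window) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(("burst", src, m.group(1)))
        elif src in bursting:
            alerts.append(("success_after_burst", src, m.group(1)))
    return alerts
```

Account lockout or rate limiting would stop the burst earlier; the detection above is what lets the responsible party know an attempt happened at all, which is the monitoring gap the Notice identified.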
The assessment conducted by the Information Regulator also found that the company had failed to enter into an operator contract to ensure that adequate security and reporting measures were put in place. The Enforcement Notice requires the company, within 31 days, amongst other things, to comply with regulation 4 of POPIA (impact assessments, compliance frameworks) and to enter into written contracts with all its operators. Section 21 is one of the few sections of POPIA which requires a responsible party to conclude a written agreement, in this case with an "operator", to ensure that when the operator processes personal information for the responsible party, it complies with the security measures set out in POPIA. This explains why the Enforcement Notice was issued to the company even though the brute force attack was against the provider. An "operator" is a party that processes personal information on behalf of a responsible party under POPIA.
These Enforcement Notices should not be taken lightly. Apart from the embarrassment and damage to customer confidence, the failure to comply with an Enforcement Notice could be an offence for which a fine of up to R10 million or imprisonment (or both) can be imposed.
In July 2023, the Information Regulator announced that it had imposed a fine of R5 million on the South African Department of Justice and Constitutional Services for failing to comply with an Enforcement Notice issued in May 2023. That notice required that licences for certain anti-virus software be renewed and that disciplinary action be taken against the officials who had failed to do so. The Department has 30 days to pay the fine, arrange payment in instalments, or elect to be tried in court for an offence under POPIA.
The Information Regulator is certainly active, gaining momentum and enforcing the laws of the Protection of Personal Information Act in South Africa.
For advice and assistance on the content of these written agreements with operators, please contact us. As an added incentive, if required, legal advisors and deputy information officers need only remind their CEOs that the responsibilities of a responsible party under POPIA rest on the CEO's shoulders as the automatically appointed information officer of the company.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.