In a landmark decision, the Information Regulator has issued a R5-million administrative fine on the department of justice & constitutional development.

The punishment, imposed on Monday, is the first of its kind in South Africa and follows the justice department’s failure to comply with an enforcement notice issued on 9 May within the stipulated 31-day period.

The notice required that the department show proof that it had renewed various licences pertaining to its antivirus software suite and initiated disciplinary proceedings against the officials whose failure to renew these licences compromised the security of its software systems.

The justice department was hit by a ransomware attack on 6 September 2021 that left all of its information systems encrypted and unavailable, Bloomberg News reported at the time. It impacted all the department’s electronic services, including the issuing of letters of authority, bail services, e-mail and the website.

The Information Regulator monitors and enforces the provisions of the Protection of Personal Information Act (Popia).

“The regulator may impose an administrative fine in the amount not exceeding R10-million, or liable upon conviction to a fine or to imprisonment of the responsible officials,” said the regulator in its official notice regarding the justice department infringement. The department allegedly ignored the notice and, as a result, waived its right to appeal.

Read: Inside a ransomware attack

The department has three options in responding to the fine: it could pay it within the stipulated 30 days of its issue; it could negotiate with the regulator to pay the fine in instalments; or it could choose to be tried in court for contravention of Popia.