The department of justice & constitutional development is taking the Information Regulator to court to fight a R5-million fine the regulator imposed on it over a 2021 cyberattack.
The fine against the department was the first administrative penalty imposed by the Information Regulator since its establishment and the court case could serve to set an important precedent in the way information security breaches are regulated in South Africa.
“The court application was issued on 29 September and was delivered to the sheriff on 2 October for purposes of serving it on the Information Regulator. The return of service (a response) is currently awaited,” said justice department spokesman Steven Mahlangu.
A ransomware attack on 6 September 2021 crippled the department’s information systems, Bloomberg News reported at the time, leaving them encrypted and unavailable. All departmental electronic services, including the issuing of letters of authority, bail services, e-mail and the website, were affected by the incident.
Following the attack, the Information Regulator launched an “own-initiative” assessment through which it found that the department had “failed to put in place adequate technical measures” to detect unusual activity in its network and prevent unauthorised access to its systems. This was due, in part, to a failure by the justice department to renew the software licences of three product areas: security incident and event monitoring (SIEM), intrusion detection system (IDS) and antivirus. All three licences had expired in 2020.
The regulator also criticised the justice department’s failure to perform an IT risk assessment on its network and software systems.
Justice department vs Information Regulator
In May, the regulator said: “The regulator has issued the Department of Justice and Community Development with an enforcement notice in which it orders the department to submit proof to the regulator within 31 days of receipt of the notice that the Trend [Micro] antivirus licence, the SIEM licence and the IDS licence have been renewed. It must also institute disciplinary proceedings against the official/s who failed to renew the licences which are necessary to safeguard the department against security compromises.”
The department of justice did not respond to the regulator’s enforcement notice, suggesting the remedial actions enforced on it had not been implemented. Consequently, in June, the regulator issued an infringement notice in which it ordered the department to pay a R5-million fine.
“The 31 days given to the department expired on 9 June 2023. To date, the department has not provided the regulator with a report on implementation of the actions required in the enforcement notice or any other communication in that regard,” said the regulator at the time. “The department of justice had the right to appeal the enforcement notice in terms of section 97(1) of Popia, and they failed to exercise that right,” said the regulator, referring to the Protection of Personal Information Act, also known as Popia.
The justice department, however, is challenging the legality of the two notices sent to it by the regulator in terms of section 6 of the Promotion of Administrative Justice Act. The department further argues that the regulator has misinterpreted and misapplied Popia legislation, saying that the regulator’s “flawed process” risks setting a precedent that, “if not challenged, the implications for the work of the Information Regulator itself and all entities will be negatively impacted”.
“The Information Regulator did not apply its mind to the application of reasonable time periods in which the orders were to be implemented. There is also no proof that personal information was lost, damaged, unlawfully accessed or processed, and subsequently misused to the prejudice of anyone,” Mahlangu said.
In an episode of the TechCentral Show published on Friday, Information Regulator chair Pansy Tlakula highlighted the fine against the justice department as a sign of its institutional independence.
“Our budget doesn’t come from the department of justice; justice is a conduit. The reason is that when we started, the justice department helped us establish the regulator. However, there is a perception out there that we are part of justice… The regulator showed that independence by fining an organisation or department that helped it to establish itself.” — © 2023 NewsCentral Media