On 7 September 2021, the Department of Justice and Constitutional Development (the “Department”) released a media statement informing the public about the challenges it was experiencing with its information technology (“IT”) systems. The media statement stated that the issues experienced by the Department were affecting the services it rendered at all of its offices and courts across the country. Upon an assessment of the extent of the problem, the Department determined that its IT systems had been interrupted due to a security breach effected through a ransomware attack. As a result of the breach, all information stored on the IT systems was encrypted and therefore unavailable to both internal employees and members of the public.
Importance of data protection and data privacy
The recent events experienced at the Department are a prime example of the importance of data protection and data privacy regulations in a continuously expanding digital world. A data breach, such as the one experienced by the Department, can have a range of devastating consequences for any individual or business. Establishing data protection and data privacy regulations and policies is therefore of vital importance, and South Africa has made great strides in this regard in recent years. Arguably the two most important data protection and data privacy regulations are:
- the Protection of Personal Information Act No. 04 of 2013 (“POPIA”) which aims to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another individual’s or entity’s personal information by holding them accountable should they abuse or compromise such personal information in any way; and
- the Cybercrimes Act No. 19 of 2020 (“Cybercrimes Act”) which aims to align South Africa’s cybersecurity laws with the rest of the world. Its objectives include, amongst other things, criminalising the unlawful access, use and disclosure of data which may potentially be harmful, by creating various new criminal offences, each with different penalties depending on the severity of the offence.
Compliance with the provisions of POPIA and the Cybercrimes Act is, however, only the first step in ensuring that adequate data protection and data privacy measures are put in place.
The consequences of weak data protection and data privacy measures
If we examine the events experienced at the Department, we can determine what can happen if adequate data protection and data privacy measures are not put in place. Since the date of the breach on 6 September 2021, many strides have been made by the Department in attempting to recover from the ransomware attack. The team of Departmental officials, industry specialists and advisors from organs of State has successfully contained the spread of the ransomware attack, and a number of online services have been reactivated in a safe and secure manner. Priority has been given to services that affect the public directly, particularly as it pertains to beneficiary payments, and to ensuring that court proceedings continue as planned.
There are, however, still many systems and/or services that are being negatively affected by the ransomware attack, such as the Integrated Case Management System, which is an administrative system used at all courts and particularly at the Office of the Master of the High Court. As a result of the ransomware attack, Master’s Offices around the country have resorted to the use of manual processes to render services; however, letters of executorship or authority still cannot be issued manually during this period.
Incident response and recovery plan
Once you have ensured that your business is compliant with the relevant regulations, it is also necessary to ensure that your business is capable of recovering from an attack. This can be achieved with the assistance of an incident response and recovery plan. Responding to an attack under an incident response plan is often followed by the need to restore some or all of your infrastructure.
It is recommended that an incident response plan be developed, and that it should consist of, amongst other things:
- reviewing your network infrastructure to identify vulnerabilities and points of attack;
- determining the roles and responsibilities of your staff in the event of a cyberattack or breach;
- providing for a communication strategy in the event that you cannot access systems such as your emails; and
- routine testing of your incident response plan to ensure effective implementation and the identification of shortcomings.
As stated above, any incident response plan also needs an incident recovery plan in the event that the cyberattack or breach cannot be stopped. The following are some of the aspects that need to be addressed in the incident recovery plan:
- a business impact analysis which will assist in determining how the cyberattack or breach has impacted the business and how long the business can survive without this data;
- a list of all hardware and software that has been affected;
- recovery time objectives;
- ensuring that all service level agreements provide for cyberattacks and/or breaches and how this will affect services; and
- procedures to safeguard sensitive information during the recovery process.
Obligation to report the cyberattack and/or breach
Once the incident response and recovery plan has been implemented, it is also important to report the cyberattack and/or breach to the Information Regulator of South Africa (the “Regulator”) in accordance with the provisions of POPIA. The Department reported its ransomware attack to the Regulator on 13 September 2021 in accordance with the provisions of section 22(1) of POPIA. The Regulator was informed by the Department that its systems had been compromised, affecting all of its IT systems. The Regulator was also informed of the ongoing investigations by the Department into the nature of the breach and whether personal information had been compromised or not.
Conclusion
It is clear from the recent incident experienced by the Department that data protection and data privacy is a complex and evolving field of the law. VDMA’s team of experts will continue to monitor the status of the ransomware attack at the Department and the progress being made to restore the functionality of the Department’s IT systems. VDMA’s team of experts is available to assist you and your business with ensuring you are compliant with POPIA and the Cybercrimes Act, as well as with any enquiries you may have related thereto.
Published 18 November 2021