After making headlines in July with a historic R5 million fine imposed on the Department of Justice and Constitutional Development (DoJ&CD), the Information Regulator is back in the spotlight after it issued an enforcement notice against Dis-Chem Pharmacies.
We delve into the recent Dis-Chem case and distil the five key lessons businesses and institutions should glean from the Regulator’s enforcement notices issued this year.
The Dis-Chem enforcement notice
On 31 August, the Information Regulator issued an enforcement notice against Dis-Chem for failing to comply with various sections of the Protection of Personal Information Act (POPIA). The Regulator expects the retail pharmacy chain to enhance its data security process – or face penalties, which could include a fine of up to R10 million, imprisonment, or both.
The data breach incident dates to last year, when Grapevine, a third-party service provider of Dis-Chem, suffered a brute force attack by a cybercriminal. A brute force attack is a hacking method that aims to crack a password by systematically trying different character combinations until the correct one is found.
The security compromise resulted in about 3,6 million data subjects’ records being accessed from Dis-Chem’s e-statement service database, which was managed by Grapevine. The affected records in the database were limited to names, surnames, e-mail addresses and cell phone numbers of the data subjects.
Dis-Chem was alerted to the security compromise when some of its employees started receiving SMS messages. Within four days of becoming aware of the breach, the retail chain notified the Regulator in writing of the security compromise. However, according to the Regulator, it failed to notify the data subjects of the breach, which is a requirement in terms of Section 22 of POPIA.
This prompted the Regulator to conduct an own-initiative assessment of the security compromise. The Regulator determined that Dis-Chem had interfered with the protection of the data subjects’ personal information, and had thus breached the conditions for the lawful processing of personal information.
The Regulator’s assessment found that Dis-Chem failed to:
- Identify the risk of using weak passwords and prevent the use of such passwords.
- Put in place adequate measures to monitor and detect unlawful access to their environment.
- Enter into an operator agreement with Grapevine and ensure that Grapevine had adequate security measures in place to secure the personal information in its possession. Such an agreement would also have set out the process for reporting to Dis-Chem in the event of a security compromise.
Dis-Chem was ordered to implement the following remedial actions within 31 days:
- Conduct a personal information impact assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information as required by Regulation 4(1)(b) of POPIA.
- Implement an adequate incident response plan, implement the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a vulnerability management programme, implement strong access control measures, and maintain an information security policy.
- Ensure that it concludes written contracts with all operators who process personal information on its behalf, and that such contracts compel the operator(s) to establish and maintain the same or better security measures than those referred to in Section 19 of POPIA.
- Develop, implement, monitor and maintain a compliance framework, in terms of Regulation 4(1)(a) of POPIA, which clearly makes provision for the reporting obligations of Dis-Chem and all its operators in terms of Section 22 of POPIA.
Dis-Chem has hit back at the Regulator, disputing the accuracy of the allegations in the enforcement notice, including, amongst others, the Regulator’s view that the company failed to notify the affected data subjects. Furthermore, the pharmacy chain stated that it had already addressed and acted upon all orders outlined in the enforcement notice, and that it would respond to the Regulator within 31 days.
Complaints on the rise
In the 2022/23 financial year, the Regulator received 895 POPIA complaints, compared to the preceding financial year’s total of 544. Of the 895 complaints received, 616 have been successfully resolved.
Under POPIA, the Regulator has the authority to investigate complaints filed by individuals or initiate investigations on its own initiative, as it did in the Dis-Chem case. Additionally, it can conduct assessments on compliance with both POPIA and PAIA.
Most complaints are resolved through settlement or mediation procedures. In cases where a resolution can’t be reached, the matter is escalated to a full investigation. Thereafter, an investigation report is referred to the Enforcement Committee, which uses the report to make its findings. The Committee also recommends the appropriate actions that must be taken.
A handful of enforcement notices have been issued in 2023, but it is when these notices are ignored that businesses or entities run into serious trouble. A prime example of this is the DoJ&CD. Much like in the Dis-Chem case, the DoJ&CD’s IT systems were compromised. Consequently, the Regulator issued the department with an enforcement notice that required it to implement a number of remedial steps within 31 days. The DoJ&CD failed to do so, resulting in the Regulator imposing its very first administrative fine.
In light of all the recently published enforcement notices, what main lessons can institutions handling personal information learn? Here are five key insights:
- Training is crucial: In most of this year’s enforcement notices, the Regulator has asked for evidence of POPIA awareness training. Therefore, it’s essential to train all employees on POPIA. In terms of Regulation 4(1)(e) of the Act, it’s the information officer’s responsibility to ensure internal awareness sessions are held regarding POPIA provisions, regulations, codes of conduct or information obtained from the Regulator. Moreover, it’s advisable to provide cybersecurity training to your employees, covering security measures and response procedures for security compromises, such as data breaches.
- Maintain an up-to-date risk management plan that addresses privacy and security risks: This can include a risk register to identify and record foreseeable internal and external privacy and security risks your business may be exposed to. Outline what steps you will take to mitigate these risks to prevent breaches and safeguard personal information in your possession or control.
- Plan for your response: Ensure that you have an incident response plan in place, and that your staff knows what to do in the event of a security compromise. This plan should include the necessary steps for notifying both the Regulator and the data subject(s) (unless the identity of the data subject(s) cannot be established), as required in terms of Section 22 of POPIA. When notifying the Regulator, make use of the Security Compromise Notification Form (Form SCN1), which the Regulator published together with a guideline on how to complete it. Send the completed form and the necessary attachments to POPIACompliance@inforegulator.org.za.
- Third-party service provider contracts: Maintain written contracts with all third-party service providers who process personal information on your behalf. These contracts should also address security measures that the third party will maintain in terms of Section 19 of POPIA.
- Implement a compliance framework: Ensure that you have a compliance framework, in terms of Regulation 4(1)(a) of POPIA, in place. This framework can include policies, procedures and controls for ensuring POPIA compliance in your business.
Proactive POPIA compliance
With cybercriminals continually developing innovative ways to gain access to personal information, data breaches pose a real threat to companies and institutions.
To safeguard against these threats, entities handling personal information must sharpen their cybersecurity measures. Equally important is maintaining robust procedures and practices to ensure POPIA compliance. Failing to do so can cost you dearly in administrative fines. What’s more, POPIA compliance goes a long way towards protecting your clients’ personal information and limiting the fallout, including reputational damage to your business, should a data breach occur.