But failure to renew the licence resulted in the critical information in the files being unavailable, Zondi said.
The department also failed to take reasonable measures to foresee internal and external risks of the protection of personal information under its control.
“In this regard, the department failed to establish and maintain appropriate safeguards against the risks identified and to regularly verify and update the security safeguards against malware threats.”
As the department was found to be in breach of sections 19 and 22 of the act, the regulator has ordered it to take steps which include submitting proof to the regulator that the SIEM licence has been renewed.
Disciplinary proceedings should also be instituted against officials who failed to renew the licence necessary to safeguard the department against security breaches, said Zondi.
“Should the department fail to abide by the enforcement notice within the stipulated time frame (31 days), it will be guilty of an offence in terms of which the regulator may impose an administrative fine in the amount not exceeding R10m, or liable upon conviction to a fine or to imprisonment of responsible officials,” she said.
TimesLIVE
Department of justice breaches POPI Act and compromises security files
Image: 123RF/Stockstudio44
The department of justice and constitutional development contravened the Protection of Personal Information Act, resulting in the loss of more than 1,200 files.
The information regulator issued an enforcement notice to the department this week for a September 2021 security breach on its IT systems.
This led to the department’s systems being unavailable and affecting services to the public, said the regulator.
“The regulator conducted an own initiative assessment after the department suffered a ... data breach. After the assessment, the regulator found the department had failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from their environment, resulting in the loss of about 1,204 files,” spokesperson Nomzamo Zondi said.
The security breach was caused by the department’s failure to renew the security incident and event monitoring (SIEM) licence which expired in 2020. This licence enables it to monitor unusual activity and to back up log files.
Popi Act is here and despite initial doubts it's a useful policy to safeguard data
But failure to renew the licence resulted in the critical information in the files being unavailable, Zondi said.
The department also failed to take reasonable measures to foresee internal and external risks of the protection of personal information under its control.
“In this regard, the department failed to establish and maintain appropriate safeguards against the risks identified and to regularly verify and update the security safeguards against malware threats.”
As the department was found to be in breach of sections 19 and 22 of the act, the regulator has ordered it to take steps which include submitting proof to the regulator that the SIEM licence has been renewed.
Disciplinary proceedings should also be instituted against officials who failed to renew the licence necessary to safeguard the department against security breaches, said Zondi.
“Should the department fail to abide by the enforcement notice within the stipulated time frame (31 days), it will be guilty of an offence in terms of which the regulator may impose an administrative fine in the amount not exceeding R10m, or liable upon conviction to a fine or to imprisonment of responsible officials,” she said.
TimesLIVE
Would you like to comment on this article?
Register (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.
Trending
Related articles
Latest Videos