South Africa’s Information Regulator has established a unit that will investigate cyber security compromise incidents, as data breaches escalate across the country.
The new division comes as the regulator continues to receive an increasing number of notifications of data breaches, with 600 reported incidents from January to August.
This is according to advocate Pansy Tlakula, chairperson of the Information Regulator, speaking to ITWeb on the sidelines of the “10 Years of POPIA Symposium”, hosted by the regulator in Johannesburg, last week.
The event created a platform for information officers, legal professionals and data privacy specialists to reflect on the implementation of the Protection of Personal Information Act (POPIA) since it was enacted in SA on 19 November 2013.
While the Information Regulator has made strides in enforcing data protection since the office was established in 2016, Tlakula noted her office experienced several challenges associated with implementing the Act.
The POPIA division, she noted, has been travelling the length and breadth of SA, conducting investigations and assessments, either as a result of complaints received, or the security compromises that have been reported.
“We have established the security compromise unit because data breaches are a huge problem in this country, and I'm not sure if our government is even aware of the challenge of data breaches.
“So, with the 600 data breaches that have been reported this year, if you look at the number of staff members required to investigate these incidents, this becomes a challenge.
“The second challenge is that we are investigating private bodies with deep pockets. If you think that they will just take our infringement notice lying down, they won’t. They will take us to court to challenge our decisions.
“The duties of this unit will be to investigate the nature of data breaches,” she explained.
The over-processing of data subjects’ personal information is a key contributor to the soaring data breaches in SA, Tlakula added.
The organisation has grown from five employees at inception, to a current staff complement of 100, working across six divisions.
The establishment of the security compromise unit follows the information watchdog coming under pressure from the public, who complain about its slow response in dealing with data privacy complaints.
Last August, the regulator created an Enforcement Committee to focus on all matters referred to it regarding a complaint, an investigation of a complaint and a finding in respect of the complaint, as referred to in section 92 of POPIA.
POPIA aims to bring SA in line with international standards for the protection, collection, recording and storage of personal information, giving individuals control over their personal information.
While the Act was signed into law in 2013 and a handful of its provisions (section 1, Part A of Chapter 5, section 112 and section 113) came into operation early, the remaining sections commenced on 1 July 2020, and the one-year grace period to comply ended on 30 June 2021.
Langithemba Mazibu, senior manager of information and technology analysis at the Information Regulator, was among the panellists speaking during a roundtable discussion at the recent POPIA symposium. He highlighted the important convergence between cyber security and the role of the regulator.
“Almost everything the Information Regulator does regarding data breaches has an element of cyber crime in one way or another, whether it is an internal employee that has been negligent, or an external party trying to infiltrate an organisation or steal personal data.
“We are seeing a trend where there is a shift from the era where the perpetrator is often a skilled cyber criminal, to a point where now anyone with a couple of Bitcoin is able to buy hacking tools online and start these attacks without having any significant computing skills.
“With the advent of artificial intelligence, we are seeing incidents where it is being used as the primary tool to conduct sophisticated cyber attacks.”
Also speaking during the roundtable, advocate Tshepo Boikanyo, executive member of the Information Regulator and its executive responsible for POPIA, said the regulator has been issuing enforcement letters.
“Through our regular assessments as the POPIA division, we have realised there have been a number of challenges out there. While there is general compliance by the private bodies, we still have instances where public bodies do not have privacy policies, for example,” asserted Boikanyo.
“We have also noted that most of the irresponsible parties have inadequate security controls to safeguard the personal information they hold. There is also a lack of training of employees by responsible parties, as well as the lack of IT skills required to ensure the information they hold is really protected.”