Information Regulator issues first fine to the Department of Justice after ransomware attack

The Information Regulator (Regulator) has issued its first administrative penalty of R5 million, to the Department of Justice and Constitutional Development (the DOJCD) for failure to comply with an enforcement notice issued following an investigation by the Regulator into the cyber-attack where the DOJCD was locked out of their systems in September 2021. The notice required the DOJCD to renew their licences for anti-virus software, a security and event management application and an intrusion detection system. Under the Protection of Personal Information Act, 2013 (POPIA) anyone processing personal information in South Africa must implement technical and organisational measure to protect that information. The DOJCD failed to provide proof of renewal to the Regulator as required to ensure the appropriate technical measures were in place and therefore the penalty was imposed.

Though the nature of the attack was not made public, it is suspected that the DOJCD suffered a ransomware attack. Ransomware attacks have become the fastest growing area of cyber risk in South Africa, with everyone from small businesses to listed corporations falling victim to these malicious attacks. But what does it mean when your business suffers a ransomware attack? What is ransomware? What are the legal consequences and what can you do to protect yourself?

What is ransomware?

Ransomware is a type of malware that is designed to deny access to a victim’s computer systems, whether through extracting or deleting data, corrupting or encrypting it, or making it otherwise inaccessible. It is often very difficult to detect that ransomware has been deployed in your environment until it is too late. The goal of the person or organisation using ransomware is to extract a benefit from the victim; they will typically demand payment (mainly in cryptocurrency) in exchange for a decryption key which is meant to give back access to the affected data. Hacker groups who target organisations using ransomware function very much like a professional business unit; their intention is not to destroy (unless you don’t pay them) or create fear, but is simply a business plan to generate revenue (an illegal one, nonetheless).

Is it legal to pay a ransom?

It is not illegal per se to pay a ransom. However, there are ethical considerations which one must bear in mind when paying a ransom, and they should be weighed against the benefit of making such payment. The harm which it may cause to a business and to any sensitive information which could be made public should be considered in light of the potential of having funded criminal or terrorist activity, amongst other things.

Businesses will also have to be able to act quickly and lawfully when considering paying a ransom. Listed entities will be required to report to the board of directors and to receive authorisation from them to pay the ransom. As ransom payments are usually made using cryptocurrencies, the ability to draw on liquid assets to purchase cryptocurrency will significantly speed up the process. Further to this, there are exchange control considerations if the ransom amount exceeds ZAR 10 million.

Ensuring that you do your due diligence and obtain proper legal advice and forensic support is essential to making sure that any payments which are made do not create further legal obstacles for victims.

Do I need to inform the Information Regulator?

Whenever a ransomware attack occurs, is it usually the case that personal information has been compromised in some way. POPIA requires businesses to take reasonable organisational and technical measures to protect the integrity and confidentiality of personal information, and to prevent any access, loss, destruction or acquisition of personal information by an unauthorised person (security compromise). Once there are reasonable grounds to suspect that a security compromise (data breach) has occurred, there is an obligation to notify the Regulator and those data subjects whose personal information has been affected under POPIA. These notifications must be made in a specified format and contain specific information for the data subjects to be able to understand how the security compromise may affect them, and what they can do to protect themselves. Whilst there isn’t a specific time frame in which these notifications need to be made, organisations should do so as soon as possible. Failure to report the security compromise may result in administrative fines of up to ZAR 10 million, or further legal action.

Who else do I need to notify?

Organisations operating in regulated industries should also be aware of any sector specific legislation, codes of conduct or guidelines which obliges them to notify the regulatory authorities where there has been a material impact on the organisation. Particularly, businesses operating in the banking and financial sector must notify the appropriate authorities immediately after they become aware of a ransomware incident which may affect their businesses. Once the Cybercrimes Act, 2020 is fully in force, financial institutions and electronic communications service providers must notify the South African Police Service within 72 hours of having become aware that a cyber-offence has been committed. Any ransomware incident will likely result in a number of contraventions of the Cybercrimes Act.

What should I do?

The legal consequences for businesses who are affected by ransomware are far-reaching, and can arise many months after an attack has occurred. Cybercriminals have the advantage of catching their victims unaware and unprepared, as they are often in your system for many months before you become aware of it. Given the prevalence of ransomware attacks, the cybersecurity community considers that it is not a matter of if, but when you will be subject to a ransomware attack. Regardless of whether you find yourself as a victim of a ransomware attack or not, there are things which your organisation should do to mitigate risk and limit the amount of harm which can flow from one of these events:

1. Maintain awareness of the critical networks and data which are crucial to keeping your business operational; ensure that frequent offsite back-ups are made of such data;
2. Implement patches and updates on all third party software or applications as soon as you become aware of them being available;
3. Develop a data retention policy and regularly delete any data which is no longer relevant or necessary to carry out business functions, including personal information and intellectual property, or if necessary to keep that data, silo the information so that it can be kept separate from vulnerable systems;
4. Consider acquiring cyber liability insurance and develop and implement an incident response plan, designate key individuals with clearly defined roles to carry out the plan; and
5. Ensure that you have an alternative or back-up communication method, especially where email availability is affected by the attack.