The Information Regulator issued an enforcement notice to Dis-Chem Pharmacies for non-compliance with the Protection of Personal Information Act (POPIA). In April 2022, an unauthorised party gained access to the records of more than 3 million data subjects from Dis-Chem's database. The regulator found that Dis-Chem had breached several provisions of POPIA. Although Dis-Chem reported the breach to the regulator, it did not notify the affected data subjects of the security compromise.

Dis-Chem enforcement notice orders

In the enforcement notice, the regulator ordered Dis-Chem to take the following actions:

  1. Conduct a personal information impact assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information (Regulation 4(1)(b) of the POPIA Regulations).
  2. Implement an adequate incident response plan.
  3. Implement the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a vulnerability management programme, implementing strong access control measures and maintaining an information security policy.
  4. Conclude written contracts with all operators who process personal information on its behalf (operator agreements). The contracts must oblige operators to establish and maintain security measures that are the same as or better than Dis-Chem's own (section 19 of POPIA). Operator agreements are called data processing agreements in most parts of the world.
  5. Develop, implement, monitor and maintain a POPIA compliance framework in terms of Regulation 4(1)(a) of the POPIA Regulations (a data protection compliance framework) that clearly provides for the reporting obligations of Dis-Chem and all its operators under section 22 of POPIA.

The Michalsons data protection programme (which includes the POPIA lens) empowers its members to take all these actions effectively.

Timeline to comply

The regulator gave Dis-Chem 31 days to comply with the orders in the enforcement notice, which means Dis-Chem must implement the above orders by 2 October 2023. Failure to comply with an enforcement notice is an offence, punishable by a fine of up to R10 million, imprisonment, or both.

Regulator’s findings

The regulator conducted an own-initiative assessment of the security compromise because Dis-Chem failed to notify data subjects about it. The regulator found that Dis-Chem did not:

  • identify the risk of weak passwords being used and prevent their use.
  • put adequate measures in place to monitor and detect unlawful access to its environment.
  • conclude an operator agreement with Grapevine or ensure that Grapevine had adequate security measures in place to protect personal information. Such an agreement would also have set out how Grapevine must report a security compromise to Dis-Chem.
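The first finding is a control failure that is cheap to prevent at account creation. The following is an added example, not code from Dis-Chem, Grapevine or the regulator: a password screen in the style of NIST SP 800-63B that rejects short passwords, passwords found on a breached/common-password blocklist (including leet-speak and trailing-digit variants), and passwords containing context-specific words or the username. The blocklist, the context words and the length thresholds are constructed for the example and would be replaced by a real breach corpus and deployment-specific values in practice.

```python
"""Added example: a NIST SP 800-63B style password screen.

This is illustrative code, not the code of any party named on this page.
The blocklist and context words are constructed for the example.
"""
from __future__ import annotations

# Constructed sample of a breached/common-password blocklist. A real
# deployment would load a large breach corpus rather than this handful.
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "letmein",
    "admin", "welcome1", "iloveyou", "abc123",
}

# Words an attacker would guess first for this particular deployment
# (assumed values for the example).
CONTEXT_WORDS = ("dischem", "pharmacy", "grapevine")

MIN_LENGTH = 8      # 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64     # allow passphrases; cap only to bound hashing cost

# Common leet substitutions, undone so "P@ssw0rd" is compared as "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "!": "i"})


def candidates(pw: str) -> set[str]:
    """Forms of the password compared against the blocklist."""
    low = pw.lower()
    leet = low.translate(_LEET)
    digits = "0123456789"
    return {low, leet, low.rstrip(digits), leet.rstrip(digits)}


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    forms = candidates(pw)
    if forms & BLOCKLIST:
        reasons.append("appears in breached/common-password blocklist")

    low = pw.lower()
    for word in CONTEXT_WORDS:
        if word in low:
            reasons.append(f"contains context-specific word '{word}'")

    if username and len(username) >= 3 and username.lower() in low:
        reasons.append("contains the username")

    # "aaaaaaaa" or "ababababab": long enough but trivially guessable.
    if len(set(low)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


def is_acceptable(pw: str, username: str = "") -> bool:
    return not check_password(pw, username)


if __name__ == "__main__":
    for sample in ("P@ssw0rd", "Dischem2023!", "correct horse battery staple"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```

The check rejects on the normalised forms only, so the policy does not need composition rules (mandatory symbols or digits) that push users toward predictable patterns; length and a blocklist comparison do most of the work, and the result is returned as a list of reasons so the registration flow can tell the user exactly why a choice was refused.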

What we can learn from this Dis-Chem enforcement notice

Have an incident response plan in place

In August 2023, our research into data breaches and cybercrime identified South Africa as the number one hotspot for data breaches. A data breach can severely impact your business and cause major disruption to your operations; it can damage your customer relationships, your brand and your goodwill. Data security is a growing business issue. You need a robust incident response plan in place so that a breach does not bring your operations to a halt. It is too late to draft the plan once an incident has occurred: everyone must already know what to do when one happens.

Good IT governance

Good IT governance is key to ensuring business continuity. Having a sound IT risk management plan in place can help you identify vulnerabilities in your systems so that you can protect confidential and sensitive information from harm.

Data Processing Agreements

If a party processes personal data for or on behalf of another, the two must sign a data processing agreement (DPA). Data protection laws require DPAs in certain circumstances and impose severe penalties where they are not in place. Learn more about data processing agreements and get generic templates by joining our data protection programme.

Actions you can take regarding the Dis-Chem enforcement notice

To avoid receiving a similar enforcement notice, responsible parties should: