With the general elections set to be held on 29 May 2024, the last thing South Africans want to hear is details of a security compromise at the IEC. The Information Regulator, on the other hand, is in need of more information.
What are the details of the IEC Security Compromise?
On 11 March the Information Regulator of South Africa confirmed it had received two notifications from the IEC regarding a security compromise. The breach concerned the unlawful release of the 2024 candidate lists for the ANC and Umkhonto we Sizwe Party respectively.
The Information Regulator issued an Information Notice to the IEC seeking further information, as the IEC had not provided sufficient details of the incidents.
On 26 March, following an assessment of the information obtained from the IEC, it was announced that the Information Regulator had decided to proceed with a full investigation of the security compromise.
So, what was missing?
Part of the IEC’s non-compliance stemmed from failing to provide all necessary information to the Regulator. As a result, the Regulator asked that the IEC furnish it with the missing information. Ultimately, it is critical that all information is provided to the Regulator so it can respond swiftly and appropriately.
Understanding what the IEC missed is vital so your organisation does not make the same mistakes. The missing information required by the regulator included:
- proof that the IEC published a notice of the security compromise on its website,
- proof of notification to the affected parties,
- confirmation of the number of data subjects impacted by the security compromise,
- provision of sufficient information to allow the data subjects to take protective measures against the potential consequences of the compromise,
- details as to how the unauthorised person accessed the personal information of data subjects, and
- details as to the measures that the IEC has implemented to mitigate against the risk of the affected data subjects’ personal information being unlawfully accessed and/or unlawfully processed.
Reporting a security compromise correctly
Where there are reasonable grounds to believe that there has been a breach, POPIA requires that you take various actions like notifying the Regulator, and the affected data subjects.
There are also procedural requirements, such as sending the notification to the Regulator by email in the prescribed form, as soon as possible after the responsible party becomes aware of the unauthorised access. As a general rule, this means the notification must be sent within 72 hours of the responsible party becoming aware of the unauthorised access.
The responsible party must also notify the affected data subjects in writing. How the responsible party makes the notification depends on the security incident and the surrounding circumstances. It can be done by:
- mail to the data subject’s last known postal address,
- email,
- publication on the responsible party’s website, or
- publication in the news media.
The most important aspect of the notification is to provide sufficient information to the data subject. This allows data subjects to take protective measures against the consequences of the compromise and to mitigate as much harm as possible. The notification should therefore describe the measures the responsible party intends to take, and the measures the data subjects themselves should take in response to the compromise, such as changing their passwords.
Notifications to the regulator must be done correctly. These requirements are important, not only for safeguarding the information of data subjects but also for aiding the regulator in assessing the compliance of entities with POPIA.
Actions to take
- Learn more about what the regulator requires by reading their statement and section 22 of POPIA.
- Log a security compromise quickly and efficiently by asking us to draft a security compromise report.
- Notify the data subject and the information regulator sufficiently and compliantly by asking us to assist.
- Manage and resolve disputes with, and handle investigations of, the Regulator by asking us to assist.
- Empower yourself to properly manage and resolve disputes with the regulator by joining the data protection programme and working through three key modules: securing information, responding to incidents and data breach case studies.