By Jennifer Finnigan, Head of Competition Law, Partner in the Corporate & Commercial Law department
Cybercrime is on the increase, not only abroad but also in South Africa. This includes data kidnapping and data ransom demands. According to a report by McAfee, cybercrime is estimated to cost South African companies more than R5.8 billion a year. According to Santam, it takes approximately 200 days for a South African company to identify an online security breach.
When the rest of the Protection of Personal Information Act 2013 (POPI) comes into force, any firm which processes (a concept which is really widely defined by POPI) will have to carry out a risk analysis of its business and systems which deal with personal information. They also have to establish or upgrade their cyber safeguards to protect personal information. POPI imposes hefty fines on firms who don’t comply. Earlier this year the Department of Justice published an update of the 2016 Cybercrimes and Cybersecurity Bill. The Bill has now been tabled before Parliament.
The Bill aims to:
• define cybercrime offences and prescribe penalties;
• regulate jurisdiction and powers to investigate‚ search and gain access to or seize items;
• regulate aspects of evidence;
• regulate aspects of international co-operation in relation to cybercrime investigations;
• identify and declare national critical information infrastructures and ways to protect these; and
• impose obligations on electronic communications service providers relating to cyber security.
The 2016 draft bill was long, convoluted, repetitive, draconian and ignored the fact that many of the offences which it purported to create already existed. The 2017 Bill is shorter and acknowledges the existing laws within which it will operate. For example, Chapter 6 of the 2016 draft dealt with “Structures to Deal with Cyber Security” and provided for the creation of 7 cyber security related entities. The 2017 draft also provides for sector specific nodes to be created but does so in 9 as opposed to 30 pages. The new draft Bill is more practical. It strays into social media territory making the incitement of property damage or violence and the publication of intimate images a criminal offence.
The 2017 Bill also deals with the thorny issue of extraterritorial jurisdiction. Offences involving computers can be carried out at a location which is physically far from the place where the actual offence takes place. The 2017 Bill recognizes this and gives the South African authorities jurisdiction over anyone who is a South African citizen, permanent resident or who carries on the business in South Africa and commits a cybercrime as well as deeming any cybercrime aimed at South Africa to be committed in South Africa.
The 2016 draft obliged electronic communications service providers to take reasonable steps to inform clients of cybercrime trends, establish procedures for them to report cybercrimes and educate clients on cybercrime countermeasures. These provisions have been removed from the 2017 Bill but each sector has to establish a nodal point at its cost which is obliged to carry out similar functions. Notably, compliance with the Bill in terms of reporting, participation in nodal points and auditing is largely at the expense of the owner of the relevant information system. The maximum fine levied for failing to timeously report an cyber security breach and failing to preserve information is now capped at R50,000.00, as opposed to R10,000.00 per day from the time a firm became aware of an incident until that breach is reported.
In the 2016 Bill the State Security Agency played a prominent role in controlling critical information infrastructures. That remains unchanged. The other uncomfortable feature of the 2016 Bill which has been retained in the 2017 Bill is that information sharing between regulatory agencies arising from the use by authorities of their extensive search and seizure powers in terms of the 2017 Bill is expressly permitted.
While we all acknowledge that appropriate legislation to curb cybercrime is desperately needed in an age where hacking, unlawful interception of data, ransomware, cyber forgery, uttering and cyber extortion (all offences under the 2017 Bill) are experienced by South Africans on a daily basis, the 2017 Bill still has some uncomfortable features which may well be subjected to Constitutional scrutiny.
For more information on the above, or for compliance advice, please contact:
Head of Competition Law
Corporate & Commercial department
+27 82 499 0522