Introduction
The partial commencement of the new Cybercrimes Act 19 of 2020 (“Act”) on 1 December 2021 brings a sigh of relief to internet users, as it aims to combat and prosecute cybercrime. South Africa is heavily targeted by cybercriminals due to its lack of infrastructure, security, legislation, enforcement, and understanding of online security. Legal authorities and the judiciary will now have more concrete legal grounds on which to investigate and prosecute cybercrimes than ever before.
However, it remains to be seen how the Act will be interpreted and applied, especially considering its interrelation with the Protection of Personal Information Act 4 of 2013 (“PoPIA”). What is clear is that the Act bolsters the position of PoPIA and creates different forms of liability under each piece of legislation for the same data breach.
The Act casts a wide net over activities involving data, computers, networks and electronic communications. Significant progress has been made in criminalising certain online conduct, such as distributing intimate images (better known as ‘revenge porn’) and inciting or threatening violence or damage to property. Another form of cybercrime is being in possession of, or using, someone else’s access codes or passwords to gain access to unauthorised information, where no exculpatory explanation can be provided.
It is vital for companies to understand the impact of the Act and its interplay with PoPIA, as a company may have obligations under both, but to varying degrees. It is quite possible that a single event can trigger both pieces of legislation and a company will be required to act within varying timeframes that run concurrently. The Act also imposes additional obligations on certain institutions such as financial institutions and electronic communications service providers.
What follows is a brief overview of how various companies and institutions are affected by the Act:
Financial institutions and Electronic Communications Service Providers
The Act imposes a specific duty on financial institutions and electronic communications service providers (such as internet service providers, telecommunications network operators, etc.) to report any cybercrime that they become aware of to the South African Police Service within 72 hours, and to assist the police (at the institution’s cost) by preserving any evidence in relation to the cybercrime. Failing to do so will result in a fine of R50 000 being imposed on these institutions. Notably, these obligations do not apply to the Financial Sector Conduct Authority or the Reserve Bank.
These institutions are, however, not obligated to implement internal systems and controls to detect and prevent cybercrimes, but merely to report a cybercrime as soon as they become aware of it. Needless to say, as cybercrimes often go, it may already be too late by the time an institution becomes aware of an incident, as attackers ordinarily remain inside compromised systems undetected for extended periods without leaving a trace.
Depending on the level of cybersecurity, an institution may only become aware of the attack at the final stage, when a ransom is demanded or a system or network is taken offline or captured, which may take place long after the initial intrusion.
It is clear that stronger support is given to the documentation, record retention, and reporting practices set out in PoPIA, to assist the authorities in combatting cybercrime. It goes without saying that, although the Act does not require these institutions to monitor their data for cybercrime or to actively seek out such unlawful activity, the consequences of not doing so could be devastating to the institution, especially when one considers the potential reputational harm.
Similarly, the Act criminalises the possession or use of access codes to restricted computer systems used by financial institutions. Training and awareness on the impact of the Act will be an unquestionable necessity.
Other companies and institutions
It will be vital for a company to understand the various types of conduct that constitute cybercrimes under the Act, and accordingly to adapt its internal policies, codes of conduct, and controls to guard against them and to provide sufficient training to personnel to create awareness.
Below is a brief overview of offences and penalties created by the Act, which companies and institutions should take into account:
A large focus will be placed on effective record keeping in order to assist the authorities with evidence in relation to the cybercrime, as well as on preserving such information. Notably, no person or company (other than financial institutions and electronic communications service providers) is obligated in terms of the Act to report the occurrence of a cybercrime or data breach to the authorities. However, such a data breach could involve personal information, which will trigger reporting obligations under PoPIA.
Point of contact
The Act leaves it to the National Commissioner of the Police Service to establish a unit or point of contact, with sufficient human and operational resources and training, to detect, prevent and investigate cybercrimes. The purpose of this point of contact is, amongst others, to provide technical and legal advice and assistance, and to assist with locating a suspect or article.
Any person or company that has fallen victim to a cybercrime, or that can provide information relating to a cybercrime, can approach the designated point of contact for assistance. How this will be dealt with is yet to be determined by way of published regulations.
Conclusion
The Cybercrimes Act is still in its infancy and only partially operational. However, the message is clear: South Africa has taken yet another giant leap forward in aligning itself with international convention on cybersecurity and the protection of information. Companies should take the decision now to follow suit and build the Act’s requirements into their reporting structures whilst also attending to their PoPIA compliance. Considering the intertwined relationship between the Act and PoPIA, a company would be remiss not to implement both simultaneously, especially taking into account the risk of dual liability.
Author: Rudi Byleveld