Cyber-related incidents such as cybercrimes, IT-related failures and data breaches have been rated as the number one risk to South African businesses according to the 2018 Allianz Risk Barometer report. South Africa is further a top target for cybercrime in Africa because of its high internet connectivity rates, attractive GDP per capita and poor levels of cyber security (especially in business).
At present, the legal framework relating to cybercrime in South Africa is a hybrid of different pieces of legislation and the common law, which has not kept up with the dynamic nature of technology and international standards. This prompted the need for the Cybercrimes Bill, which will, inter alia, consolidate and codify numerous existing offences relating to cybercrime as well as create a variety of new offences which do not currently exist in South African law.
Old Bill vs New Bill
It is important to note that the version of the Cybercrimes Bill which was passed by the National Assembly in November 2018 (New Bill) differs quite substantially from the versions of the Bill published previously (Old Bill).
The Old Bill was divided broadly into two parts, namely cybercrimes and cybersecurity. The cybercrimes section, bar a few criticisms, was lauded; however, it was the proposed cybersecurity section which raised very serious concerns about the government’s encroachment on freedom of expression and freedom of the internet. It was argued that the Bill’s approach did not strike the right balance between the interest of the State in securing cyberspace and individual freedoms and rights.
However, given the urgent need for legislation that comprehensively criminalises cybercrime, the Portfolio Committee on Justice and Correctional Services has decided to strip out all clauses in the Bill pertaining to cybersecurity and to proceed only with cyber-related crimes.
What are the key clauses to watch for in the New Bill?
The New Bill now specifically only deals with offences relating to cybercrimes, jurisdiction of the courts, powers of investigation, search, seizure and access, evidence gathering, the establishment of a designated point of contact, reporting obligations and penalties.
Some of the key clauses relate to:
- the new offences which have been created under the Bill (which were previously difficult to prosecute) such as the distribution of a data message of an intimate image (often referred to as the “revenge-porn” offence), the infringement of copyright (through the use of “peer-to-peer” sharing), offences relating to malicious communications by disseminating a data message which advocates, promotes or incites hate, discrimination or violence against a person or group of persons;
- the jurisdiction clauses which are more extensive and allow for South African courts to have extraterritorial jurisdiction even where offences are committed outside of South Africa (in certain instances);
- the penalty provisions which provide for a maximum penalty (depending on the offence) of up to 15 years' imprisonment or to both a fine and imprisonment; and
- the obligations placed on electronic communications service providers and financial institutions which become aware that their computer systems were involved in the commission of an offence to report the offence to SAPS in the prescribed form within 72 hours and to preserve any evidence related to the offence.
It is important to note that once the Cybercrimes Bill is in effect, it will repeal the relevant provisions in the Electronic Communications and Transactions Act, No 25 of 2002 relating to cybercrime offences.
What are their implications for businesses?
With regard to the reporting and preservation of evidence requirements placed on electronic communications service providers and financial institutions, failure to comply with the Bill will render such a business liable for an offence and a fine of up to R50,000. These obligations may also result in increased costs and losses to companies in the event of a cybercrime occurring. If computer equipment is confiscated or seized by the relevant authority to investigate a crime or preserve evidence (rendering it inaccessible for long periods of time), it will also result in an increased cost to business and may result in business interruption.
Trend Micro released a report in December 2018 outlining its security predictions for 2019 (Trend Micro Report). The Trend Micro Report predicts that the biggest trends expected to have an impact on technology and security are:
- the advances in artificial intelligence and machine learning brought about by the ever-growing volume of data that can be processed and analysed;
- the continued adoption of cloud computing by enterprises the world over; and
- the developments in smart devices, homes and factories.
Further, the Trend Micro Report notes that 2019 will be an important year for political developments including Brexit and national elections in several countries, including South Africa. These technological and socio-political changes are predicted to have a direct impact on security issues in 2019.
In this regard, the Cybercrimes Bill and the global trend of increased cyber regulations may be the impetus for companies to consider cyber risk insurance cover to preserve their economic welfare. Businesses should therefore start prioritising information security and assessing their levels of risk and exposure.
In particular, businesses should consider formulating a cyber incident response plan which includes establishing notification and escalation procedures when a cyber incident occurs, formulating a PR strategy in the event of an incident, establishing evidence gathering guidelines, and a stakeholder notification procedure (including any regulatory authorities).
It is also worth noting that the final Regulations to the Protection of Personal Information Act (POPI) were published in December 2018. These will come into force once the commencement date of POPI has been proclaimed by the President.
The fact that the legislature has taken active steps towards prioritising these pieces of legislation is a positive development and it remains to be seen whether we will see the Cybercrimes Bill and POPI being enacted during the current legislature’s tenure. Businesses should therefore start adopting a pro-active approach to compliance and implement a risk management framework to ensure they are adequately prepared in the event of a cyber-attack. This includes prioritising the security of their data and IT systems.