30 March 2020 by Cliffe Dekker Hofmeyr Technology, Media & Telecommunications

COVID-19: Cyber security concerns

Does your company have an information security or similar policy in place?

We advise all organisations to review their information security policies and to educate employees on best practice. Of particular relevance in the present circumstances should be organisations’ incident response plans and how the organisation will react in the case of a data breach or cyber-attack. Policies should outline practical steps which employees can take in the event of an alleged or actual data breach or cyber attack, including who to contact and the contact details of that person(s), the procedure for escalation and how to minimise losses.

We recommend that organisations circulate their incident response plans and information security policies to employees and draw attention to the relevant provisions to ensure employees are familiar with the steps to follow. To the extent that an organisation does not have a policy or response plan in place, we recommend drafting basic guidelines which are specific to the current challenges posed by COVID-19 and which addresses the most pressing and important risks which may arise, and circulating this as soon as possible.

Organisations should actively monitor the relevant regulatory authorities for updates or changes regarding COVID-19 and ensure that their policies and plans are updated to align with the latest official rules or recommendations from credible institutions such as the Centre for Disease Control and Prevention, the relevant government authority or the World Health Organisation. This may include updates to the number of days an employee should self-quarantine if they have potentially been exposed to COVID-19, the number of persons that may congregate at the office at the same time, or the manner in which COVID-19 is transmitted.

Oh no, I was phished! What can I do?

You should immediately report any fraudulent activity to your IT department and change all of your passwords and restart
your computer.

If you are worried that you or your business are at risk as a result of the phishing incident or someone has hacked into your system or is holding some of your data ransom, you should report this to the South African Police Services and ask them to open up an investigation. You should work with your company and consider hiring an IT security company or private investigator that specialises in cybercrime investigations to assist you.

Phishing, hacking, identity fraud and computer-related extortion are currently offences under sections 86 and 87 of the Electronic Communications and Transactions Act 25 of 2002. A person found guilty of these offences faces a fine or imprisonment of up to 5 years. A fraudster can also be tried for fraud and theft under the common law.

If you are able to locate the perpetrator, you can also bring a delictual claim against them and receive monetary compensation for any financial losses suffered. You can also bring an interdict against the perpetrator to prevent them from sharing any of your data and get them to return data that is in their possession to you.

Can I be held liable for distributing ‘fake news’ about COVID-19?

The publication and dissemination of ‘fake news’ in South Africa is not generally prohibited but new regulations published under the Disaster Management Act, 2002 on 18 March 2020 regarding COVID-19 state that “any person who publishes any statement, through any medium, including social media, with the intention to deceive any other person about (a) COVID-19; (b) COVID-19 infection status of any person; or (c) any measure taken by the Government to address COVID-19, commits an offence and is liable on conviction to a fine or imprisonment for a period not exceeding six months, or both such fine and imprisonment.”

The intention of the regulation is to avoid the malicious spreading of false news and unnecessarily creating panic in the public. The public should critically review information it receives about COVID-19 and the source of such information. The above quoted regulation is limited to the publishing of any statement regarding COVID-19 and not generally to ‘fake news’ (in the colloquial understood sense).

When sharing information regarding COVID-19 on social media, it is imperative to ensure that this information is obtained from accredited institutions such as official government channels of communication, medical journals, the World Health Organisation or the Center for Disease Control and Prevention.

To quote the director-general of the World Health Organisation, Tedros Adhanom Ghebreyesus, “We’re not just fighting an epidemic; we’re fighting an infodemic. Fake news spreads faster and more easily than this virus, and it [is] just as dangerous”.

download PDF

The information and material published on this website is provided for general purposes only and does not constitute legal advice.

We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter.

We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.

Please refer to the full terms and conditions on the website.

Copyright © 2020 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com

You may also be interested in