By Tasneem Gangat, Head: Compliance at Sanlam Retail Affluent
The President of South Africa signed the Cybercrimes Act into law on 3 June 2021. This means that South Africa now has a comprehensive law to regulate cybercrime.
We’re seeing an increase in the number of high-profile cyberattacks in the public and private sectors. These numbers have increased at an alarming rate during the COVID-19 pandemic. This law is needed to protect South Africans and their organisations from harm.
The purpose is to bring SA’s cybersecurity laws in in line with the rest of the world.
Interesting facts and stats
- In 2020, 80% of organisations saw a rise in cyberattacks.
- There is an attempted cyberattack every 28 seconds.
- Damage related to cybercrime is projected to hit $6 trillion annually by 2021.
- Phishing attempts have increased by more than 660% since 1 March 2020.
- Ransomware attacks rose 148% in March 2020.
- South Africa has the third highest number of cybercrime victims worldwide, resulting in a loss of about R2.2 billion each year to cyberattacks, according to the South African Banking Risk Information Centre (SABRIC). We are rated as the 31st worst country when it comes to cybersecurity. (https://www.itweb.co.za/content/5yONPvEg2YkMXWrb)
Data – Electronic representations of information in any form.
Electronic Communications Service Provider (ECSP) – Any person who provides an electronic communications service in terms of an electronic communications service licence, or a person who has lawful authority to control the operation or use of a private electronic communications network used for providing electronic communications services for the owner’s own use.
Cybercrime – “Cybercrime” means illegal acts, the commission of which involves the use of information and communication technologies.
Penalties for non-compliance
Offences - Failure to report; Other offences.
Penalties - R50 000 fine; A fine and/or imprisonment up to 15 years
Plus - Reputational damage; Loss of customers and employees; Failure to attract new customers
It is further interesting to note the impact this Act will have on businesses, especially considering its overlap with the Protection of Personal Information Act 4 of 2013 (POPIA), amongst other regulatory codes and pieces of legislation. POPIA, which deals with personal information, aims to give effect to the right to privacy by protecting persons against the unlawful processing of personal information. One of the conditions for lawful processing in terms of POPIA is security safeguards which prescribe that the integrity and confidentiality of personal information must be secured by a person in control of that information. This is prescribed by POPIA in order to prevent loss, damage or unauthorised access to, or destruction of, personal information. POPIA also creates a reporting duty on persons responsible for processing personal information whereby they must report any unlawful access to personal information (data breach) to the Information Regulator within a reasonable period of time.
What does this mean
The law impacts everyone in South Africa. Depending on your roles (whether you are an ECSP or a financial institution) the Cybercrimes Act might place certain obligations on you and your organisation. The Cybercrimes Act will affect the way we interact with data or use our electronic devices. It has a far-reaching impact and it is important you understand how to deal with this impact.
- This Bill which is now an Act of Parliament and creates offences for and criminalises, amongst others, the disclosure of data messages which are harmful. Examples of such data messages include:
- those which incite violence or damage to property
- those which threaten persons with violence or damage to property
- those which contain an intimate image.
- Other offences include cyber fraud, forgery, extortion and theft of incorporeal property. The unlawful and intentional access of a computer system or computer data storage medium is also considered an offence along with the unlawful interception of, or interference with data.
What needs to be done?
The Act imposes obligations on ECSPs and financial institutions to:
- Furnish a court with certain particulars, which may involve the handing over of data or even hardware;
- Report without undue delay any cyber offences within 72 hours of becoming aware of them;
- Preserve any information that could assist law enforcement in investigating a cybercrime; and
- Financial institutions and ECSPs (or anyone else who is in control of data, networks or computers) must provide technical assistance and “such other assistance as may be reasonably necessary” to law enforcement.
Companies should be cognisant of their practices especially in dealing with data or information. The value of data as an asset cannot be understated. Tim Cook, CEO of Apple, said:
“We shouldn’t ask our customers to make a trade-off between privacy and security. We need to offer them the best of both. Ultimately, protecting someone else’s data protects all of us.”