Cybercrimes continue to escalate globally and South Africa is not immune to this scourge. Currently there is no regulation in place that deals with the issue of cybercrimes but on 2 September the South African government issued a 128-page draft Cybercrimes and Cybersecurity Bill for public comment. The aim of the bill is to combat cybercrime by implementing legislation in line with international standards.
What does the cybersecurity bill focus on?
- Criminalising illegal access to, and interception of, data, including personal and financial information
- Giving authorities the right to thorough investigation, search, access and/or confiscation
- Imposing responsibilities on electronic communications service providers regarding aspects that may affect cybersecurity
- Regulating jurisdiction of the courts, particularly with regard to cross-border offences
The proposed Bill has a very broad definition of an electronic communications service provider (ECSP), including “(a) a licensee or deemed licensee in terms of Electronic Communications and Transactions Act; (b) a ‘financial institution’ in terms of the Financial Service Board Act; or (c) any person or entity who or which transmits, receives, processes or stores data […] of any other person”.
This will impact cyber activities in IT and communications, retail, banking and financial sectors, among others. The consequences of such a wide definition may become problematic considering the obligations imposed on ECSPs by the bill.
Clause 64 of the bill provides that an ECSP must:
- Take reasonable steps to inform its clients of cybercrime trends which affect or may affect them.
- Establish procedures for its clients to report cybercrimes and inform its clients of measures which can be taken in order to safeguard themselves against cybercrimes.
- Immediately report to the National Cybercrime Centre if it becomes aware that its computer network or electronic communications network is being used to commit a cybercrime.
- Preserve any information which may be of assistance to the law enforcement agencies in investigating the offence.
An ECSP's failure to comply constitutes an offence, which is punishable with a fine of R10 000 for each day of non-compliance.
The bill has therefore been criticised for not being practical enough, nor taking into account the dynamic nature of cybercrime.
Furthermore, there is a concern that the South African Police Service and the State Security Agency will be given excessive authority, which could possibly lead to abuse of power. Although it makes sense for electronic service providers to be responsible for keeping their customers updated about cybercrime activities, the bill is unclear about how often this needs to happen and what communication method should be used. Electronic service providers also feel that this requirement in the draft bill will lead to additional expenses.
How will the cybersecurity bill affect large businesses?
The current draft of the bill allows authorities to be dictatorial in the sense that data can be accessed and seized without a warrant. For large businesses this means increasing difficulty in protecting their data, and can be considered a violation of constitutional rights and privacy. The South African government will need to adopt a more co-operative approach with businesses to address these issues, but the bill has nevertheless been welcomed by security experts who believe it is ‘long overdue’.