The revised Cybercrimes and Cybersecurity Bill was tabled in the National Assembly in February 2017. It aims to consolidate various laws in the country which attempt to deal with cybercrime-related issues.
Such crimes remain a growing risk to businesses and individuals: PwC claims cybercrime is the second most reported economic crime affecting organisations. SABRIC states that SA loses R2.2 billion to Internet fraud and phishing attacks annually. The Bill creates new crimes and offences. It makes compliance with information security and requirements pertaining to Protection of Personal Information (“POPI”) even more complex. When enacted, this law will have far-reaching implications for individuals and organisations, particularly those that process data, as well as for banks and electronic communications service providers. Below is a brief overview of the key aspects of the Bill.
In line with international best practice, the Bill criminalises unlawful and intentional conduct relating to accessing, acquiring, using, possessing and storing data, data messages, computer systems and programs, networks and passwords. It creates new crimes of cyber fraud, cyber forgery and cyber uttering. It criminalises malicious communications, namely messages that result in harm to person or property, such as revenge porn or cyber bullying. It augments local jurisdiction so that it applies not only where the crime is committed in SA but also, inter alia, where its effect is felt in the country. The Bill gives the police extensive investigation, search and seizure powers, and an array of penalties applies, including fines and imprisonment, and including various penalties prescribed in terms of the Criminal Procedure Act, 1977.
The Bill provides standard operating procedures to be followed in criminal investigations. Of significance are the onerous obligations imposed on electronic communications service providers and financial institutions not only to assist in the investigation of cybercrimes, but also to report them. Much attention is also given to creating the framework for mutual co-operation between foreign states with respect to the investigation and prosecution of cybercrimes.
Quite firmly within the security cluster, the Bill creates a number of new structures and cross-functional ministerial and departmental responsibilities, all aimed at developing capacity to detect, prevent, apprehend and investigate cybercriminals. The Bill establishes a 24/7 Point of Contact to render assistance with cybercrime incidents and provides for the formation of a Cyber Response Committee to implement policy and initiatives in this domain. A Computer Security Incident Response Team will also be established along with the already functional Cyber Security Hub, which will facilitate co-operation with the private sector on cyber security and facilitate the co-ordination of nodal points in different sectors to receive and distribute incident information.
The Bill provides for the declaration of Critical Information Infrastructure, for example national databases, financial institutions or the stock exchange: essentially anything with which unlawful interference might result in loss, damage, disruption or immobilisation and may prejudice the security of the state.
This Bill is controversial: it raises numerous issues which require debate, such as its (over)reach, possible unintended consequences and effect on other laws such as POPI and RICA. A framework is necessary to combat and prosecute cybercrimes in SA; the question is how much amendment is required to make this an effective one.