The revised Cybercrimes and Cybersecurity Bill was tabled in the National Assembly in February. It aims to consolidate silo-styled laws that attempt to deal with cybercrime.
The size, scale and pace of cybercrime as a growing global risk to business and individuals is immense. Describing it as “a boundless threat”, PwC’s 2016 Global Economic Crime Survey pegs it as the second-most reported economic crime affecting organisations.
The SA Banking Risk Information Centre estimates that the country loses R2.2 billion to internet fraud and phishing attacks annually.
Cisco has warned that the global cost could reach $6 trillion (R80 trillion) by 2021.
Various countries have either enacted or are in the process of enacting laws to harmonise policies and legal frameworks, and to strengthen cross-border co-operation and enforcement. South Africa is no exception.
The bill has followed an arguably poor first draft in 2015 which followed from the country’s publication of a National Cybersecurity Policy Framework.
In line with international best practice, the bill criminalises unlawful and intentional conduct relating to accessing, acquiring, using, possessing and storing, data, data messages, computer systems and programs, networks and passwords. It creates new crimes of cyber fraud, cyber forgery and cyber uttering. It criminalises malicious communications - namely messages that result in harm to person or property, such as revenge porn or cyber bullying. It augments jurisdiction where the crime is not only committed in South Africa, but if the effect of it is felt in the country.
The bill gives police extensive investigation, search and seizure powers. Provision is made for penalties including fines and imprisonment.
Of particular significance are the onerous obligations imposed on electronic communications service providers and financial institutions to assist in investigations and to report crime. Much attention is also given to creating the framework for mutual co-operation between foreign states.
The bill creates new structures and cross-functional ministerial and departmental responsibilities aimed at developing capacity to detect, prevent, apprehend and investigate cybercriminals. It establishes a 24/7 point of contact to render assistance and the formation of a cyber response committee to implement policy and initiatives.
Read also: Cybercrime: 8.8m SAfricans victim in 2015
A computer security incident response team will also be established along with the already functional Cyber Security Hub, which seeks to facilitate co-operation with the private sector on security.
The bill provides for the declaration of Critical Information Infrastructure such as national databases, financial institutions or the stock exchange - essentially anything with which illegal interference might result in loss, damage, disruption or immobilisation and may prejudice the security of the state.
This bill is controversial. It makes compliance with information security and requirements pertaining to Protection of Personal Information (“Popi”), which itself is in a nascent phase, even more complex.
When enacted, this law will have far-reaching implications for individuals and organisations, particularly those that process data, as well as for banks or electronic communications service providers.
It is required but raises issues which require extensive debate such as its reach, possible unintended consequences and effect on other laws such as Popi.
The question is: how much amendment is required to make this an effective one.
Cohen is a director in Cliffe Dekker Hofmeyr’s Convergence and New Media practice. Njugana is a senior associate in Cliffe Dekker Hofmeyr’s Dispute Resolution practice, specialising in convergence and new media.