The impact of the new Cybercrimes Act on businesses

14 July 2021 ,  Nanette Janse van Rensburg 916
“My business operates in the electronic communications sector and I’m a little concerned as to what the new Cybercrimes Act will mean for us and how it can affect my business. Can you shed any light on this?”

You are correct in that the new Cybercrimes Act was signed into law by our President and once the commencement date is proclaimed, it will apply to electronic communications service providers (“ECSPs”) under which your business could potentially fall.

The Cybercrimes Act defines a ECSP as any person who provides an electronic communications service to the public, sections of the public, the State, or the subscribers to such service, under and in accordance with an electronic communications service licence issued to that person in terms of the Electronic Communications Act, 2005, or who is deemed to be licenced or exempted from being licenced as such in terms of that Act; and a person who has lawful authority to control the operation or use of a private electronic communications network used primarily for providing electronic communications services for the owner’s own use and which is exempted from being licensed in terms of the Electronic Communications Act, 2005.

The Cybercrimes Act criminalizes a number of cybercrimes, including unlawful access to data or a computer system, unlawful interception of data, cyber fraud and malicious communications. It affects virtually any person and organisation who uses a computer device and processes data.

The Act has some provisions that overlaps with certain aspects of the Protection of Personal Information Act, 4 of 2013 (“POPIA”). POPIA regulates the manner in which the lawful processing and protection of personal information of both natural and juristic persons should be carried out. Where any personal information is subject to unauthorised access or possession, POPIA outlines the obligations of the lawful holder of such personal information (i.e. the responsible party and/or operator, as defined in POPIA) to take appropriate steps to secure and safeguard the personal information, and if a data breach occurs or is suspected to have occurred, to take reasonable steps to address it, including to report the occurrence to the Information Regulator (the regulatory body established in terms of POPIA to ensure compliance with POPIA). The perpetrators of such unauthorised access or possession of personal information would now be guilty of an offence under the Cybercrimes Act.

Section 54 the Cybercrimes Act imposes similar reporting obligations on ECSP’s and financial institutions who become aware that their electronic communications service or electronic communications network have been involved in the commission of any category or class of offence/s as outlined above. 

Consequently, ECSP’s and financial institutions are obliged to report the unauthorised access of the data/personal information within their possession to both the Information Regulator and the South African Police Service (“SAPS”), respectively. It is important to take note of the particular timelines afforded when reporting such incidents. POPIA mandates that such a data breach must be reported to the Information Regulator and data subject ‘as soon as reasonably possible’, while the Cybercrimes Act specifically mandates that such an offence must be reported to the SAPS ‘not later than 72 hours’ after having become aware of the offence. 

The Cybercrimes Act also provides for mutual assistance in relation to the investigation of cybercrime. ECSP’s or financial institutions who fall victim to a cybercrime or who, for example, have an employee who commits a cybercrime, may be required to work with law enforcement, where applicable, in the investigation of cybercrimes. In certain instances, this may involve the handing over of data and hardware. Such organisations will be obliged to preserve any information that will be of assistance to the investigation. 

Any ECSP’s or financial institutions that fail to comply with such obligations could be found guilty of an offence and be liable on conviction to a fine not exceeding R50,000.

Given the impact for your business, it may be prudent to obtain the help of your attorney or data security specialist to establish the extent to which your business would need to comply with the Cybercrimes Act and to ensure that your business has the necessary policies and procedures in place to comply with your obligations, and that these are also aligned with POPIA.