An integral aspect of businesses’ data and information protection processes
With the latest cybercrime statistics indicating that cyber-attacks are increasing in 2024 at an unprecedented rate, and with several large institutions having breaches reported this year, cybercrime is not a trifling thing and businesses need to ensure that they are prepared.
South Africa has implemented legislation regarding cybercrimes. Under this legislation, businesses in South Africa are required to notify authorities of certain offences, while they are also empowered to rely on certain legislation to protect and enforce their rights against criminals.
Karl Blom, Mieke Vlok and Senior Associate Inge Swanepoel of Webber Wentzel have given Business Tech Africa their perspectives on this business-critical aspect today.
What the Law Covers:
The Cybercrimes Act 19 of 2020 (the Cybercrimes Act) is the first statute in South Africa to explicitly recognise cybercrimes by creating a new category of criminal offences under South African law. These cybercrimes include:
- the unlawful interception of data;
- the theft of incorporeal property;
- cyber fraud;
- cyber forgery and uttering;
- cyber extortion;
- the unlawful acquisition, possession, provision, receipt or use of a password, access code or similar data or device;
- unlawfully accessing a computer system or computer data storage medium; and
- the unlawful interference with data, a computer program, a computer data storage medium or a computer system.
The Cybercrimes Act also places certain obligations on institutions and corporations to comply with stringent security requirements in managing the data of citizens and employees. Contravention of the Cybercrimes Act may, upon conviction, result in several penalties, including fines and up to 15 years' imprisonment.
Case Study of Implementation
Various key sections of the Cybercrimes Act took effect on 1 December 2021. Businesses are increasingly relying on the Cybercrimes Act to enforce their rights to their proprietary information and data.
Recently, a South African airline exercised its rights under the Cybercrimes Act against a former employee accused of engaging in industrial espionage and misappropriation of the airline’s incorporeal property. The airline filed a complaint in terms of the Cybercrimes Act with the South African Police Service. The airline alleged that the former employee disclosed its confidential information obtained during the employee’s tenure with the airline, to the employee’s new employer without authorisation.
Among other things, the employee was accused of unlawfully disseminating copies of documents containing client revenues, thereby violating the confidentiality and proprietary interests of their former employer.
Specific Timelines and Duties for Business Reporting
Businesses should not only have regard to the protections and possible remedies the Cybercrimes Act offers them, but also to their own obligations under the statute.
Importantly, electronic communications service providers and financial institutions have specific duties in relation to reporting cybercrimes (although these obligations have been suspended until a date to be determined by the President).
In terms of section 54, electronic communications service providers and financial institutions must report any cybercrime involving their electronic communications service or network to the Information Regulator and the South African Police Service within 72 hours of becoming aware of the offence. Any information which may be of assistance to the South African Police Service in conducting their investigation must also be preserved. A failure to comply with these obligations may upon conviction attract a fine of up to ZAR 50 000.
Payment Participants Reporting Obligations
According to a directive published by the South African Reserve Bank (SARB), effective August 2024 participants in the National Payment System also have certain duties in relation to reporting cybercrimes. The directive introduces new cyber-security requirements for payment institutions regulated under the National Payment System Act 78 of 1998, including clearing system participants, settlement system participants, third-party payment providers, system operators, payment clearing house system operators, and the operators of payment system financial market infrastructures.
Notably, payment institutions and operators must report material cyber-incidents to the SARB within 24 hours of the cyber-incident occurring and must submit a report to the SARB containing specified information regarding the cyber-incident within 48 hours of the cyber-incident occurring. Payment institutions and operators are also required to provide ongoing updates to the SARB until the incident is fully resolved. As part of their internal business processes, payment institutions and operators must also ensure that any information-sharing arrangements they enter into comply with the relevant provisions of the Cybercrimes Act relating to the disclosure of information.
Other Reporting Requirements
Other legislation, such as the Financial Intelligence Centre Act 38 of 2001 and the Prevention and Combating of Corrupt Activities Act 12 of 2004, also imposes mandatory reporting obligations, and it is vital that businesses are aware of their obligations to notify authorities of certain events and offences.
An understanding of the legal framework around cybercrimes should form an integral part of businesses' cybercrime preparedness and policies, to ensure that they comply with legislative requirements.