In our previous article, we discussed what cybercrime is and what or who constitutes a cyber-criminal. As a reminder - it isn’t the disgruntled former employee in a hoodie that we imagine plotting away in their parents dark and dank basement. Stereotypical (in the worst kind of way) and wholly inaccurate.
Today’s cyber-criminals are well organised, highly advanced, sophisticated operations formed for the sole purpose of extorting individuals and large corporates for money (or some other favour). They are dangerous, but also highly intelligent criminals.
And the biggest problem – cyber attack occurrences are on the increase. The use of ransomware and malware are becoming an almost everyday occurrence (even if the criminal act is ‘small” in nature). And there doesn’t seem to be any signs of abating.
There are tech solutions – as suggested by AJS - to combat cyber-attacks, with the additional suggestion of using strong passwords and two factor authentication, staying up to date with latest software developments and crucially – backing up data. All relevant. All necessary. But there is still the nagging question – How does the law offer protection?
A great question. One which we have two answers for.
How is our legal system counteracting Cybercrime?
We all know about this act by now. And if you don’t, you really should (get in touch with us should you require any information on POPIA or assistance with the implementation of POPIA).
POPIA requires all organisations that deal with personal information (of whatever nature) to carry out a full risk analysis of its business and systems, to ensure that their cyber-safeguards are of the latest version (and top quality) in order to properly protect the personal information that they may be handling.
Should an organisation not undertake the upgrade or maintenance of their safeguards, they could risk the imposition of a hefty fine. In addition, organisations must be able to confirm that the way they collect, store, and process the private information of their employees and/or clients is done in accordance with POPIA.
Now, you may be asking – how does this combat cyber-crime?
As set out by DataGuidance in 2022 –
“POPIA caused significant disruption across business sectors by requiring specific compliance in terms of data processing and other factors. In the case of POPIA, businesses were advised to make use of a tailored approach to compliance, avoiding box-ticking to ensure substantive compliance…
POPIA is geared towards protecting entities' data and privacy and establishes a set of minimum requirements to process data within South Africa for this purpose. POPIA does not create new cybercrimes but obliges organisations to ensure the integrity of the personal information they process.
POPIA does not create new cybercrimes but obliges organisations to ensure the integrity of the personal information they process.
Section 22 of POPIA requires responsible parties to report data breaches to the Information Regulator, and if beached information makes data subjects identifiable, then data subjects also need to be informed of any breaches”.
And it’s there where we see the benefit of POPIA when it comes to the combatting of cyber-crime or at least – the protection and safeguarding against it.
This then leads us to the next set of Laws which are crucial where cyber-crime is concerned –
The Cybercrimes Act 19 of 2020 (the “Cyber-Crimes Act”)
The Cyber-Crimes Act was signed into law in December 2021 and forms a crucial part of South Africa's growing legislative framework on data management and the safeguarding against cyber-attacks.
According to Control Risks, the Cyber-Crime Act -
“recognises cybercrime as a criminal offence under South African law. The legislation, which is post-incident in nature, defines different types of cybercrimes and provides methods for investigation. It was imperative for South Africa to have clear definitions of cybercrimes in order to effectively regulate and prosecute them. Such crimes include cyber extortion, unlawful access to a computer system or computer data storage medium, cyber fraud, and malicious communications, including unlawful distribution of intimate images.”
The Cyber-Crime Act therefore – as may be obvious - affects all individuals and organisations in South Africa who use the internet for communication or the processing of data. And in today’s times, that includes pretty much everyone.
While a 'cybercrime' is not defined by the Cybercrimes Act, there is a list of actions which would amount to a cybercrime. They are included in Chapter 2, Part I - Cybercrimes (at Sec 2 - Sec 12) and are as follows –
- Unlawful access;
- Unlawful interception of data;
- Unlawful acts in respect of software or hardware tool;
- Unlawful interference with data or computer program;
- Unlawful interference with computer data storage medium or computer system;
- Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device;
- Cyber fraud;
- Cyber forgery and uttering;
- Cyber extortion;
- Aggravated offences, and
- Theft of incorporeal property.
The Cyber-Crimes Act also sets out three actions which could be considered malicious communication (at Sec 14 – Sec 16) –
- Data message which incites damage to property or violence;
- Data message which threatens persons with damage to property or violence, and
- Disclosure of data message of intimate image.
In addition, the Cybercrimes Act (at Sec 18) sets out the competent verdicts and (at Sec 19) appropriate sentencing (arising from the competent verdict).
It’s important to note that the Cyber-Crimes Act extends the ordinary application of jurisdiction. Which makes perfect sense. Because it’s not difficult to understand that jurisdiction and “boarders” may not exist here. And the legislator recognises that.
Offences can and have been carried out beyond the borders of South Africa – the cyber realm essentially considered to be borderless – instead the Cyber-Crimes Act recognises any acts amounting to a cybercrime, which is targeted at South Africa, and is therefore deemed to have been committed in South Africa. Should the offender be found in South Africa or extradited to South Africa, Section 24 of the Cybercrimes Act will apply –
“(2) Any act alleged to constitute an offence referred to in Part I or Part II of Chapter 2 and which is committed outside the Republic by a person other than a person contemplated in subsection (1), must, regardless of whether or not the act constitutes an offence at the place of its commission, be deemed to have been committed in the Republic if—
(a) that person is extradited to the Republic; or
(b) that person—
(i) is found to be in the Republic; and
(ii) is for one or other reason not extradited by the Republic or if there is no application to extradite the person”.
The Cybercrimes Act gives a rather large berth to authorities in order for them to respond to the potential infringements of a South African citizen, resident or person who carries on business in South Africa, especially where their personal and/or private information and data security is concerned.
Importantly, and according to Data Guidance -
“the Cybercrimes Act has a significant impact on the operations of financial institutions ('FIs') and Electronic Communications Service Providers ('ECSPs') as both are required to report specific offences to the South African Police Services within 72 hours after becoming aware of the offence or they themselves commit an offence and face a fine of up to ZAR 50,000 (approx. €2,990). Nevertheless, any fine awarded to FIs and ECSPs does not consider the potential reputational damage which the firms may experience due to non-compliance. Accordingly, the following portion of this article considers approaches towards compliance”.
The importance of the Cyber-Crimes Act cannot be underestimated. But it is equally important to remember how it interacts with POPIA.
You see, the Cybercrimes Act is linked to POPIA, which safeguards the integrity and sensitivity of personal and private information. Why you may ask? It’s simple – when there is a cybercrime investigation, experts will often require access to information from an organisation and/or private person’s devices to give context to a matter they are investigating. This can and usually does include personal information. And as we know – anything that has to do with personal information is dealt with under POPIA.
POPIA must therefore be considered when undertaking any investigation under the Cyber-Crimes Act to avoid any legal repercussions that may arise.
While POPIA and the Cyber-Crimes Act have provided a lengthily safeguard against cyber-crime in South Africa, it must be remembered that cyber-crime is an ever-evolving monster and as such, our law may need to be continually developed in order to ensure that cyber-attacks remain at a minimum.
If you have any questions on the information we have set out above or have a personal issue which you want to discuss with us, please don’t hesitate to contact us at NVDB Attorneys.
We are a law firm that considers honesty to be core to our business. We are a law firm that will provide you with clear advice and smart strategies - always keeping your best interests at heart!