The Select Committee on Security and Justice has invited members of the public to submit comments on the incoming Cybercrimes Bill.
According to Fatima Ameer-Mia, a senior associate at Cliffe Dekker Hofmeyr, this version of the Cybercrimes Bill – which was passed by the National Assembly in November 2018 – differs quite substantially from the versions of the bill published previously.
“The old bill was divided broadly into two parts, namely cyber crimes and cybersecurity,” she said.
“The cyber crimes section, bar a few criticisms, was lauded – however, it was the proposed cybersecurity section which raised very serious concerns about the government’s encroachment on freedom of expression and freedom of the internet.”
She added that the bill’s approach did not strike the right balance between the interest of the state in securing cyberspace, and individual freedoms and rights.
“However, given the urgent need for legislation that comprehensively criminalises cybercrime, the Portfolio Committee on Justice and Correctional Services have decided to strip out all clauses in the bill pertaining to cybersecurity and to proceed only with cyber-related crimes.”
According to Ameer-Mia, the new bill now specifically only deals with offences relating to cyber crimes, jurisdiction of the courts, powers of investigation, search, seizure and access, evidence gathering, the establishment of a designated point of contact, reporting obligations and penalties.
Some of the key clauses relate to:
- The new offences which have been created under the bill, such as the distribution of a data message of an intimate image (often referred to as the ‘revenge-porn’ offence), the infringement of copyright (through the use of ‘peer-to-peer’ sharing), offences relating to malicious communications by disseminating a data message which advocates, promotes or incites hate, discrimination or violence against a person or group of persons;
- The jurisdiction clauses which are more extensive and allow for South African courts to have extraterritorial jurisdiction even where offences are committed outside of South Africa (in certain instances);
- The penalty provisions which provide for a maximum penalty (depending on the offence) of up to 15 years imprisonment or to both a fine and imprisonment;
- The obligations placed on electronic communications service providers and financial institutions which become aware that its computer system was involved in the commission of an offence to within 72 hours report the offence in the prescribed form to SAPS and preserve any evidence related to the offence.
Copyright and piracy
One stand out offence in the new bill is copyright infringement and piracy.
Speaking to BusinessTech, Ameer-Mia said that the new bill has been structured to primarily focus on cyber crimes.
“Basically if it is a cyber offence – which copyright infringement is – then the obligation on electronic communications service providers, including notification and obligation to report will apply,” she said.
The copyright infringement is covered in the bill under the theft of incorporeal property – which is effectively pirating, she said.
“It is unlikely that these companies would proactively hand over information, but if a cybercrime or one of these offences become public then I think for reputational reasons they will have to comply. The issue is that there is that obligation on the company.”
Ameer-Mia added that the legislation clearly sets out these reporting obligations.
“Once they become aware of it then they have a duty to report it to SAPS and have a duty to any preserve any information which may be of assistance to the law enforcement agencies in investigating the offence,” she said.
“This reporting must be done without undue delay and, where feasible, not later than 72 hours after they become aware of the offence”.
Implications for business
With regards to the reporting and preservation of evidence requirements placed on electronic communications service providers and financial institutions, failure to comply with the bill will render such business liable for an offence and fine up to R50,000, said Ameer-Mia.
“These obligations may also result in increased costs and losses to companies in the event of a cyber crime occurring,”she said.
“If computer equipment is confiscated or seized (for long periods of time rendering them inaccessible) by the relevant authority to investigate a crime or preserve evidence, it will also result in an increased cost to business and may result in business interruption.”
In this regard, the Cybercrime Bill and the global trend of increased cyber regulations may be the impetus for companies to consider cyber risk insurance cover to preserve their economic welfare. Businesses should therefore start prioritising information security and assessing their levels of risks and exposure, she said.
In particular, businesses should consider formulating a cyber incident response plan which includes establishing notification and escalation procedures when a cyber incident occurs, formulating a PR strategy in the event of an incident, establishing evidence gathering guidelines, and a stakeholder notification procedure (including any regulatory authorities).
Ameer-Mia said it is difficult to say when the new Cybercrimes Bill will be passed, but that recent high-profile data breaches meant that there may be an impetus for it to pass sooner rather than later.
Cybercrimes Bill by on Scribd