By Sean Duffy, Security Executive at Dimension Data Middle East & Africa
The aim of the Cybercrimes and Cybersecurity Bill (Cybercrimes Bill) is to stop cybercrime and to improve security for South African citizens. A draft of the Cybercrimes Bill was first released for public comment in August 2015 – submissions closed in December and the Bill is due to be presented to Parliament later this year (2016).
Who is affected?
The Cybercrimes Bill affects everyone using a computer or the Internet, or anyone who owns an information infrastructure that could be declared critical. Among others, the following individuals and organisations should take note: ordinary South African citizens or employees using the Internet, network service providers, providers of software and hardware tools, financial services providers (the Bill includes prohibited financial transactions), representatives from government departments, those involved with IT regulatory compliance, as well as information security experts.
What are the offences and penalties?
The Cybercrimes Bill consolidates South Africa’s cybercrime laws, which makes successful prosecution of criminals more likely. Up until now, cyber offences were charged under various acts, among others the Prevention of Organised Crime Act, and the Electronic Communications and Transactions (ECT) Act of 2002. The ECT Act seemed to govern most online crime, but only included three cybercrime offences.
The Cybercrimes Bill defines over 50 new offences, and imposes penalties. Some of the offences detailed in the Cybercrimes Bill relate to the following:
- accessing personal data or interception or interference of data
- use of hardware, software and computer systems to commit offences
- acquisition, possession and provision, or receipt or use of passwords, access codes or similar data or devices
- prohibited financial transactions
- dissemination of data or messages which advocate, promote or incite hate, discrimination or violence
- copyright infringement
- computer-related offences pertaining to terrorist activity such as espionage, unlawful access to restricted data, as well as extortion (which includes unlawful acts in respect of malware pirates, fraud and forgery)
Penalties on conviction are quite severe. Penalties include fines of R 1 – R 10 million and imprisonment of one to ten years, depending on the severity of the offence. The nature of the crime determines the penalty.
The law also imposes obligations on electronic communications service providers, such as mobile networks, Internet service providers, and financial institutions, regarding aspects which may impact on cybersecurity. The Cybercrimes Bill is very specific in obligating these institutions to take steps in preventing cybercrime to protect consumers. It also imposes a fine of R 10 000 a day on organisations that fail to comply with the stipulations in the Cybercrimes Bill.
The Cybercrimes Bill regulates the powers to investigate, as well as aspects of international cooperation. The Bill also provides for the establishment of a 24/7 point of contact and various structures to deal with cyber security.
Gear up for the final law
Incidents will happen, but it’s how an organisation responds that matters. Government is working on establishing a legal mechanism for anyone to defend themselves against cybercrime. However, organisations need to be more proactive in their security through the use of services such incident response plans, real-time threat management, vulnerability management and managed security services.
“The Cybercrimes Bill provides legal backing for anyone to defend themselves in law against cybercrime.”
To read the Cybercrimes and Cybersecurity Bill, visit: http://www.justice.gov.za/legislation/invitations/CyberCrimesBill2015.pdf