The Act of Cybercrime
Written by Catherine Berry – Director of Commercial and Cyber Crime at Camargue Specialised Liability Management
Cybercrime is generally defined as any form of criminal activity involving the use of computers and the internet. Without a legal definition of cybercrime, it is difficult to accurately and completely quantify the impact on South Africa. However, the SA Fraud Prevention Association estimates that the economic cost of cybercrime to South Africa is R1 billion per year. The Center for Strategic & International Studies suggests that the cost is actually close to R5.8 billion annually. Generally, smaller organisations do not have sufficient technology and security systems to protect them from cyber criminals. A 2013 report places South Africa as the third highest country affected by cybercrime, stating that 73% of South Africans were victims of cybercrime in 2013.
South Africa drafts its own Cybercrimes and Cybersecurity Bill
On 2 September 2015, the [128-page] draft Cybercrimes and Cybersecurity Bill, which aims to bring South Africa in line with international laws governing internet-based crimes, was published by the Department of Justice and Constitutional Development for public comment. Based on collaboration with the United Kingdom and the European Council on Cybercrime, the draft legislation incorporates best practices and policy goals pertaining to cybersecurity and governance. The Bill seeks to implement an integrated cybersecurity legislative framework to effectively deal with cybercrimes and address aspects pertaining to cybersecurity. The Bill creates various categories of cybercrimes, including the unlawful access to, or interference with, data; as well as other crimes which are committed electronically, such as extortion, espionage and fraud. Furthermore, the Bill provides for malware and crimes related to password theft; and deals with data messages that promote hatred, discrimination and violence.
The Bill currently provides for extending the powers of South African courts to any act or omission alleged to constitute an offence under the Bill, even if it is committed outside of South Africa. Thus, South African courts will have jurisdiction over defined cybercrimes committed outside of South Africa, provided that the crime affects any person in South Africa.
Salient focus points contained within the Bill include:
- Creating 20 new cybercrime offences and prescribing penalties related to cybercrime
- Regulating jurisdiction, as well as the powers to investigate, search and gain access to, or seize items in relation to, cybercrimes
- Regulating aspects of evidence relative to cybercrimes
- Regulating aspects of international cooperation in respect to investigations of cybercrimes
- The establishment of various structures to deal with cybersecurity, including a Cyber Security Centre
- The identification and declaration of National Critical Information Infrastructures and measures to protect these infrastructures. South Africa is working in collaboration with the United Kingdom and the European Council on Cybercrime to implement a Computer Emergency Response Team (CERT) in case of a terrorist attack on critical governmental information infrastructures, and a Standard Operating Procedure (SOP) is being written for cybercrime labs. It is interesting to note that South Africa adopted the National Cyber Security Policy Framework in March 2012, which seeks to define measures designed to address cyber threats at a national level and to strengthen intelligence collection, investigations, prosecution and judicial processes, in respect of preventing and addressing cybercrime, cyber warfare, cyber terrorism and other cybercrimes.
- Creating obligations for electronic communications service providers regarding issues that impact on cybersecurity
It is interesting to note that the Bill cites 32 related laws. Section 3 of the Bill proposes creating offences relating to personal information (as defined in the POPI Act):
- Personal information abuse: unlawful and intentional retention, possession, procurement or provision of personal information to another person, or entity, to commit a cybercrime;
- Personal information misuse: unlawful and intentional application or utilisation of the personal information of another to commit a cybercrime; and
- Personal information possession: possession of personal information of another person or entity where there is reasonable suspicion that it was used, or may be used, to commit a cybercrime.
There are some concerns surrounding the Bill
The legislation has generally been well-received, particularly given that South Africa currently does not have any legislation in place that addresses cybercrime. The Bill has also received negative feedback, particularly in terms of the powers which shall be ascribed to the likes of the South African Police Service and the State Security Agency. Concerns surrounding this primarily emanate from the fact that, on the basis of verbally granted warrants, these entities are empowered to conduct investigations, search, access and seize property. Furthermore, concern has also been expressed that this may lead to curtailment of freedom of [online] speech.
Given that the Bill is still in its draft form, and much conversation and debate is taking place around this legislation, it is difficult to anticipate just when the Cybercrimes and Cybersecurity Bill shall actually be finalised and enacted. However, given the parallels between this legislation and the POPI Act, the Bill further strengthens the requirement for organisations to move towards POPI compliance.