Member Article

 The South African President has signed the Cybercrimes Bill into law, which means it is now an Act of Parliament. The date on which the Cybercrimes Act, 2020 comes into force is yet to be announced, but there are a few key things to note:

• The majority of the offences created by the Cybercrimes Act relate to data, messages, computers, and networks involving hacking, the unlawful interception of data, ransomware attacks, cyber forgery and uttering, and cyber extortion.
• The Cybercrimes Act criminalises “malicious communications”, which means any electronic communication (called a “data message”) which is sent to a person, a group of persons, or the general public with the intention to incite the causing of any damage to property belonging to, or violence against, a person, or group of persons.
• The Cybercrimes Act also grants law enforcement extensive powers to investigate, search, access and seize various articles, such as computers, databases or networks.
• The Cybercrimes Act imposes a duty on electronic communications service providers and financial institutions to report certain offences within 72 hours. Failure to make the required report could lead to a fine on conviction of a maximum of ZAR50 000.
  
  

Overlap with POPIA

Some of the offences criminalised under the Cybercrimes Act may overlap with compromises to personal information regulated under the Protection of Personal Information Act, 2013 (“POPIA”). Although POPIA does not define a “data breach” or a “security compromise”, it imposes an obligation on companies to notify the Information Regulator and affected data subjects where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. Here, we see similarity with a few of the offences under the Cybercrimes Act, including unlawful access, unlawful interception of data, and unlawful interference with data.

This is significant as companies may have obligations under both the Cybercrimes Act and POPIA. This bears particularly on:

• Reporting obligations: Electronic communications service providers and financial institutions may, in particular, be required to discharge reporting obligations under both the Cybercrimes Act and POPIA, should the circumstances require (for example, where there has been unlawful access to financial information processed by a bank). Companies should be aware of the different procedures and timeframes to be followed for reporting.
• Liability: The Cybercrimes Act and POPIA each impose a different form of liability, depending on the infringing conduct.
  
  

Companies should be aware of their responsibilities under the Cybercrimes Act, and the extent to which POPIA may be relevant to the occurrence or suspected occurrence of a cybercrime.

ENSafrica provides comprehensive and full-service cyber, data privacy and data-breach advice and assistance.

For further advice or assistance, please contact:

Rakhee Dullabh
Technology, Media and Telecommunications Executive
[email protected]
+27 82 509 6565

Ridwaan Boda
Technology, Media and Telecommunications Executive
[email protected]
+27 83 345 1119

Priyanka Naidoo
Corporate Commercial Associate
[email protected]