Clampdown On Criminals

At present, South Africa’s existing cybercrime legal frameworks are a combination of different pieces of legislation. These regulations have not stayed up to date with the evolving cyber threat landscape, nor have they kept up with the new technologies adopted by business and consumers.

A Cybercrimes Bill, which aims to bring together existing legislation and address holes in the current law, was passed by parliament in 2018, yet it is still not law. Instead, it is currently sitting with the Select Committee on Justice in the National Council of Provinces while public responses to the bill are being processed.

According to Brian Pinnock, a cybersecurity expert at Mimecast, the Cybercrimes Bill fills an urgent need to consolidate existing cybercriminal offences.

It also creates a series of new offences, which don’t yet exist in our law.

“This is very important because cybercrime has erupted in recent years and it continues to grow and evolve.”

Historically, South Africa has had difficulties in prosecuting offensive cyber practices under the common law.

That includes things that should seem like obvious offences, such as revenge porn, hacking and online terrorism explains associate designate at Norton Rose, Priyanka Naidoo.

The bill recognises the impact internet and technology have had on citizens’ lives. It also takes into account how digital innovation has affected all sectors of business and government.

“It is critical that a country has a responsive legislative framework to authorise the enforcement of unlawful acts,” says Naidoo. “This is particularly so in South Africa, which has become somewhat of a cybercriminal’s paradise because of the lack of a responsive legislative framework.”

What does this mean for business?

Previously, it was difficult to prosecute people for acts of cybercrime because the crimes weren’t specifically defined and the associated penalties and methods of prosecution weren’t established, notes Lukas van der Merwe, specialist sales executive for security at T-Systems. For businesses, this is a massive step in the right direction as it gives law enforcement the mandate and authority to prosecute people for cybercrimes.

To be compliant, businesses must understand their role in reporting and preserving evidence, adds Pinnock. If an incident is being investigated in court, businesses may have to deal with increased costs and business interruption if equipment or data is seized as evidence. “At worst, an organisation could go from being the victim of a cybercrime to a villain if their systems or breached data are used in the conduct of a further cybercrime against other organisations, employees or customers,” he cautions.

For businesses across all sectors, the Cybercrimes Bill, and the Protection of Personal Information Act (POPI), both reinforce the long-overdue need for businesses to carefully consider their attitude to cyber-hygiene and evaluate how they secure the confidential information they keep.

“Prevention does, of course, remain better than cure,” urges Pinnock. So, while the ability to police and prosecute is essential, organisations still need to have the right protection in place to prevent breaches from happening in the first place.