Broad, over-reaching laws, like sweeping statements, are dangerous. The Cyber Crimes and Cyber Security Bill of 2017, recently published by the Department of Justice, enacts one-sided legislation, and we foresee numerous amendments being made to the law in future in order for it to be truly effective.
‘SABRIC states that SA loses R2.2 billion to Internet fraud and Phishing attacks annually. The Bill creates new crimes and offences. It makes even more complex, compliance with information security and requirements pertaining to Protection of Personal Information (“POPI”). When enacted, this law will have far reaching implications for individuals and organisations, particularly those that process data, as well as for banks or electronic communications service providers.’ – Cliffe Dekker Hofmeyr Attorneys.
This is what you need to know
1. Your security tools could implicate you – whether you use them for work or not.
Unlawful acts in respect of software or hardware tool – Chapter 4.
(1) Any person who unlawfully and intentionally possesses, manufactures, assembles, obtains, sells, purchases, makes available or advertises any software or hardware tool for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1) or 7(1)(a) or (d), is guilty of an offence.
(2) Any person who unlawfully and intentionally uses any software or hardware tool for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1) or 7(1)(a) or (d), is guilty of an offence.
(3) For purposes of this section, ‘‘software or hardware tool’’ means any electronic, mechanical or other instrument, device, equipment, apparatus or a substantial component of such a device or a computer program, which is designed or adapted primarily for the purposes of— (a) securing access as contemplated in section 2(1); (b) acquiring data as contemplated in section 3(1); (c) interfering with data or a computer program as contemplated in section 5(1); (d) interfering with a computer data storage medium or a computer system as contemplated in section 6(1); or (e) acquiring, modifying, providing, making available, copying, using or cloning a password, access code or similar data or devices as defined in section 7(3).
Note: the law makes no provision for circumstances which may justify owning hacker tools. In fact, you will not be presumed innocent if found in possession of such tools: the onus of proving your innocence will be on you, unlike an accused murderer, rapist or thief, who is presumed innocent until proven guilty.
2. Expedited Search Warrants Are a Thing
Scarily, the law enables police to fast-forward the usual formalities of acquiring a search warrant:
Oral application for search warrant or amendment of warrant – Chapter 28.
(1) An application referred to in section 27(1)(a), or an application for the amendment of a warrant issued in terms of section 27(1)(a), may be made orally by a specifically designated police official, if it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make a written application.
3. The Law Extends to Posting Images
A further worry is this section, which could make sharing images on social media without consent a crime. While it seems reasonable to ordinary people like you and me, consider what a restriction this is on the press who report on high-profile individuals.
Distribution of data message of intimate image without consent – Chapter 18.
(1) Any person who unlawfully and intentionally makes available, broadcasts or distributes, by means of a computer system, a data message of an intimate image of an identifiable person knowing that the person depicted in the image did not give his or her consent to the making available, broadcasting or distribution of the data message, is guilty of an offence.
(2) For purposes of subsection (1), ‘‘intimate image’’ means a visual depiction of a person made by any means— (a) under circumstances that give rise to a reasonable expectation of privacy; and (b) in which the person is nude, is exposing his or her genital organs or anal region or, in the case of a female, her breasts.
4. Banks and Cellphone Companies have to Report Breaches
Obligations of electronic communications service providers and financial institutions – Chapter 52.
(1) An electronic communications service provider or financial institution that is aware or becomes aware that its computer system is involved in the commission of any category or class of offences provided for in Chapter 2 and which is determined in terms of subsection (2), must— (a) without undue delay and, where feasible, not later than 72 hours after having become aware of the offence, report the offence in the prescribed form and manner to the South African Police Service.
5. There are New Crimes Created by the Law
- cyber fraud
- cyber forgery
- cyber uttering
6. New Structures come into Play
There are new structures, all aimed at developing capacity to detect, prevent, apprehend and investigate cyber criminals.
- 24/7 Point of Contact will render assistance with cyber crime incidents
- Cyber Response Committee to implement policy
- Computer Security Incident Response Team will facilitate co-operation with the private sector and facilitate the co-ordination and distribution of incident information
The newly enacted legislation will most certainly have implications for industry professionals, and also for the RICA and POPI laws; what those implications will be remains to be seen.
Do you have questions regarding the Bill? Email: firstname.lastname@example.org
OIC is an Information Security Firm based in Cape Town. We assist medium to large enterprises with all aspects of information security. Contact us: email@example.com