History of South African cyber legislation

Candice Sutherland (@Lady_Liabs).

Johannesburg, 07 Feb 2019

Cyber crime is defined as any criminal activity involving a computer or a network and is the fourth most reported crime in South Africa. Any entity that makes use of a computer, network or stores employee and/or client information has a cyber crime exposure.

As our legal system was written around physical crimes, understanding how to successfully prosecute Internet-related crime has been challenging. Obtaining evidence takes a very high level of skill and computer forensics can be costly (eg, can you prove the evidence has not been tampered with and that the chain of custody was followed). Not all cyber crimes are reported; would you know where and how to report a cyber crime? And if you fell for a 419 or a dating scam, would you report it?

The Budapest Convention came into force on 1 July 2004, and was the first international treaty created to address Internet and computer crime by matching national laws, improving investigative techniques and increasing co-operation among nations with the intention of pursuing a common criminal policy aimed at the protection of society against cyber crime. Forty-six states were ratified with eight further signatories (including SA on 23 July 2001).

Offences listed include illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography.

In 2002, the Electronic Communications and Transactions Act came into place, which stated that any person who intentionally and without authority or permission to do so:

* Accesses or intercepts any data;
* Interferes with data, which causes such data to be modified, destroyed or otherwise rendered ineffective; and
* Produces, sells, offers to sell, designs, adapts, distributes or possesses any device, which is designed primarily to overcome security measures designed to protect such data or access thereto with the intent to unlawfully utilise such item if convicted of an offence, the perpetrator would be liable to a fine or imprisonment for a period not exceeding five years.

Most recently is the Cybercrimes Bill, which was first published on 28 August 2015, updated on 19 January 2017, introduced in Parliament on 22 February 2017, and the latest version was published in October 2018. The Bill will provide the structure for preventing cyber crime and addresses computer-based criminal activity (unlawful access to, interference with or distribution of data, electronic communications, information systems and networks).

The Bill will impact anyone (natural or juristic) who uses a computer, processes data or uses the Internet. This includes: individuals and parents, professionals, journalists, organisations, banks, information security experts as well as IT/data protection/regulatory/compliance professionals, all electronic communications service providers (ECSPs), software or hardware vendors who use tools that could be used to commit offences, representatives from government departments, the police, and cyber criminals and terrorists.

The Bill creates many new offences such as:

* Hacking;
* Unlawful interception of data;
* Ransomware;
* Cyber forgery; and
* Cyber extortion.

The intention of the Bill is to:

* Create offences and prescribe penalties;
* Criminalise the distribution of data messages which are harmful and to provide for interim protection orders;
* Regulate jurisdiction;
* Regulate the powers to investigate, search and gain access to or seize items;
* Regulate aspects of international co-operation in respect to the investigation of cyber crime;
* Provide for the establishment of a 24/7 point of contact;
* Provide measures to protect National Critical Information Infrastructures;
* Further regulate aspects relating to evidence;
* Impose obligations on electronic communications service providers;
* Allow the country's president to enter into agreements with foreign states to promote cyber security; and
* Align with international best practice and effectively deal with multi-jurisdictional cyber crime activity.

The penalties consist of a fine, maximum 15 years' imprisonment, or both.

The National Cybersecurity Hub was established as a central point for collaboration between industry, government and civil society on all cyber security-related incidents. The Hub was launched on 30 October 2015 ( and is South Africa's National CSIRT (Computer Security Incident Response Team) that strives to make cyber space an environment where all residents of South Africa can communicate, socialise and transact safely. Cyber security incidents are to be reported to

Every company has a cyber exposure and a fundamental aspect of corporate governance is to have a strong cyber risk management programme in place. Cyber insurance provides comprehensive cover to respond to previously uninsurable risks: a network security or privacy breach. Cover extends from the incident response process through to business interruption losses and the defence and settlement of ensuing liability claims

ITOO cyber insurance solution


* Network security breach: means unauthorised access to, unauthorised use of, theft of data from, denial of service attack or transmission of malicious code to the insured's computer system, including physical theft of the insured's computer system, or any part thereof.
* Privacy breach: means a breach of confidentiality, infringement, or violation of any right to privacy, which results in harm to employees or third parties.

Please click here to see the Policy structure.


Editorial contacts

Candice Sutherland
(082) 346 1716
Ryan van de Coolwijk
(083) 794 4332