The Cybercrime Bill and electronic communications service providers
The Internet has expanded to more than 3 billion users, and with this, the ability to abuse its capabilities has increased. It has become easier to gain access to systems, even more so in light of the abundance of information that exists regarding hacking, such as online hacking guides. For example, the hacking group Anonymous, which on 16 November 2015 declared war against ISIS, recently released a few guides on how to hack.
South Africa is one of the most active countries in terms of cyber crime. There may not be many South African hackers, but they are just as competent as international cyber criminals. A hacker's skill has nothing to do with where in the world they live, and the recent high-profile hacking cases show that no one is immune to hacking threats.
Cyber crime threats include spoof Web sites, viruses, malware, phishing, illegal access to data, hacking mobile devices, etc. Hacking can take place as a starting point or as a result of a person clicking on a link that leads to a hostile Web site, opening malicious e-mails, or any other seemingly harmless act on the Internet. Motives behind hacking vary and include gaining access to data such as banking and credit card details, hacktivism, espionage, warfare, intellectual curiosity, etc.
Since the Electronic Communications and Transactions Act ("ECTA") came into force, perpetrators have been successfully prosecuted for illegal access to data in terms of section 86(1), which criminalises intentionally accessing or intercepting data without permission to do so. ECTA does not provide adequate provisions to regulate cyber crimes, and as a result, government has published the Cybercrimes and Cybersecurity Bill (the "Bill") for comment. Although this Bill provides consequences for numerous cyber crime offences, there are many provisions that could apply to a company and render it liable to criminal prosecution. For example, an electronic communications service provider ("ECSP") has a duty to report immediately to the National Cybercrime Centre on becoming aware that its network is being used to commit an offence. The offences, to mention a few, include unlawful access, interception of data, fraud, espionage and terrorist activity.
Further duties placed on ECSPs are to take reasonable steps to inform clients of cyber crime trends, to establish procedures for clients to report cyber crimes, and to provide measures to safeguard against cyber crime. Failure to report or to fulfil these duties could lead to fines of up to R10 000 per day of non-compliance.
Difficult as it may be to regulate the extent of access of any users of an electronic communications service, it is important to proactively manage the security of your entire service and to put in place preventative procedures to deal with cyber threats. The Bill, as it is developed, may place further onerous duties on ECSPs with immense consequences if the duties are not complied with.