Although President Cyril Ramaphosa has signed the Cybercrimes Bill into law, only parts came into effect from 1 December 2021.
“It is important to spell out the dos and don’ts of the new Cybercrimes Act and it’s everyone’s interest to familiarise themselves the with changes,” says Ryan van de Coolwijk, product head at iTOO Cyber insurance division.ย
Spotlight falls on Chapter 2 of the Cybercrimes Actย ย
Van de Coolwijkย saysย under this chapter, activities that constitute cybercrimes includeย unlawful access, interception of data, and interference with data or computerย programย like hacking.ย
He says other unlawful acts in respect of software or hardware include unlawful interference with computer data storage medium or computer system; and unlawful acquisition, possession, provision, receipt or use of a password, access codeย or similar data or device.ย
Van de Coolwijkย says cyber fraud, cyber forgery and uttering and cyber extortion; theft of incorporeal property, which was previously limited only to corporeal property at common law are also unlawful.ย
โChapter 2 of the Act also makes it unlawful to send malicious data message communications, which include messages that are intimate in nature, which threaten or incite violence or damage to property.ย Part VI of Chapter 2 of the same Act which provides for protection orders to be granted for these types of malicious communications was not included in the proclamation and is yet to commence,โ notesย Van de Coolwijk.ย
โIn addition, the Act recognises certain cybercrimes in section 11 as an aggravated offence, which is not defined, where a โrestricted computer systemโ is unlawfully accessed and where such data, computer program, computer data storage medium or computer system is under the control of, or exclusively used by, a financial institution such as a licensed bank or insurer or an organ of state and which is protected against unauthorised access or use by security measures.
Cybercrimes Act gives courts extra-territorial reachย ย
Van de Coolwijkย says the sections relating to jurisdiction set out under Chapter 3 have commenced, which empower a court in South Africa to try any offence listed under Part I and II of Chapter 2 of the Act.ย
โNotably, South African courts have extra-territorial jurisdiction to try anyย cybercrime if it was committed outside South Africa if that act was against or affects any person, public body, business residing or incorporated in South Africaย or a restricted computer system within South Africa as contemplated in section 11(1)(b) of the Act,โ addsย Van de Coolwijk.ย
Police powers to investigate, search, access and seizeย
According toย Van de Coolwijk, most sections under Chapter 4 are now effective and grant the South African Police Service (and its members and investigators) extensive powers to investigate, search, access and seize any computer, computer program, database or network or part thereof.
โUnder section 34 of the Act, electronic communications service providers, financial institutions or any person in control of any data, computer program, computer data storage medium or computer system which is subject to a search authorised by a court in terms of section 29 are obligated to assist police officials and investigators with the provision of technical assistance such as data collection,โ explainsย Van de Coolwijk.ย
He says a contravention of this section can render the offender liable for a period of imprisonment not exceeding two years and/or a fine.ย
โSection 39 prohibits the disclosure of information by any person, financial institution, electronic service provider, police official or investigator if obtained during the exercise of any duties in terms of Chapter 4 or 5 of the Act which relate to the investigation of any cybercrimes or mutual assistance with foreign states. Chapter 5 has, however, yet to come into force.โ
Some sections of the Cybercrimes Act are not yet in effectย ย
He says the Act requires the National Police Commissioner to establish a Point of Contact within the existing structures of the South African Police Service (SAPS) with the mandate to assist with proceedings and investigations relating to cybercrimes.ย ย
โChapter 6, which imposes this obligation on the SAPS, has not yet entered into force and the reporting of offences will, until its commencement, have to go through ordinary reporting channelsย provided by the SAPS.โย
However,ย Van de Coolwijkย notes that no reporting obligations under the Cybercrimes Act for financial Institutions and electronic communications service providers โ yet.ย ย
โA notable absence from the proclamation was the express exclusion of section 54 of the Act, which prescribes certain reporting obligations and capacity building under Chapter 8.โย
โThis means that electronic service providers and financial institutions are not yet obligated to report cybercrimes set out in Part I of Chapter 2 of the Act within 72 hours to the SAPS after having become aware of the offence and to preserve any information that may assist the SAPS in their investigation of the alleged offence,โ saysย Van de Coolwijk.ย
However, given that this provision will come into force at a later stage, it would be sensible for both electronic communications service providers and financial institutions to start implementing appropriate reporting procedures as failure to comply with this section after its commencement could result in an offence and a fine not exceeding R50 000.ย
Reporting procedures should align with existing reporting procedures adopted in terms of (amongst others) the Prevention of Organised Crime Act, 1998 (PoCA), the Financial Intelligence Centre Act, 2001, and the Prevention and Combating of Corrupt Activities Act, 2004 (PRECCA).
