By Pieter van Zyl | Attorney, Notary & Conveyancer | Bate Chubb & Dickson
Cybercrimes and Data Breaches – Be aware of your obligations!
Less than two months after the commencement of the Protection of Personal Information (POPI) Act on 1 July 2020, Experian (one of South Africa’s largest credit bureaus) announced a massive data breach, in which the personal information of approximately 24 million individuals and 800,000 businesses was potentially exposed.
On the same day that the POPI Act came into operation, the Cybercrimes Bill was passed by the National Council of Provinces. The bill will now await approval by the National Assembly and the President.
THE CYBERCRIMES BILL SEEKS TO CRIMINALISE THE FOLLOWING CYBERCRIMES:
Malicious communications – being the distribution of data messages with the intention to incite the causing of damage to any property belonging to, or to incite violence against, or to threaten a person or group of persons, including the distribution of “revenge porn”;
Unlawful access – which includes the unlawful and intentional access to data, a computer program, a computer data storage medium or a computer system (commonly referred to as “hacking”);
Unlawful interception of data – which includes the acquisition, viewing, capturing or copying of data of a non-public nature through the use of hardware or software tools;
Unlawful acts in respect of software and hardware tools – being the unlawful and intentional use or possession of software and hardware tools that are used in the commission of cybercrimes (such as hacking and unlawful interception);
Unlawful interference with data, computer programs, storage mediums and computer systems – being the unlawful and intentional interference with data, a computer program, a computer data storage medium or computer system;
Cyber fraud – being fraud committed by means of data or a computer program or through any interference with data, a computer program, a computer data storage medium or a computer system;
Cyber forgery – being the creation of false data or a false computer program with the intention to defraud;
Cyber uttering – being the passing-off of false data or a false computer program with the intention to defraud.
The bill provides broad discretion to courts to impose fines, penalties and imprisonment in accordance with the Criminal Procedure Act.
In addition, the bill seeks to impose certain obligations on businesses. Specifically, electronic communication service providers and financial institutions will have obligations to report cybercrimes and preserve information and data used in the commission of a cybercrime.
Businesses that have any involvement in the commission of a cybercrime will be obligated to assist law enforcement and cooperate with any investigations which may be conducted.
The commencement of the POPI Act on 1 July 2020 already imposes certain obligations on businesses, including:
To only collect information for a specific purpose;
To ensure that the information is relevant and up to date;
To have reasonable security measures in place to protect the information;
To only keep the necessary information; and
To allow the data subject to obtain or view his or her information on request.
Each business has 12 months (from 1 July 2020) to fully comply with this Act.
If your business, like most businesses, has access to customers’ data, including financial information, banking details, identity numbers and addresses, it is increasingly important to create awareness and undergo training to ensure that the information is appropriately and legally collected and protected.