The Cybercrimes and Cybersecurity Bill is in the process of being enacted. Some people will call it the Cyber Bill, Cybercrimes Bill, Cybercrime Act or Cybercrime Law. Others might refer to it as CaCA, the CaC Bill or just CaC. What will you call it? There is still time to influence the law. Why is it necessary? Who is affected? What action do you need to take? Should you be commenting on it? What does it deal with? We answer these questions in this article.
Why do we need the Cyber Bill?
Many people will be asking – Do we need the Cybercrimes Bill? But cybercrime is on the increase and the Cybercrimes and Cybersecurity Bill aims to keep people safe from criminals, terrorists and other states. It also consolidates cybercrime laws into one place. Essentially, it aims to stop cybercrime and improve the security of the country.
Who is affected by the Cybercrimes and Cybersecurity Bill?
- People involved with IT (or POPI) regulatory compliance.
- All Electronic Communications Service Providers (ECSPs).
- Financial institutions.
- Representatives from various government Departments.
- Cyber criminals and terrorists.
- Providers or vendors of software or hardware tools that could be used to commit offences.
- Information Security experts.
- Anyone who owns an Information Infrastructure that Government could declare as critical.
- Everyone who uses a computer or the Internet.
- The Police Service.
Possible Actions for you to take
- Attend a public Cyber Crime and Security Law Workshop.
- Arrange for your own private in-house Cyber Crime and Security Law Workshop.
- Brief your board on cyber security risks and the legal implications for your organisation.
- Read the 2017 version of the Bill (or the 2015 version) and its related CyberCrimes Discussion Document 2017 (or the 2015 version).
- Send this article to someone else you think might be interested.
- Influence the content of the law.
- Subscribe to the Michalsons newsletter to receive future updates.
The timeline on the Cybercrimes Bill
The Cybercrimes Bill was first published on 28 August 2015, updated on 19 January 2017 and was introduced in Parliament on 22 February 2017. There is still an opportunity to influence the content of the law, especially when it is introduced into Parliament. You can also read our summary of the 2015 version.
What does the Cyber Bill deal with?
The Cybercrimes Bill creates many new offences. Some are related to data, messages, computers, and networks. For example:
- unlawful interception of data,
- cyber forgery and uttering, or
- cyber extortion.
The penalties consist of a fine, imprisonment, or both. How much could you be fined? The Bill no longer specifies this, but if you are convicted of a cybercrime, you could spend between one year to fifteen years in prison, depending on the cybercrime. The Cybercrimes Bill gives the courts jurisdiction to try these offences is some cases where there is uncertainty.
The National Director of Public Prosecutions must keep statistics on the number, and results of prosecutions for cybercrimes. These statistics must be included in the NDPP’s report on the NPA.
The Cybercrimes and Cybersecurity Bill gives the Police Service (and their members and investigators) extensive powers to investigate, search, access and seize just about anything (like a computer, database or network) wherever it might be located, provided they have a search warrant. Foreign states will co-operate to investigate cybercrimes.
To deal with cybercrime, the Minister of Police must establish and maintain:
- a 24/7 Point of Contact for cyber crimes, and
- the capacity to detect, prevent and investigate cybercrimes.
To improve Cyber Security, the Cybercrimes and Cybersecurity Bill creates a Cyber Response Committee. The function of the Cyber Response Committee is to implement Government policy relating to cybersecurity. The chairperson will be the Director-General: State Security, and the Minister of State Security will oversee and exercise control over the Cyber Response Committee.
The Minister of State Security must establish and operate a Computer Security Incident Response Team (CSIRT) for Government, and ensure that there are enough people to deal with critical infrastructure protection.
The Minister of Defence must establish and maintain a cyber offensive and defensive capacity as part of the Defence Force’s mandate.
The Minister of Telecommunications and Postal Services must establish and maintain a Cyber Security Hub that:
- promotes cybersecurity in the private sector,
- acts as a central point of contact between Government and the private sector on cybersecurity,
- help establish nodal points and Private Sector Computer Security Incident Response Teams (PSCSIRT) in different sectors, and
- respond to cybersecurity incidents.
The Bill aims to identify, declare and protect Critical Information Infrastructures, like the Department of Home Affairs database. There are various obligations on the owner of (or person in control of) Critical Information Infrastructure.
The Cybercrimes and Cybersecurity Bill helps people to admit evidence of cybercrimes.
ECSPs and financial institutions must:
- report offences to the police no later than 72 hours,
- preserve any information that relates to it.
If an ECSP or a financial institution doesn’t, it is liable on conviction to a fine of R50 000.
This does not mean that ESCPs and financial institutions have to monitor the data they transmit or store on their systems. They also don’t have to actively look for situations that indicate unlawful activity.
The cybercrimes bill enables the Minister of Justice to make regulations on information sharing. This includes sharing information on cybersecurity incidents, detecting, preventing and investigating cybercrimes.
The President may enter into agreements with other states considering this is a global issue.
Various laws are repealed or amended, most notably Chapter 9 and sections 85, 86, 87, 88 and 90 of the ECT Act.
If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.