The Cybercrimes and Cybersecurity Bill is in the process of being enacted. Some people will call it the Cyber Bill, Cybercrime Bill or Cybercrime Act. Others might refer to it as CaCA, the CaC Bill or just CaC. What will you call it?
The second draft of the Cyber Bill has been tabled in Parliament and we have studied it (all 139 pages of it) so that you don’t have to. We provide you with an overview below. Why is it necessary? Who is affected? What action do you need to take? Should you be commenting on it? What does it deal with? We answer these questions in this article.
This is a scary and bad law. You need to act now. Attend our full day Cyber Crime and Security Workshop to get a deeper understanding of the impact on your organisation, formulate your comments to submit to Parliament and determine whether you will make oral representations before Parliament (or whether you’d like us to do it for you).
Why do we need the Cyber Bill?
Many people will be asking – Do we need the Cybercrime Bill? But cybercrime is on the increase and the Cybercrimes and Cybersecurity Bill aims to keep people safe from criminals, terrorists and other states. It also consolidates cybercrime laws into one place. Essentially, it aims to stop cybercrime and improve the security of the country.
Who is affected by the Cybercrimes and Cybersecurity Bill?
The practical impact of the Cyber Bill on all organisations and all individuals is significant and unfortunately mostly negative. We thought it had been fixed but it hasn’t. Law enforcement wants to curtail our freedom by making everyday things a crime. It impacts all of us who process data or use a computer. Individuals, parents, journalists, organisations, banks and many others will probably commit many offences daily.
- People involved with IT (or POPI) regulatory compliance.
- All Electronic Communications Service Providers (ECSPs).
- Financial institutions.
- Representatives from various government Departments.
- Cyber criminals and terrorists.
- Providers or vendors of software or hardware tools that could be used to commit offences.
- Information Security experts.
- Anyone who owns an Information Infrastructure that Government could declare as critical.
- Everyone who uses a computer or the Internet.
- The Police Service.
Possible Actions for you to take
- Attend a public Cyber Crime and Security Workshop.
- Arrange for your own private in-house Cyber Crime and Security Workshop.
- Brief your board on cyber security risks and the legal implications for your organisation.
- Read the 2017 version of the Bill (or the 2015 version) and its related CyberCrimes Discussion Document 2017 (or the 2015 version).
- Send this article to someone else you think might be interested.
- Influence the content of the law.
- Subscribe to the Michalsons newsletter to receive future updates.
The timeline on the Cybercrime Bill
The Cybercrime Bill was first published on 28 August 2015, updated on 19 January 2017 and was introduced in Parliament on 22 February 2017. There is still an opportunity to influence the content of the law, especially when it is introduced into Parliament. Parliament has called for public comment on the Cyber Bill, and comments must be made by Friday, 28 July 2017. Parliament will allow you to make oral representations to the Committee, but the date has not been set as of yet. There is significant political will from our President to enact this Bill as soon as possible. You can also read our summary of the 2015 version.
Overview of the latest version of the Cyber Bill
The Cybercrime Bill creates many new offences. Some are related to data, messages, computers, and networks. For example:
- unlawful interception of data,
- cyber forgery and uttering, or
- cyber extortion.
The penalties consist of a fine, imprisonment, or both. How much could you be fined? The Bill no longer specifies this, but if you are convicted of a cybercrime, you could spend between one year to fifteen years in prison, depending on the cybercrime. The Cybercrime Bill gives the courts jurisdiction to try these offences is some cases where there is uncertainty.
The National Director of Public Prosecutions must keep statistics on the number, and results of prosecutions for cybercrimes. These statistics must be included in the NDPP’s report on the NPA.
The Cybercrimes and Cybersecurity Bill gives the Police Service (and their members and investigators) extensive powers to investigate, search, access and seize just about anything (like a computer, database or network) wherever it might be located, provided they have a search warrant. Foreign states will co-operate to investigate cybercrimes.
To deal with cybercrime, the Minister of Police must establish and maintain:
- a 24/7 Point of Contact for cyber crimes, and
- the capacity to detect, prevent and investigate cybercrimes.
To improve Cyber Security, the Cybercrimes and Cybersecurity Bill creates a Cyber Response Committee. The function of the Cyber Response Committee is to implement Government policy relating to cybersecurity. The chairperson will be the Director-General: State Security, and the Minister of State Security will oversee and exercise control over the Cyber Response Committee.
The Minister of State Security must establish and operate a Computer Security Incident Response Team (CSIRT) for Government, and ensure that there are enough people to deal with critical infrastructure protection.
The Minister of Defence must establish and maintain a cyber offensive and defensive capacity as part of the Defence Force’s mandate.
The Minister of Telecommunications and Postal Services must establish and maintain a Cyber Security Hub that:
- promotes cybersecurity in the private sector,
- acts as a central point of contact between Government and the private sector on cybersecurity,
- helps establish nodal points and Private Sector Computer Security Incident Response Teams (PSCSIRT) in different sectors, and
- responds to cybersecurity incidents.
The Bill aims to identify, declare and protect Critical Information Infrastructures, like the Department of Home Affairs database. There are various obligations on the owner of (or person in control of) Critical Information Infrastructure.
The Cybercrime Bill helps people to admit evidence of cybercrimes.
ECSPs and financial institutions must:
- report offences to the police no later than 72 hours,
- preserve any information that relates to it.
If an ECSP or a financial institution doesn’t, it is liable on conviction to a fine of R50 000.
This does not mean that ESCPs and financial institutions have to monitor the data they transmit or store on their systems. They also don’t have to actively look for situations that indicate unlawful activity.
The Cybercrime Bill enables the Minister of Justice to make regulations on information sharing. This includes sharing information on cybersecurity incidents, detecting, preventing and investigating cybercrimes.
The President may enter into agreements with other states considering this is a global issue.
Various laws are repealed or amended, most notably Chapter 9 and sections 85, 86, 87, 88 and 90 of the ECT Act.