Section 43(5) of the ECT Act requires the supplier in an electronic transaction to “utilise a payment system that is sufficiently secure with reference to accepted technological standards at the time of the transaction and the type of transaction concerned.” If a payment system is breached, the supplier must reimburse the consumer for any loss suffered. In most instances the supplier does not provide or operate the payment system and this obligation will shift to the provider who is sometimes the ISP.

Apart from the aforegoing, whilst there is no specific law which imposes specific information security related obligations on companies and ISP’s, both have a common law duty not to be “negligent”. When South African Courts consider whether an act was negligent or not, they will try to find out if a “reasonable man” in the defendant’s position (e.g. the ISP) would have acted differently if the damage was reasonably foreseeable and preventable.  It may be argued that compromises to an organisation’s information security is a foreseen risk which should be guarded against and that any omission to take preventative or remedial steps could be regarded as a negligent act which may lead to liability.

The concept of a “duty of care” is also used by our Courts to determine whether or not a party was negligent.  One owes a duty of care only to persons to whom harm may be reasonably foreseen.  Where a degree of skill and expertise is required in the rendering of certain services, such as information security services, the test for negligence is adapted to accommodate such situations.  Here, not only must reasonable care be exercised, but it must measure up to the standard of competence of a reasonable person professing such knowledge and skill.  In other words, the reasonable man is replaced by the reasonable expert.

Where, for example, a hacker gains access to an organisation’s database and obtains the names, addresses and credit card numbers which it the uses for purposes of identity theft, the individual whose information was stolen, may be able to institute legal proceedings claiming that in failing to use industry standard security measures, such as firewalls or intrusion detection systems, the organisation / ISP failed to protect the victim’s personal information and thereby caused it to suffer loss.

Reproduced with permission from Law Business Research. This article was first published in Getting the Deal Through – e-Commerce 2009, (published in August 2008 – contributing editor Robert Bond). For further information please visit