The Cybercrimes Act places strict legal obligations on electronic communications service providers (ECSPs). For example, an ECSP must report cybercrimes to the police, and store evidence about cybercrimes that someone may have committed. The Act imposes steep penalties on ECSPs that do not comply. In this post, we highlight the impact of the Cybercrimes Act on ECSPs.

ECSPs must report cybercrimes to the police

Section 54 of the Cybercrimes Act creates certain reporting obligations on ECSPs and financial institutions. However, section 54 of the Act is not in operation yet. It will come into effect on a future date.

Once section 54 commences, ECSPs and financial institutions will have to report cybercrimes to the police within 72 hours of being aware or becoming aware that someone is using their network to commit a cybercrime.

The Act does not force an ECSP to:

  • monitor the data that they store or transmit on their computer systems or networks, or
  • actively look for unlawful activity on their networks. (Section 54 (4))

An ECSP must keep data

The Act mandates an ECSP to keep data. However, because these obligations fall under section 54 of the Act, they are not in operation yet. When this section of the Act commences, an ECSP (including financial institutions) must preserve any information which may help the police in investigating a cybercrime. (Section 54 (1)(b)).

The moment an ECSP is aware or becomes aware that someone is using their network to commit a cybercrime, they must keep data for an unspecified amount of time to help the police catch the cyber-criminal.

Technical assistance to authorities

An ECSP (or anyone else who is in control of data, networks, or computers) must provide technical or other assistance to law enforcement to search for, access or seize any data or computer that may be linked to a cybercrime. (Section 34)

The Cybercrimes Act does not specify what sort of assistance ECSPs or financial intuitions must render. You would have to keep the data or computer for as long as the law enforcement member needs it.

If you don’t assist the police or an investigator, you could receive a hefty fine or face up to two years in prison.

Storing evidence about cybercrimes

The Cybercrimes Act places some onerous legal obligations on ECSPs and financial institutions. Not just on reporting cybercrimes to the police, but also storing evidence about cybercrimes. The financial implications to comply with these obligations could be enormous.

If an ECSP or financial institution does not comply with their obligations to keep data, they will be guilty of an offence and may face a fine of up to R50000.

Actions you could take