The Cybercrimes Act places strict legal obligations on electronic communications service providers (ECSPs). For example, an ECSP must report cybercrimes to the police, and store evidence about cybercrimes that someone may have committed. The Act imposes steep penalties on ECSPs that do not comply. In this post, we highlight the impact of the Cybercrimes Act on ECSPs.
ECSPs must report cybercrimes to the police
Section 54Â of the Cybercrimes Act creates certain reporting obligations on ECSPs and financial institutions. However, section 54 of the Act is not in operation yet. It will come into effect on a future date.
Once section 54 commences, ECSPs and financial institutions will have to report cybercrimes to the police within 72 hours of being aware or becoming aware that someone is using their network to commit a cybercrime.
The Act does not force an ECSP to:
- monitor the data that they store or transmit on their computer systems or networks, or
- actively look for unlawful activity on their networks. (Section 54 (4))
An ECSP must keep data
The Act mandates an ECSP to keep data. However, because these obligations fall under section 54 of the Act, they are not in operation yet. When this section of the Act commences, an ECSP (including financial institutions) must preserve any information which may help the police in investigating a cybercrime. (Section 54 (1)(b)).
The moment an ECSP is aware or becomes aware that someone is using their network to commit a cybercrime, they must keep data for an unspecified amount of time to help the police catch the cyber-criminal.
Technical assistance to authorities
An ECSP (or anyone else who is in control of data, networks, or computers) must provide technical or other assistance to law enforcement to search for, access or seize any data or computer that may be linked to a cybercrime. (Section 34)
The Cybercrimes Act does not specify what sort of assistance ECSPs or financial intuitions must render. You would have to keep the data or computer for as long as the law enforcement member needs it.
If you don’t assist the police or an investigator, you could receive a hefty fine or face up to two years in prison.
Storing evidence about cybercrimes
The Cybercrimes Act places some onerous legal obligations on ECSPs and financial institutions. Not just on reporting cybercrimes to the police, but also storing evidence about cybercrimes. The financial implications to comply with these obligations could be enormous.
If an ECSP or financial institution does not comply with their obligations to keep data, they will be guilty of an offence and may face a fine of up to R50000.
Actions you could take
- Understand how the Act impacts you by attending our half day online workshop on the Cybercrimes Act.
- Ask us to help you determine the impact of cybercrimes on your organisation and the next steps by doing the online Cybercrimes impact assessment.
- Learn about the impact of the Cybercrimes Act on financial institutions by reading our related post.
- Receive future updates or alerts about the Cybercrimes Act and our events by subscribing to the Michalsons newsletter.
- Dive into the details of the Act by reading the web-based version of it.
- Know how the law applies to you specifically by asking us for a legal opinion or interpretation of the law.
- Brief your board on the Cybercrimes Act and the legal implications for your organisation by asking us to present an executive briefing to them.
- Find out what other actions you can take related to cybercrime by visiting our main cybercrime law page.
