Information security law is an emerging area of the law.
There is no single law in South Africa that governs all of a company’s information security obligations. Rather, it comprises a ‘patchwork’ of different laws, and even standards and best practices.
The patchwork comprises the following areas of law:
- Transactional security: where section 43(5) of the ECT Act requires the use of a payment system which is “sufficiently secure”.
- IT Governance: where King III™ requires appropriate information security controls to protect companies and their shareholders.
- Electronic signatures: where ordinary electronic signatures and “advanced” electronic signatures play a role in securing information pursuant to section 13 of the ECT Act.
- Public key infrastructures: (e.g. the SA Post Office Trust Centre) which include digital certificates and electronic authentication.
- Computer-related fraud: in terms of section 87 of the ECT Act, where the victim of an information security attack conducted by means of impersonation or spoofing could lay a criminal charge of fraud against the attacker, based on the attacker’s attempt to mislead or to misappropriate something of value.
- Common law privacy claims: where for example a person submits personal information to an organisation for a certain purpose and the organisation reveals the information to a third party who misuses the information causing the person to suffer damage or loss (for example, in the context of ‘data swops’ between organisations).
- Statutory privacy claims: under the soon to be enacted Protection of Personal Information Bill.
- Cyber crime: which involves any illegal act involving a computer, whether the computer is the object of a crime, an instrument used to commit a crime or a repository of evidence related to a crime, and includes the statutory cyber crimes set out in sections 85 to 88 of the ECT Act.
- The law of contract: where information technology contracts such as outsourcing, service provision, application service provider and software licensing agreements are beginning to impose security obligations on vendors and business partners. These agreements increasingly require the providers of information technology to warrant against security vulnerabilities, such as viruses and trojan horses, and organisations are more frequently being contractually obligated to protect a customer’s, employee’s or business partner’s personal or confidential information. Similarly, businesses are often required to agree to security commitments as a condition of participating in certain activities. For example, merchants that want to accept credit cards must agree to comply with the PCI Data Security Standard (click here to read our post on the Standard).
- The law of delict: where the concepts of “reasonableness” and “duty of care” are being relied upon to determine whether or not organisations have been negligent in not taking the necessary security precautions, or are liable for loss suffered where the party who suffered the loss proves that the loss was reasonably foreseeable and that it was caused by the other party’s negligence.
- The law of evidence: in connection with forensic issues relating to information in electronic form which may have been modified or deleted in an attempt to hide the evidence, and the taking of the necessary steps to ensure that the reliability and admissibility of the electronic evidence will be maintained in the eyes of a court of law.
- Common law fraud: for example identity theft.