You may be wondering whether you are an Electronic Communications Service Provider (ESCP) as defined by law. It’s an interesting question. A lot more people are ECSPs than you realise. You probably are one. What does it means for you if you are?
Who falls within the definition of an Electronic Communications Service Provider?
The 2015 version of the Cybercrimes and Cybersecurity Bill defined an Electronic Communication and Service Provider very broadly. In that version an ESCP included:
- a person who provides an electronic communications service with an electronic communications service licence
- a financial institution for example a bank, or
- anyone (including an entity) who processes or stores data for someone else.
Essentially, everyone was an ECSP.
The 2017 version of the Bill, has narrowed the definition of an ECSP:
- It is now just a person who provides an electronic communications service with an electronic communications service licence.
- Financial institutions are no longer ECSPs, but they have exactly the same obligations.
Financial institutions and ESCPs have the same obligations
Do ECSPs have to report cybercrimes?
ECSPs and financial institutions must report cybercrimes to the police within 72 hours of being aware or becoming aware that their network or system is being used to commit a cybercrime. However, a financial institution or ECSP is not forced to:
- monitor the data that they store or transmit on their computer systems or networks, or
- actively look for unlawful activity on their networks.
Does the Bill force an ECSP and financial institutions to keep data?
One of an ECSP’s or a financial institution’s obligations is to preserve any information that could assist law enforcement in investigating a cybercrime. The moment they are aware or become aware that their network is being used to commit a cybercrime, they have to keep data for an unspecified amount of time to assist in catching the cyber-criminal. If they don’t, they are guilty of an offence themselves.
A police official also can require an ECSP or a financial institution to preserve data where there is reason to believe that it has been involved in a cybercrime. If they do not comply, they are guilty of an offence.
Financial institutions and ECSPs (or anyone else who is in control of data, networks or computers) must provide technical assistance and “such other assistance as may be necessary” to law enforcement to search for, access or seize any data or computer that may be connected with a cybercrime. The Cyber Bill does not specify what sort of assistance is required, but you would probably have to keep the data or computer for as long as the law enforcement member needs it. If you don’t do this you could be fined or face two years in prison.
What does it mean if I am an ESCP?
The Cyber Bill places some pretty onerous legal obligations on ECSPs and financial institutions. Not just on reporting cybercrimes to the police, but also storing evidence about cybercrimes. The financial implications to comply with these obligations could be enormous. And you could be fined R50,000 if you don’t comply.
To find out more attend one of our Cyber Crime and Security Law Workshop.