If your organisation is faced with a cybercrime or data breach, it is imperative that you have a clear, effective and robust plan on hand to deal with these incidents. The plan needs to consider the interaction between the Electronic Communications and Transactions Act 35, 2005 (“ECTA”), the Cybercrimes Act 19, 2020 (“Cybercrimes Act”) and the Protection of Personal Information Act 4, 2013 (“POPIA”). Let's unpack below:
ECTA
ECTA aims to give functional equivalence to electronic transactions by ensuring that, generally, such transactions have the same status as physically concluded transactions. ECTA is a law of general application which applies to transactions which are concluded electronically or by way of data messages. Of relevance to data breaches, chapter XIII of ECTA deals with cybercrimes and regulates unauthorised access to, interception of or interference with data. Sections 85, 86, 87 and 88 create a number of cybercrime offences. These include a person who intentionally accesses or intercepts any data without authority or permission to do so ie, hacking and computer-related extortion, fraud and forgery.
If convicted of an offence, the relevant person could be liable to a fine or imprisonment not exceeding 12 months to 5 years, depending on the offence.
Cybercrimes Act
The Cybercrimes Act was signed into law on 26 May 2021, but the Act will only come into operation on a date yet to be proclaimed by the President in the Government Gazette. Once in force, the Act will repeal sections 85, 86, 87 and 88 of ECTA. Chapter 2 of the Cybercrimes Act will then deal with cybercrimes, malicious communications, sentencing and orders to protect complainants from the harmful effect of malicious communications.
The Cybercrimes Act, in section 54, imposes a duty on electronic communications service providers and financial institutions to report certain offences to the South African Police Services (“SAPS”) within 72 hours. Failure to make the required report could lead to a fine on conviction of a maximum of ZAR50,000.
POPIA
POPIA came into effect, by and large, on 1 July 2021, and does not create any cybercrimes. POPIA, in terms of Processing Condition 7, places and obligation on the responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information. In order to so, the responsible party must take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator; and, as a general rule, the affected data subjects.
A cybercrime, such as hacking, can trigger a number of obligations for organisations, as it often results in both a data breach under POPIA, that must be reported to the Information Regulator and affected data subjects, and also an offence under ECTA, that may be reported to the SAPS. This must be reported by certain parties once the Cybercrimes Act replaces the provisions of ECTA.
It is important to take legal advice in order to preserve legal privilege, implement periodic dry-runs, training, awareness and testing of any incident response plan to ensure that your incident response plan is effective. This will facilitate and enable your organisation to comply with its obligations under POPIA, navigate the aftermath of cyber-incidents and data breaches and mitigate any possible liabilities faced by your organisation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
