TOP DEFENCE In the context of an always connected environment, Cliffe Dekker Hofmeyr argues the merits of managing the increasing risk of cybercrime Cybercrime is an increasing risk for businesses around the world, and SA is no exception, says Preeta Bhagattjee, director and national practice head (technology and sourcing) at Cliffe Dekker Hofmeyr. The revised Cybercrimes and Cybersecurity Bill was tabled in the National Assembly in February 2017 and comes at an important time in the effort to root out this type of criminal activity, which is hitting the bottom lines of businesses. Worryingly, PwC’s global economic crime survey (2016) found that 15% of SA organisations have been asked to pay a bribe, and more than half of SA respondents believe it is ‘likely’ they will experience bribery and corruption in the next two years. While more than half of the global organisations surveyed (53%) reported having lost less than $100 000 to economic crime over the past 24 months, just 43% of SA organisations could make that claim. Almost a fifth (19%) of SA respondents experienced losses of between $100 000 and $1 million; one in four respondents indicated having suffered losses of more than $1 million; and 2% lost in excess of $100 million (double the global average). The new bill criminalises unlawful and intentional conduct relating to accessing, acquiring, using, possessing and storing, data, data messages, computer systems and programmes, networks and passwords. It creates new crimes of cyberfraud, cyberforgery and cyberuttering – and it also criminalises malicious communications. The publication of the Cybercrimes and Cybersecurity Bill back in 2015 (Cybersecurity Bill) illustrates that cybersecurity is on Parliament’s radar, with the Cybersecurity Bill being intended to regulate national and international co-operation in terms of the investigation and prosecution of cybercrimes, as well as the imposition of obligations on electronic communication service providers. In fact, a National Cybersecurity Policy was developed by the Department of Telecommunications and Postal Services (previously the Department of Communications) in 2010, and was approved by Cabinet on 7 March 2012. The policy aims to improve SA’s cybersecurity through the following means: Providing guidelines for online security throughout the country Instituting a plan to introduce national and sector-based computer security incident response teams (CSIRTs). The functions of the CSIRTs will include identifying, analysing, containing, mitigating and reporting the outcome of threats to relevant parties Fostering co-operation between the public and private sectors in dealing with threats to cybersecurity, and ensuring compliance with the relevant cybersecurity standards. There is global consensus on the importance of cybersecurity measures and legislation. However, the implementation thereof and associated monitoring and interception of cybercommunications in order to prevent cybercrimes, terrorism and other criminal activities from taking place is not without its challenges. The powers afforded to government under the Cybersecurity Bill are also to be considered in this context. For example, section 33 of the Cybersecurity Bill states that an electronic communications service provider and/or any other person who is in possession of data and information, other than a person suspected of a crime, must provide technical or other assistance that may be required for an investigation in order to assist the investigator with accessing such data. Failure to comply with this section may result in an offence and conviction of five years, or a fine of up to R5 million. While this provision is subject to compliance with the laws applicable to search and seizure, it may empower SA government agencies to make similar demands to those made by the US government in the Apple case. While the objectives of the Cybersecurity Bill are laudable and essential in a world where cybercrime is on the rise, the provisions of the Cybersecurity Bill have not been without criticism. The rights afforded to investigative bodies and officers under the bill will need to be considered against privacy rights. The complexities and challenges on drawing a balance between fighting crime and regulating cybersecurity in a manner consistent with rights to privacy are, however, not exclusive to SA – people will need to look to foreign jurisdictions when seeking solutions so as to ensure that cybersecurity measures do not circumvent basic constitutional rights. The framework for mutual co-operation between foreign states with respect to the investigation and prosecution of cybercrimes will also need to be carefully considered. At the end of the day, the bill needs to prevent cybercrime but not unnecessarily increase complexity and impinge on privacy rights. 1 Protea Place, Sandton Jhb, 2196, South Africa Tel. +27 (0)11 562 1000 www.cliffedekkerhofmeyr.com