Lucien Pierce, consultant at BDO Cyber Lab, unpacks the new Cybercrimes and Cybersecurity Bill and offers his opinion.
The Department of Justice published the Cybercrimes and Cybersecurity Bill, 2017 on 19 January. It is, at first glance, much better than the 2016 draft. Some, like financial institutions, may not think so though, because they now have additional obligations.
The 2016 draft had some rather convoluted and onerous provisions. One example was Chapter 6, titled “Structures to Deal with Cyber Security”. It provided for the creation of no fewer than 7 cyber security-related entities. Chapter 6 alone ran for over 30 pages.
The 2017 draft deals with similar entities at Chapter 10 (in just under nine pages) but makes better sense in many ways. The way it deals with these entities is clearer and simpler. It does not try to deal with every possible aspect of how they should operate.
A second example of how the 2017 draft simplifies matters is Chapter 9. It is titled “Obligations of Electronic Communications Service Providers and Financial Institutions”. The 2016 draft also dealt with these obligations under Chapter 9, the difference being that the obligations were more onerous and did not apply to financial institutions.
The 2016 draft placed obligations on electronic communications service providers to take reasonable steps to inform clients of cybercrime trends, establish procedures for them to report cybercrimes and educate clients on cybercrime countermeasures. These provisions have, probably to many consumer advocates’ chagrin, been removed.
A further change that is likely to delight both electronic communications service providers and financial institutions is that the maximum fine that may be levied for contravening this section (that is, failing to timeously report an incident and failing to preserve information) is capped at R50 000.00. The 2016 draft would have resulted in a fine of R10 000.00 per day from the time you became aware of an incident to the time you reported it.
In general, it certainly looks like the 2017 draft has been better thought through. It is clearer and in many ways more practical.
The quicker the Cybercrimes and Cybersecurity Bill, 2017 is passed into law, the better. It, together with other laws like the Protection of Personal Information Act, will certainly enhance South Africa’s information economy, bringing many benefits to the country.