Understanding rights, obligations under Cybercrimes Act: Integral aspect of businesses' data and information protection processes

By Karl Blom, partner, Mieke Vlok, senior associate, and Inge Swanepoel, consultant, Webber Wentzel
Karl Blom, partner, Webber Wentzel.

Businesses in South Africa are required to notify authorities of certain offences, although they are also empowered to rely on certain legislation to protect and enforce their rights against criminals.

The Cybercrimes Act 19 of 2020 (the Cybercrimes Act) is the first statute in South Africa to explicitly recognise cybercrimes by creating a new category of criminal offences under South African law. These cybercrimes include:

  • The unlawful interception of data;
  • The theft of incorporeal property;
  • Cyber fraud;
  • Cyber forgery and uttering;
  • Cyber extortion;
  • The unlawful acquisition, possession, provision, receipt or use of a password, access code or similar data or device;
  • Unlawfully accessing a computer system or computer data storage medium; and
  • The unlawful interference with data, a computer program, a computer data storage medium or a computer system.

The Cybercrimes Act also places certain obligations on institutions and corporations to comply with stringent security requirements in managing the data of citizens and employees. Contravention of the Cybercrimes Act may, upon conviction, result in several penalties, including fines and up to 15 years imprisonment.

Various key sections of the Cybercrimes Act took effect on 1 December 2021. Businesses are increasingly relying on the Cybercrimes Act to enforce their rights to their proprietary information and data.

Inge Swanepoel, consultant, Webber Wentzel.

Recently, a South African airline exercised its rights under the Cybercrimes Act against a former employee accused of engaging in industrial espionage and misappropriation of the airline’s incorporeal property. The airline filed a complaint in terms of the Cybercrimes Act with the South African Police Service. 

The airline alleged that the former employee disclosed its confidential information, obtained during the employee's tenure with the airline, to the employee’s new employer without authorisation. Among other things, the employee was accused of unlawfully disseminating copies of documents containing client revenues, thereby violating the confidentiality and proprietary interests of their former employer.

Businesses should not only have regard to the protections and possible remedies the Cybercrimes Act offers them, but also to their own obligations under the statute.

Importantly, electronic communications service providers and financial institutions have specific duties in relation to reporting cybercrimes (although these obligations have been suspended until a date to be determined by the President). 

In terms of section 54, electronic communications service providers and financial institutions must report any cybercrime involving their electronic communications service or network to the Information Regulator and the South African Police Service within 72 hours of becoming aware of the offence. 

Any information which may be of assistance to the South African Police Service in conducting their investigation must also be preserved. A failure to comply with these obligations may upon conviction attract a fine of up to R50 000.

According to a directive published by the South African Reserve Bank (SARB), effective August 2024 participants in the National Payment System also have certain duties in relation to reporting cybercrimes.

The directive introduces new cyber security requirements for payment institutions regulated under the National Payment System Act 78 of 1998, including clearing system participants, settlement system participants, third-party payment providers, system operators, payment clearing house system operators, and the operators of payment system financial market infrastructures.

Mieke Vlok, senior associate, Webber Wentzel.

Notably, payment institutions and operators must report material cyber-incidents to the SARB within 24 hours of the cyber-incident occurring and must submit a report to the SARB containing specified information regarding the cyber-incident within 48 hours of the cyber-incident occurring. Payment institutions and operators are also required to provide ongoing updates to the SARB until the incident is fully resolved. As part of their internal business processes, payment institutions and operators must also ensure that any information-sharing arrangements they enter into comply with the relevant provisions of the Cybercrimes Act relating to the disclosure of information.

Other legislation, such as the Financial Intelligence Centre Act 38 of 2001 and the Prevention and Combatting of Corrupt Activities Act 12 of 2004, also imposes mandatory reporting obligations and it is vital that businesses are aware of their obligations to notify authorities of certain events and offences. 
