By Michael-James Currie and Camilla Warring
The new Cybercrimes Bill (B 6B – 2017) has been the subject of much debate. It has been passed by the National Council of Provinces and now awaits assent by President Ramaphosa. If it passes into law it will create a number of new crimes, including the crime of “cyber fraud”.
Data is defined as electronic representations of information in any form. Unlawful accessing of data is a crime under the Electronic Communications and Transactions Act 25 of 2002, and the Bill broadens the scope of the crime. “Unlawful access” occurs when any person unlawfully and intentionally accesses data, a computer program, a computer data storage system or a computer system; that person is guilty of an offence.
A new crime contained in the Bill is “cyber fraud”, whereby any person who unlawfully and with the intention to defraud makes a misrepresentation by means of data or a computer program or by way of interference with data or a computer program which causes actual or potential prejudice, commits the offence of cyber fraud. This definition contains the elements of the common law offence of fraud with which we are familiar, that is, the unlawful and intentional misrepresentation which causes actual or potential prejudice. However, it adds the element of “defrauding” and the mode of misrepresentation, being by means of data or a computer program or interference with data or a computer program. “Defrauding” is not defined in the Bill. Accordingly, this element of the definition is somewhat circular. If this creates any interpretive difficulty, prosecutors may opt to continue charging offenders under the common law crime of fraud.
The common law crime of fraud presents its own difficulties, which are also present in the definition of cyber fraud. Namely, the element of causing “actual or potential prejudice” can make drawing the line between a completed “commission” of the crime and an “attempt” difficult. As in the common law, in terms of the Bill attempted fraud is a punishable offence. If one can be convicted for the completed crime of fraud without causing prejudice, as the definition makes room for “potential prejudice”, then presumably the distinction between an attempt to commit a crime and a completed crime is academic. In terms of the Bill the penalties for committing attempted cyber fraud are the same as if the crime was completed.
While most of the crimes contained in the Bill require positive action on the part of the offender, some relate to failure to act. In terms of the Bill, if financial institutions or electronic communications providers become aware that their computer systems have been involved in the commission of a category of offences in the Bill, including those mentioned, they are under an obligation to report this to the South African Police Service within 72 hours. Failure to report is an offence punishable by a fine of up to R50 000. While this amount is relatively low, if the institution or provider is subject to many small-scale offences it can build up. Perhaps more importantly, failure to report these offences might pose significant reputational risk for these institutions.
The Bill goes on to state that this obligation should not be construed as creating an obligation on financial institutions and electronic communications providers to monitor data or actively seek out information relating to unlawful activities. Nonetheless, in their clients’ interests it is best to be vigilant and ensure that systems are secure. More generally, firms should be mindful of how they interact with their clients’ data.
With the Bill coupled with the recently effective Protection of Personal Information Act, companies will be required to ensure that their internal collection, processing and monitoring obligations are adequate to ensure compliance with personal data laws, and to ensure that potential offences in terms of the Cyber Bill are quickly identified and reported.
[Michael-James Currie is a director at Primerio and specialises in anti-bribery and corruption laws and antitrust across Africa and can be contacted at firstname.lastname@example.org]