Cybercrime is a growing endemic globally. It is a crime in which the perpetrators are shrouded with a significant veil of anonymity and which affects both individuals and corporations in both the public and private sectors, respectively. With incidents on the rise, current South African laws do not effectively criminalise this kind of conduct, according to Zaakir Mohamed, Director in the Corporate Investigations sector of the Dispute Resolution Practice at commercial law firm Cliffe Dekker Hofmeyr (CDH).
Cybercrimes across digital banking platforms alone increased by 75% in 2018 - resulting in losses of over R262 million - according to the South African Banking Risk Information Centre’s (Sabric) annual statistics.
Mohamed says that coupled with the increasing number of internet users one of the reasons for the rise in cybercrime is deficient cybersecurity controls.
“As a result of increased internet connectivity, as well as deficient cybersecurity controls, South Africans using digital banking platforms are an obvious (and growing) target for savvy cybercriminals.”
He explains that preventing cybercrimes remains a significant priority for banks and other financial services providers. “Cybercrime was identified as the most disruptive economic crime likely to affect organisations by respondents to the 2018 PwC Global Economic Crime and Fraud Survey. As this wave grows, progressive banks are increasingly embarking on communication campaigns that educate and promote awareness of cybercrime, empowering clients to identify incidents in order to avoid falling victim to fraudsters.”
Unfortunately, when a cybercrime is committed, victims often find themselves confused as to what to do, as well as what potential legal action is available to them, says Mohamed. “Cybercrime offences are currently specifically dealt with in the Electronic Communications and Transactions Act (ECTA) that contains several offences relating to the unauthorised access to, interception of or interference with data."
“In particular, section 86(4) of ECTA provides that ‘a person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence’.”
“So, in essence, victims of digital banking fraud can register a criminal case with the South African Police Service. In addition to the ECTA, there may also be recourse available by way of the South African common law offences of theft, extortion and fraud.”
He adds that, if the identity of the cybercriminal is known to the victim, he or she can potentially institute civil proceedings against the cybercriminal in order to recover the value of the loss suffered, including interest and legal costs incurred. “However, given the nature of these types of crimes, the perpetrator is often not known or difficult to find.”
Simone Dickson, Director in CDH’s Technology, Media and Telecommunications practice, says the ECTA goes some way towards establishing rights and remedies for the offences established under it, but the legislation was passed some time ago and does not provide for a comprehensive, all-encompassing cybercrime regime. “Efforts are currently being made in South Africa for the promulgation of additional legislative measures specific to cybercrime and the protection of data. These include the Cybercrimes Bill and the Protection of Personal Information Act (POPI).”
They may not however offer victims immediate support, says Dickson. “The legislative process is not typically known to be particularly fast-paced, particularly when compared to the rate at which technology develops and improves.”
Dickson says that there is and has to be a focus on issues surrounding cybercrimes and data protection in order to regulate the risks inherent in a digital world.
“The South African Reserve Bank's directive on cloud computing and data offshoring, effective from October 2018 and which applies to all banks, is a good example of regulatory efforts being made to govern and address issues in this sector.
“This directive imposes stringent obligations on banks, including the requirement to implement a formally defined and board approved data strategy and data governance framework. This goes some way towards ensuring that the risks are critically assessed and measures have been implemented to address data risk.”
Dickson says that we can anticipate a number of new developments in this space, considering the prevalence of cybercrime incidents and data breaches in South Africa. “Until then, businesses and individuals need to remain vigilant, including by reviewing current data practices and plans and implementing more stringent data security measures and policies (including data breach response plans) to mitigate against the potential risk of becoming a victim of cybercrime.”