ICT / IT Law (Cyberlaw)

CYBERLAW (ICT LAW) FRANCIS CRONJÉ SANDTON

Upload: franciscronje

Post on 25-May-2015


DESCRIPTION

This presentation provides in-house counsel with a brief overview of IT / ICT related legislation within South Africa and the impact it might have on their organisations and their people.

franciscronje.com: regulatory compliance explained

TRANSCRIPT

Page 1: ICT / IT Law (Cyberlaw)

CYBERLAW (ICT LAW)

FRANCIS CRONJÉ

SANDTON

Page 2: ICT / IT Law (Cyberlaw)

Francis Cronjé

An overview of relevant Legislation pertaining to Cyberlaw and how it relates to in-house counsel

Electronic Communications and Transactions Act of 2002;

Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002;

Promotion of Access to Information Act of 2000.

Page 3: ICT / IT Law (Cyberlaw)

Electronic Communications and Transactions Act

The most important part of this Act for in-house counsel is Chapter III.

Chapter III deals with the facilitation of Electronic Transactions and consists of two parts:

Part 1 thereof provides for the legal requirements of data messages, while

Part 2 deals with the communication of data messages.

Page 4: ICT / IT Law (Cyberlaw)

Part 1

Gives legal recognition to electronic documents (Sec 11);

Gives legal recognition to electronic signatures (Sec 13)

No type of technology is prescribed, therefore a signature can be:

Scanned image of your signature;

Name at the end of an email; or

Digital signature

HOWEVER!!!

Page 5: ICT / IT Law (Cyberlaw)

Part 1 (Cont.)

Where a Law requires a signature, then such requirement will only be met once an Advanced Electronic Signature (AES) is used.

This constitutes a reliable form of signature and can only be issued by an Authentication Provider which has been accredited in terms of sections 37 and 38 of the ECT Act.

Page 6: ICT / IT Law (Cyberlaw)

Part 1 (Cont.)

Fulfills the requirement of law that a document or information must be in “writing” (Sec 12) if the document or information is:

In the form of a data message; AND

Accessible in a manner usable for subsequent reference

Page 7: ICT / IT Law (Cyberlaw)

Part 2

Gives validity to agreements concluded electronically (Sec 22);

Provides for the time and place of communications, dispatch and receipt (Sec 23);

Expression of intent or other statement (Sec 24).

Page 8: ICT / IT Law (Cyberlaw)

Page 9: ICT / IT Law (Cyberlaw)

Page 10: ICT / IT Law (Cyberlaw)

Regulation of Interception of Communications & Provision of Communication-related Information Act

(RICA)

The fundamental principle of RICA for in-house counsel is that an employee’s communications can’t be monitored or intercepted unless the interception falls under one of the exceptions provided for in RICA (heavy penalties for non-compliance).

These exceptions are dealt with in sections 4, 5 and 6 of the Act and are as follows:

Page 11: ICT / IT Law (Cyberlaw)

RICA (Cont.)

By a person if that person is a party to the communication;

With the prior written consent of a party to the communication;

When the interception occurs in connection with the carrying on of business (the so-called “business exception”), where written consent is not necessarily required and where express or implied consent suffices.

Page 12: ICT / IT Law (Cyberlaw)

RICA (Cont.)

Monitoring of e-mails

It can only be legal if and when:

Monitoring of the employee’s email has been authorised by the system controller;

The email being monitored relates to the business of the employer;

The purpose of the monitoring of the emails is to monitor or keep a record of the emails;

The System Controller has made a reasonable effort to inform employees or third parties in advance that the email would be monitored, or the System Controller has received implied or express permission from the party whose email is being monitored.

Page 13: ICT / IT Law (Cyberlaw)

Promotion of Access to Information Act (PAIA)

The section here that is relevant to Cyberlaw and In-house counsel is the requirement that the PAIA manual in terms of sections 14 (in the case of a public body) and 51 (in the case of a private body) must be made available on the Public or Private Body’s website.

Page 14: ICT / IT Law (Cyberlaw)

The Impact Cyberlaw has on Electronic Transactions

E-Commerce:

NB to realise that when drafting any terms and conditions on an E-Commerce site, always stipulate that the products or content for sale do not constitute an offer to sell, but merely an invitation to buy. This is due to the effect of sections 23 and 24 of the ECT Act and the impact of Electronic Agents (for example a price mistake, not enough stock etc.).

Have due regard to the consumer protection clauses as stipulated in Sections 43 and 44, which deal with the information that needs to be provided as well as the cooling-off periods for services and products.

Page 15: ICT / IT Law (Cyberlaw)

The Impact Cyberlaw has on Electronic Transactions (Cont.)

E-mail:

The same (as with E-Commerce) would apply to concluding agreements via email (take for instance the automated out-of-office reply). Make sure that the terms of the email disclaimer specify that an email is only deemed received once confirmed by the recipient and that an out-of-office reply does not constitute such a confirmation.

Unsolicited email (Section 45)

Page 16: ICT / IT Law (Cyberlaw)

Protection of Domain Names and Online Dispute Resolution

Protection of domain names

The most important aspect for In-house counsel is to ensure that they have an IP Policy.

Domain names and their administration and registration should form part and parcel of this Policy, since domain names can be immensely important assets to a company.

Page 17: ICT / IT Law (Cyberlaw)

Protection of Domain Names and Online Dispute Resolution (Cont.)

This Policy should be read in conjunction with the company’s IT Security Policy, and it should be the responsibility of In-house counsel to make the CEO, CFO and CIO aware of these policies and advise on their implementation.

In the IT Security Policy, issues would relate for instance to how one can effectively protect your own websites against defamation etc.

Page 18: ICT / IT Law (Cyberlaw)

Protection of Domain Names and ODR (Cont.)

Online Dispute Resolution

Important to realise that there are different dispute mechanisms for the different levels of domains out there.

For all the generic Top Level Domains (gTLD), ICANN makes provision for ODR through WIPO, making use of its Uniform Domain Name Dispute Resolution Policy (UDRP). http://www.wipo.int/amc/en/domains/gtld/index.html

It also makes provision for certain country code Top Level Domains (ccTLD). http://www.wipo.int/amc/en/domains/cctld/index.html

Page 19: ICT / IT Law (Cyberlaw)

Protection of Domain Names and ODR (Cont.)

Online Dispute Resolution

In order to file a complaint, a Complainant will have to prove 3 things:

That he has a registered trade mark reflecting the name; and

That the Respondent has no legitimate interest in the domain name; and

That the Respondent has acted in bad faith.

Page 20: ICT / IT Law (Cyberlaw)

Protection of Domain Names and ODR (Cont.)

Online Dispute Resolution

With the South African ccTLD, .co.za, a local dispute resolution mechanism (DomainDisputes.co.za) is used, run by the South African Institute of Intellectual Property Law (SAIIPL).

http://www.domaindisputes.co.za/index.php

Page 21: ICT / IT Law (Cyberlaw)

Protection of Domain Names and ODR (Cont.)

Online Dispute Resolution

In order to file a complaint, a Complainant here will only have to prove a combination of 2 things, or can also make use of an alternative option:

(a) the complainant has rights in respect of a name or mark which is identical or similar to the domain name and, in the hands of the registrant, the domain name is an abusive registration; or

(b) the domain name, in the hands of the registrant, is an offensive registration.

http://www.domaindisputes.co.za/content.php?tag=7

Page 22: ICT / IT Law (Cyberlaw)

Document Management and the Protection of the Privacy of Sensitive Information

First it is important to distinguish between the following:

Document Management (Record Retention);

Information Management; and

Protection of Personal Information (Privacy)

Page 23: ICT / IT Law (Cyberlaw)

Document Management and the Protection of the Privacy of Sensitive Information (Cont.)

Document Management has to do with the retention of Business Records according to a law or statute (for example the retention of an invoice);

Information Management has to do with the distinction between various forms of information and their sensitivity with regard to distribution and accessibility (for example trade secrets); while

Protection of Personal Information (Privacy) deals with the protection of information relating to individuals, whether they are employees or clients (for example the address or health status of a person).

Page 24: ICT / IT Law (Cyberlaw)

Document Management and the Protection of the Privacy of Sensitive Information (Cont.)

Electronic Document Management (Record Retention)

As an example we are going to look at emails. An email is a business record if:

A regulation or statute says it must be retained;

It contains valuable information about business operations;

It contains info that must be filed with a regulator (ICASA or JSE);

It contains information used to negotiate a contract;

A sales forecast depends on information it contains;

It is the final version of a contract etc.

Page 25: ICT / IT Law (Cyberlaw)

Document Management and the Protection of the Privacy of Sensitive Information (Cont.)

Electronic Document Management (Record Retention)

Certain sections of Chapter III of the ECT Act allow the use of electronic documents, emails and other forms of electronic information as evidence (sec 15);

An audit trail of authenticity, as well as the integrity of the information in terms of structure, content and context, must be shown;

Email messaging systems such as Microsoft Outlook were not designed to guarantee the above.

Page 26: ICT / IT Law (Cyberlaw)

Document Management and the Protection of the Privacy of Sensitive Information (Cont.)

Electronic Document Management (Record Retention)

It is therefore suggested that such emails be stored in a proper records management system.

It is imperative to have a Document (Records) Management Policy in place.

Page 27: ICT / IT Law (Cyberlaw)

Document Management and the Protection of the Privacy of Sensitive Information (Cont.)

Protection of the Privacy of Sensitive Information

This is also known as data protection and relates to the protection of personal information, in other words, retaining the privacy of an individual.

Taking once again the example of an email, it should be noted that for information so classified, methods of encryption must be used.

Page 28: ICT / IT Law (Cyberlaw)

Electronic Crime and IT Security

Electronic crimes are a daily occurrence and impact every company (Edgars and ABSA, for example);

Most of these crimes happen behind the firewall (disgruntled employee);

It is therefore imperative to have the right policies in place, ranging from Electronic Communications Policies through to IT Security Policies;

When these crimes occur from the outside, the ECT Act makes provision for criminal liability in terms of its sections 85 to 88.

Page 29: ICT / IT Law (Cyberlaw)

Electronic Crime and IT Security (Cont.)

In-house counsel must be aware of section 424 of the Companies Act, which relates to a director’s liabilities.

Where a director has for instance not given heed to advice received with regard to the implementation of policies, it might be concluded that such a director has acted recklessly and might incur personal liability for losses that the company has suffered.

Page 30: ICT / IT Law (Cyberlaw)

Conclusion

Due diligence reports relating to a company’s implementation of Corporate Governance must be conducted at regular intervals;

This will lead to the implementation of sufficient policies which could and should curtail most onslaughts that face the ever-increasing demands that are required from companies’ Information and Communication Technology systems, which in turn

has an impact on their Corporate Responsibilities.

Page 31: ICT / IT Law (Cyberlaw)

THANK YOU!

Francis Cronjé

[email protected]@cybersmart.co.za

Mobile: 079 0985 309