ICT / IT Law (Cyberlaw)



This presentation provides in-house counsel with a brief overview of IT / ICT related legislation within South Africa and the impact it might have on their organisations and their people.

Ф franciscronje.com
regulatory compliance explained

Published in: Technology, Business

  2. An overview of relevant Legislation pertaining to Cyberlaw and how they relate to in-house counsel
       • Electronic Communications and Transactions Act of 2002;
       • Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002;
       • Promotion to Access of Information Act of 2000.
     Francis Cronjé
  3. Electronic Communications and Transactions Act
       • Most NB part of this Act for in-house counsel is Chapter III
       • Chapter III deals with the facilitation of Electronic Transactions and consists of two parts:
           • Part 1 thereof provides for the legal requirements of data messages, while
           • Part 2 deals with the communication of data messages
  4. Part 1
       • Gives legal recognition to electronic documents (Sec 11);
       • Gives legal recognition to electronic signatures (Sec 13)
           • No type of technology is prescribed, therefore a signature can be:
               • Scanned image of your signature;
               • Name at the end of an email; or
               • Digital signature
       • HOWEVER!!!
  5. Part 1 (Cont.)
       • Where a Law requires a signature, then such requirement will only be met once an Advanced Electronic Signature (AES) is used.
           • This constitutes a reliable form of signature and can only be issued by an Authentication Provider which has been accredited in terms of sections 37 and 38 of the ECT Act.
  6. Part 1 (Cont.)
       • Fulfills the requirement of law that a document or information must be in “writing” (Sec 12) if the document or information is:
           • In the form of a data message; AND
           • Accessible in a manner usable for subsequent reference
  7. Part 2
       • Gives validity to agreements concluded electronically (Sec 22);
       • Provides for the time and place of communications, dispatch and receipt (Sec 23);
       • Expression of intent or other statement (Sec 24);
  10. Regulation of Interception of Communications & Provision of Communication-related Information Act (RICA)
       • The fundamental principle of RICA for in-house counsel is that an employee’s communications can’t be monitored or intercepted unless this falls under the exceptions provided for in RICA (heavy penalties for non-compliance)
       • These exceptions are dealt with in sections 4, 5 and 6 of the Act and are as follows:
  11. RICA (Cont.)
       • By a person if that person is a party to the communication;
       • With the prior written consent of a party to the communication;
       • When the interception occurs in connection with carrying on of business (the so-called “business exception”) where written consent is not necessarily required and where express or implied consent suffices.
  12. RICA (Cont.)
       • Monitoring of e-mails
       • It can only be legal if and when:
           • Monitoring of the employee’s email must have been authorised by the system controller;
           • The email being monitored must relate to the business of the employer;
           • The purpose of the monitoring of the emails must be to monitor or keep record of the emails;
           • The System Controller must have made a reasonable effort to inform employees or third parties in advance that the email would be monitored or the System Controller must have received implied or express permission from the party whose email is being monitored.
  13. Promotion to Access of Information Act (PAIA)
       • The point here that is relevant to Cyberlaw and in-house counsel is that the PAIA manual in terms of sections 14 (in the case of a public body) and 51 (in the case of a private body) must be made available on the Public or Private Body’s website.
  14. The Impact Cyberlaw has on Electronic Transactions
       • E-Commerce:
           • NB to realise that, when drafting any terms and conditions on an E-Commerce site, always stipulate that the products or content for sale do not constitute an offer to sell, but merely an invitation to buy. This is due to the effect of sections 23 and 24 of the ECT Act and the impact of Electronic Agents (Example – price mistake, not enough stock etc.)
           • Have due regard to the consumer protection clauses as stipulated in Sections 43 and 44, which deal with the information that needs to be provided as well as the cooling-off periods for services and products.
  15. The Impact Cyberlaw has on Electronic Transactions (Cont.)
       • E-mail:
           • The same (as with E-Commerce) would apply to concluding agreements via email (take for instance the automated out of office reply). Make sure that the terms of the email disclaimer verify that an email is only deemed received once confirmed by the recipient and that an out of office reply does not constitute such a confirmation.
           • Unsolicited email (Section 45)
  16. Protection of Domain Names and Online Dispute Resolution
       • Protection of domain names
       • Most important aspect for In-house counsel is to ensure that they have an IP Policy.
       • Domain names and their administration and registration should form part and parcel of this Policy, since domain names can be valued as immensely important assets to a company.
  17. Protection of Domain Names and Online Dispute Resolution (Cont.)
       • This Policy should be read in conjunction with the company’s IT Security Policy and it should be the responsibility of In-house to make the CEO, CFO and CIO aware of these policies and advise on their implementation.
       • In the IT Security Policy, issues would relate for instance to how one can effectively protect one’s own websites against defamation etc.
  18. Protection of Domain Names and ODR (Cont.)
       • Online Dispute Resolution
       • Important to realise that there are different dispute mechanisms for the different level domains out there.
       • For all the generic Top Level Domains (gTLD), ICANN makes provision for ODR through WIPO making use of its Uniform Dispute Resolution Policy (UDRP). http://www.wipo.int/amc/en/domains/gtld/index.html
       • It also makes provision for certain country code Top Level Domains (ccTLD). http://www.wipo.int/amc/en/domains/cctld/index.html
  19. Protection of Domain Names and ODR (Cont.)
       • Online Dispute Resolution
       • In order to file a complaint, a Complainant will have to prove 3 things:
           • That he has a registered trade mark reflecting the name; and
           • That the Respondent has no legitimate interest in the domain name; and
           • That the Respondent has acted in bad faith.
  20. Protection of Domain Names and ODR (Cont.)
       • Online Dispute Resolution
       • With the South African ccTLD, .co.za, a local dispute resolution mechanism (DomainDisputes.co.za) is used, run by the South African Institute of Intellectual Property Law (SAIIPL). http://www.domaindisputes.co.za/index.php
  21. Protection of Domain Names and ODR (Cont.)
       • Online Dispute Resolution
       • In order to file a complaint, a Complainant here will only have to prove a combination of 2 things or can also make use of an alternative option:
           • (a) the complainant has rights in respect of a name or mark which is identical or similar to the domain name and, in the hands of the registrant the domain name is an abusive registration; or
           • (b) the domain name, in the hands of the registrant, is an offensive registration.
       • http://www.domaindisputes.co.za/content.php?tag=7
  22. Document Management and the Protection of the Privacy of Sensitive Information
       • First it is important to distinguish between the following:
           • Document Management (Record Retention);
           • Information Management; and
           • Protection of Personal Information (Privacy)
  23. Document Management and the Protection of the Privacy of Sensitive Information (Cont.)
       • Document Management has to do with the retention of Business Records according to a law or statute (for example the retention of an invoice);
       • Information Management has to do with the distinction between various forms of information and its sensitivity with regards to distribution and accessibility (for example trade secrets); while
       • Protection of Personal Information (Privacy) deals with the protection of information relating to individuals, whether they are employees or clients (for example the address or health status of a person).
  24. Document Management and the Protection of the Privacy of Sensitive Information (Cont.)
       • Electronic Document Management (Record Retention)
       • As an example we are going to look at emails:
           • An email is a business record if a regulation or statute says it must be retained;
           • It contains valuable information about business operations;
           • It contains info that must be filed with a regulator (ICASA or JSE);
           • It contains information used to negotiate a contract;
           • A sales forecast depends on information it contains;
           • It is the final version of a contract etc.
  25. Document Management and the Protection of the Privacy of Sensitive Information (Cont.)
       • Electronic Document Management (Record Retention)
       • Certain sections of Chapter III of the ECT Act allow the use of electronic documents, emails and other forms of electronic information as evidence (sec 15)
           • An audit trail of authenticity; as well as
           • Integrity of information in terms of structure, content and context must be shown;
       • Email messaging systems such as Microsoft Outlook were not designed to guarantee the above
  26. Document Management and the Protection of the Privacy of Sensitive Information (Cont.)
       • Electronic Document Management (Record Retention)
       • It is therefore suggested that such emails be stored in a proper records management system.
       • It is imperative to have a Document (Records) Management Policy in place.
  27. Document Management and the Protection of the Privacy of Sensitive Information (Cont.)
       • Protection of the Privacy of Sensitive Information
       • This is also known as data protection and relates to the protection of personal information, in other words, retaining the privacy of an individual.
       • Taking once again the example of an email, it should be noted that for information so classified, methods of encryption must be used.
  28. Electronic Crime and IT Security
       • Electronic crimes are a daily occurrence and impact every company (Edgars and ABSA example);
       • Most of these crimes happen behind the firewall (disgruntled employee);
           • It is therefore imperative to have the right policies in place, ranging from Electronic Communications Policies through to IT Security policies
       • When these crimes occur from the outside, then the ECT Act makes provision for criminal liability in terms of its sections 85 to 88.
  29. Electronic Crime and IT Security (Cont.)
       • In-house counsel must be aware of section 424 of the Companies Act which relates to a director’s liabilities.
       • Where a director has for instance not given heed to advice received with regards to the implementation of policies, it might be concluded that such a director has acted recklessly and might incur personal liability for losses that the company has suffered.
  30. Conclusion
       • Due diligence reports relating to a company’s implementation of Corporate Governance must be conducted at regular intervals;
       • This will lead to the implementation of sufficient policies which could and should curtail most onslaughts that face the ever increasing demands that are required from companies’ Information and Communication Technology systems, which in turn;
       • Has an impact on its Corporate Responsibilities.
  31. THANK YOU!
       • Francis Cronjé
       • [email_address]
       • Mobile: 079 0985 309