Information Technology Attorneys
Snapshot of Current State of ICT Regulatory Compliance in South Africa
Lance Michalson
Gartner Symposium ITXPO 2005, 01 August 2005, Cape Town, South Africa
Current Legal Compliance Landscape
Compliance v Best Practice v Risk Management
[Diagram labels: Compliance; Best Practice; Risk Management; Technology Risk; Tech Legal Risk; Wide; Narrow]
Example Compliance Issues

Issue: Crypto supplier not registered with DOC
Offence: fine or imprisonment not exceeding 2 years

Issue: No corporate info on e-mail
Offence: in terms of Companies Act s50.1.c as read with s50.4, s171.1 as read with s441.1.m, s50.1.c as read with s441.1.k

Issue: No express or implied consent to monitoring of paper and electronic communications
Offence: fine not exceeding R2m or imprisonment not exceeding 10 years; inadmissible evidence
Example Tech Legal Risk Issues

Issue: No software development agreement in place
Risk: Company does not own the software

Issue: Various factors might influence the admissibility and evidential weight of electronic documents
Risk: Inadmissibility of evidence; compromised chances of success in litigation (possible reputational damage and monetary loss: damages, legal costs etc.)

Issue: No e-mail footer (signature / disclaimer)
Risk: Vicarious liability (e.g. for defamation)
 
Legislative Process
[Diagram labels: Constitution; Legislature; Executive; Judiciary]
Legislature:
- Parliament: makes new laws, amends existing laws, repeals old laws
- Provincial Legislatures
- Municipal Councils
South African ICT Regulatory Hype Cycle
[Diagram: Gartner hype cycle, Visibility plotted against Maturity, through Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity]
Process Followed
What was included:
- Primary ICT laws in SA
- NB: SA-adopted standards
- NB: foreign laws impacting some SA companies
What was excluded:
- Secondary laws affected by primary laws (e.g. record retention laws)
South African ICT Regulatory Hype Cycle: compliance requirements develop at different rates
[Diagram: hype cycle (Visibility v Maturity: Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity) with the following items placed along the curve]
- Infosec / SANS 17799
- ECT Act (2002)
- Basel II (1999)
- RM / SANS 15489
- PROATIA (2000)
- Sarbanes-Oxley Act (2002)
- RIC (monitoring)
- Data Privacy
- SANS 15801
- Critical Databases, Crypto Providers and ASPs
- Convergence Bill (2005)
- King II (2002)
- EU Data Privacy Directive
- FICA
Key (time to plateau): less than two years; two years to five years; five years to 10 years
Acronym key: ASPs = Authentication Service Providers; RIC = Regulation of Interception of Communications etc. Act 70 of 2002
Life Cycle of an Act of Parliament
Stages: Issue Paper -> Discussion Paper -> Green Paper -> White Paper (or fast track to Bill) -> Bill -> Parliamentary Portfolio Committee Hearings -> Act before National Council of Provinces -> Act before National Assembly -> Signed by President & Gazetted -> Regulations, Notices
Phases: Drafting Period; Influence Period; Prepare to Comply
[Diagram labels: IP, PC, Cabinet]
Source: Department of Justice and Constitutional Development, http://www.doj.gov.za/2004dojsite/legislation/legprocess.htm
Last updated: 01 August 2005
Where Key Pieces of Legislation Fit In
[Diagram: the same life-cycle stages (Issue Paper through Regulations, Notices; Drafting Period, Influence Period, Prepare to Comply; IP, PC, Cabinet) with the following items placed on them]
- Data Privacy
- Convergence Bill
- RIC (not yet promulgated)
- ECT Act Critical Database Regs
- ECT Act Crypto, ASP, Domain Name Regs
Key (status of regulations): Regs not published for comment; Regs published for comment, not yet promulgated
Last updated: 01 August 2005
Optimum Points of Engagement
[Timeline: June 2005, August 2005, December 2005, January 2006]
- Convergence Bill
- Data Privacy Discussion Paper / Green Paper
- Critical Database Regulations comments & Crypto Provider enactment (ECT Act)
- Possible gazetting of Monitoring Act (anytime)
What Can Be Done Now?
- Critical Databases
- Data Privacy
- Monitoring
- King II
- Information Security Best Practice Guide for South African Directors
 
 
Chapter IX: Protection of Critical Databases
Scope of critical database protection (s52):
- s53 Identification of critical data and databases
- s54 Registration of critical databases
- s55 Management of critical databases
- s56 Restrictions on disclosure of information
- s57 Right of inspection
- s58 Non-compliance with Chapter

The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases that contain information which, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit, and restrictions and penalties for unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.
Management of Critical Databases
The Minister may prescribe minimum standards or prohibitions in respect of:
- the general management of critical databases;
- access to, transfer and control of critical databases;
- infrastructural or procedural rules and requirements for securing the integrity and authenticity of critical data;
- procedures and technological methods to be used in the storage or archiving of critical databases;
- disaster recovery plans in the event of loss of critical databases or parts thereof; and
- any other matter required for the adequate protection, management and control of critical databases.
Privacy
State of SA Privacy Regulation
The Law Reform Commission Issue Paper recommends that:
- privacy and data protection should be regulated by legislation;
- a statutory regulatory agency should be established;
- a flexible approach should be followed in which industries develop their own codes of practice (in accordance with the principles set out in the legislation), overseen by the regulatory agency;
- general principles of data protection should be developed and incorporated in the legislation.
Data Protection Principles
- Limitation on collection (consent)
- Specified purpose
- Limitation on disclosure
- Data quality (relevance)
- Security safeguards against unauthorised access, destruction, use, modification or disclosure (role of crypto)
Monitoring
Monitoring E-communications: 1992 v 2002 (RIC) Acts
RIC is all about:
- monitoring in a "legally compliant manner"
- putting the correct processes and procedures in place
Monitoring: Section 7 "Business Exception"
System controller (SC), i.e. the CEO. Four requirements:
- express / implied consent of the SC
- particular purpose
- e-communications tools owned by the business
- reasonable efforts by the SC to give advance notice OR express / implied consent of the person being monitored
Penalty: R2m or 10 years
Some Monitoring Issues
- What constitutes written consent?
- What constitutes implied consent?
- Is per-interception consent necessary?
- Will a blanket consent suffice?
- How does the CEO demonstrate "reasonable efforts"?
- How does one protect the CEO?
Monitoring Matrix
[Matrix columns: "Implied consent and reasonable efforts demonstrated by"; "Written consent demonstrated by"; "CEO is protected by"]
Artefacts placed in the matrix:
- Monitoring Policy (appears in two columns)
- Acceptance of Monitoring Policy
- CEO delegation to IT department
- FAQ
- Pro-forma Interception Request
- Glossary of Terms
- Pro-forma Interception Report to the Board
- Log-on Notice (appears in two columns)
- Notice to Users
- Reminder e-mail from IT department
 
Compliance & Risk Cocktail
Acts of Parliament: ECT Act; PROATIA, 2002; Monitoring Act
Common law: Contract; Delict (negligence: duty to take reasonable steps)
Best practice: SANS 17799; MISS (Govt depts); COSO ERM; COBIT
Information risk management
King II good governance
See our Information & Technology Compliance and Legal Risk Matrix.
Compliance crosses several disciplines, from HR to IT to Legal to risk management. Compliance is a combination of policy, process and technology.
THANK YOU FOR YOUR TIME!!
Lance Michalson, "IT Law with Insight", www.michalsons.com

Copyright © Michalsons 2002-2009. The information contained in this presentation is subject to change without notice. Michalsons makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons. This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons is prohibited. Contact Lance Michalson at lance@michalsons.com for permission to copy.
