General 11.04.2013

Successfully navigating the minefield of technology threats

The rate at which technology is currently progressing is so rapid that almost all government legislation regarding technology is out of date by the time it is written into law. In an attempt to prevent this, governments try to make legislation as technology-neutral as possible, preferring to speak to the specific human or organisational aspects of a crime or facet of law. South African legislation is no different. Even the South African Electronic Communications and Transactions Act, as widely encompassing as it is, does not include all possible technology types or crimes. “The challenge is that the legal framework must be specific enough so as to be clear what is and what is not allowed, but being too specific can create loopholes for new ways of circumventing the law,” says co-founder of three6five Jeff Fletcher. “The law cannot be broad enough to encompass all forms of technology, and yet specific enough to be completely enforceable,” explains Fletcher.

What makes law enforcement for technology-related crimes even more challenging is that technology crimes and criminals are so difficult to track and trace. “Hackers are extremely difficult to trace, and may perpetrate a crime from a compromised PC in another country, leaving very few legislative mechanisms with the power to effect any kind of justice in most instances. The nature of the internet and global communication technology networks is that they transcend the jurisdictions of all governments and law enforcement agencies. Apart from banning all networks and computers globally, it is difficult to track, trace and bring to justice perpetrators of technology crimes,” says Fletcher.

In response to these legislative challenges, most governments now choose to legislate companies themselves, to ensure that they keep their data, and other people’s data sources, safe and secure. “While governments cannot penalise companies for being robbed of data, they can penalise them for not taking the necessary precautions to prevent their data from being compromised,” says Fletcher. South Africa’s new Protection of Personal Information Bill will make sure that organisations adapt and comply with complex international laws on how to handle personal information. The Bill requires organisations to establish appropriate policies and procedures to protect the various forms of data that are part of their business operations.

“What complicates matters is that many South Africans still happily give their personal information to companies that fall outside of South Africa, and therefore outside the South African legal jurisdiction, such as on Facebook and other international sites. By doing this, they inhibit the protection of their information under South African law, and limit the recourse that legislators have should their information be compromised,” stresses Fletcher. “Individuals should try to keep the exposure of their personal data to the outside world to a bare minimum in order to minimise the risk of their information being compromised,” says Fletcher.

“For companies operating in South Africa that store and use people’s personal data, it is important to take all the necessary measures to keep the data source secure. It is possible to effectively manage internal and external threats, but requires vigilance and focus on behalf of the firm’s IT team. Keep up to date on the latest exploits and threats that could affect your system and update these systems regularly to prevent data compromise,” concludes Fletcher.
