How Cyber Incidents May Trigger Legal Responsibility
With cybercrime on the rise and stricter data protections taking hold, the intersection of law and digital security becomes increasingly significant. In South Africa, delict – a cornerstone of civil law – offers a framework for understanding one’s legal responsibility in cases of harm. As cyber security incidents rise, it is essential for businesses, policymakers and individuals alike to examine how delict principles apply in the digital realm.
What is a Delict?
Under South African law, a delict arises when one party’s wrongful and culpable conduct causes harm to another. To establish delictual liability, you need to prove five essential elements:
1. Conduct: An act or omission by the alleged wrongdoer.
2. Wrongfulness: The act must infringe on a legally protected right or interest.
3. Fault: The wrongdoer must act intentionally or negligently.
4. Harm: The victim must suffer damage or injury.
5. Causation: A direct link must exist between the conduct and the harm.
The law of delict serves to compensate victims, deter harmful behaviour, and uphold societal norms. While traditionally associated with physical or financial harm, its principles also extend into the virtual world, where cyber incidents can cause substantial damage.
The Cyber Security Landscape in South Africa
South Africa faces a high prevalence of cybercrime, from ransomware attacks to data breaches and phishing scams. The consequences are severe – financial losses, reputational damage, and legal repercussions. For businesses, safeguarding systems and sensitive data is not just a technical challenge but also a legal obligation under laws such as the Protection of Personal Information Act (POPIA).
When a cyber-attack occurs, questions often arise about liability. Could a business be held accountable if inadequate security measures allowed the breach? What recourse does a victim have if their data is compromised due to another party’s negligence? This is where delict comes into play.

Applying Delict to Cyber Security
The principles of delict can help determine liability in cyber security incidents. Here’s how the five elements align:
1. Conduct
In a cyber context, conduct by the company could involve either a failure to implement adequate and/or generally accepted security protocols or a deliberate malicious insider act.
2. Wrongfulness
To prove wrongfulness, it must be shown that the conduct violated a legal duty, such as the obligation to protect a customer’s personal information or the obligation to protect against cybersecurity threats.
3. Fault
Establishing fault involves demonstrating that the wrongdoer acted negligently or intentionally. Negligence in cyber security might include failure to implement industry best practices. On the other hand, an employee deliberately leaking sensitive information would fall under intentional acts.
4. Harm
The harm caused by cyber incidents often extends beyond financial loss. In fact, cyber-security researchers have identified a total of at least 57 different ways in which cyber-attacks can have a negative impact. Among others, victims may suffer business interruption, theft of funds, identity theft, reputational damage, or emotional distress. In cases of ransomware, operational disruptions can cripple businesses, resulting in significant losses.
5. Causation
The final step is proving that the harm directly resulted from the wrongful conduct. For example, if a data breach occurs because a company failed to encrypt sensitive information, the breach – and the subsequent harm to customers – can be linked to the company’s negligence. Alternatively, if a company has not protected its domain from spoofing and that domain is then used in business email compromise (BEC), ransomware, phishing, or malware crime, this could also be linked to the company’s negligence.
Mitigating Delictual Liability in Cyber Security
Businesses can reduce their risk of delictual liability by adopting proactive measures, including:
Compliance with Laws: Adhering to laws and other relevant regulations demonstrates a commitment to legal and ethical standards.
Implementing Best Practices: Fully protecting a domain with DMARC, regularly updating software, conducting security and vulnerability audits, using strong passwords (or better still, a password manager), implementing MFA (Multi-Factor Authentication), and training employees on cyber risks are all essential steps.
Cyber Insurance: Insurance policies tailored to cyber incidents can help cover legal costs and compensation in the event of a breach.
Incident Response Plans: Being prepared to respond swiftly and effectively to breaches minimizes harm and demonstrates diligence.

Regulatory Environment: South Africa
In South Africa, several legislative and regulatory frameworks impose explicit duties on organisations to safeguard digital communication channels. Notably, the financial services industry is governed by specific standards that complement data protection laws. The following are noteworthy excerpts drawn from various laws and regulations.
1. Protection of Personal Information Act (POPIA)
POPIA imposes explicit duties on responsible parties to safeguard personal information, which extends to securing digital communication channels. Key sections addressing these obligations include:
Condition 7, Security Safeguards: POPIA requires a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent unlawful access to, or processing of, personal information.
To demonstrate compliance with this provision, the responsible party must put measures in place to:
- Identify any possible internal and external risks to personal information in its possession or under its control;
- Establish and maintain appropriate safeguards against the risks identified;
- Regularly verify that the safeguards are effectively implemented; and
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The responsible party must have due regard to generally accepted information security practices and procedures that may apply to it.
2. Financial Advisory and Intermediary Services (FAIS) Act
Board Notice 194 of 2017, Determination of Fit and Proper Requirements for Financial Services Providers, Section 37: Governance Requirements. Among others, an FSP’s governance framework must include:
- Systems and procedures that are adequate to safeguard the security, integrity, and confidentiality of information, including electronic data security and internal and external cybersecurity.
3. Joint Standard 1 – IT Governance and Risk Management for Financial Institutions
Governing bodies at financial institutions are responsible for complying with the Joint Standard. It places several obligations on financial institutions to ensure that they establish a sound and robust IT risk management framework, integrate technology risk management into their overall management system, and implement information security controls for the information held on IT systems. Within the IT Risk Management Framework section, the following two clauses are notable:
- The identification and prioritisation of IT assets, and protecting them from unauthorised access, misuse or fraudulent modification;
- The implementation of appropriate practices and controls to manage risks;
4. Joint Standard 2 – Cybersecurity and Cyber Resilience Requirements For Financial Institutions
Governing bodies at financial institutions are responsible for complying with the Joint Standard. It places several obligations on financial institutions to ensure that they establish appropriate and effective cyber resilience capabilities and cybersecurity practices to prevent, limit or contain the impact of a potential cyber event. Within the Data Security section, these two clauses are notable:
- Ensure that only authorised IT systems, endpoint devices and data storage mediums, are used to process, retrieve, communicate, transmit or store sensitive information;
- Ensure that security controls are implemented to prevent and detect the use of unauthorised internet services which allow users to communicate or store sensitive data;
5. The King IV Report and King Code (King IV)
The King IV Report and King Code (King IV) is an important instrument that governs the leadership of an organisation through principles of ethics and good governance. The instrument is structured like a report, and it includes a Code.
Principle 12, IT Governance: The purpose of this principle is to support the organisation in setting and achieving its objectives. Among others, it recommends that the governing body oversees that any IT risks are identified and managed, including appropriate responses to developments in technology and the management of disruptive effects.
6. Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA)
Section 2: Prohibits the interception of communications without consent but allows for lawful interception under specific conditions, thereby imposing duties to ensure the security and confidentiality of communications.
7. National Cybersecurity Policy Framework (NCPF)
Establishes a coordinated national approach to cybersecurity, assigning responsibilities to government entities and private organisations to protect information infrastructure and respond effectively to cyber threats.
In Conclusion
These legislative instruments collectively underscore the importance of implementing robust data security measures across various sectors. Organisations are advised to familiarise themselves with these laws and ensure compliance to mitigate legal risks and enhance cybersecurity resilience.
As technology evolves, so too will the application of legal principles like delict. Courts will need to grapple with complex questions about fault, causation, and harm in the digital age. For businesses, understanding the intersection of delict and cyber security is a strategic imperative.
By recognising the legal implications of their cyber security practices, organisations can better protect themselves, their stakeholders, and the general public. In doing so, they contribute to a safer, more secure digital ecosystem.
Delict and cyber security may seem worlds apart, but they share a common goal: protecting individuals and entities from harm. By aligning legal frameworks with technological realities, South Africa can foster accountability and resilience in the face of ever-evolving cyber threats.
Stay ahead of digital and legal exposures by strengthening your risk management and understanding South Africa’s legislative and regulatory frameworks.