Three topics will top the list of priorities for executives in the technology, media and telecommunications (TMT) sector in South Africa in 2021, according to by Warren Hero, Dario Milo, Ziyanda Ntshona, Candice Meyer, Karl Blom from Webber Wentzel. They are cyber security, B-BBEE and the allocation of high frequency radio spectrum to enable the roll-out of 5G.
Cyber security, B-BBEE and spectrum allocation all have legal implications for companies, both those in the TMT sector and their customers.
Cyber security – put measures in place ahead of an attack
According to Warren Hero, Webber Wentzel’s chief information officer, 90% of cyber-attacks still start with an email. That requires companies to train employees properly, stop auto-forwarding emails, and introduce multi-factor authentication.
Hero and Webber Wentzel’s partner specialising in data breach law, Dario Milo, agree that cyber-attacks on organisations are inevitable. Milo says there are obligations on companies under the Protection of Personal Information Act (POPIA) which require parties to put appropriate, technical and reasonable measures in place to prevent a cyber-attack. Companies should also act swiftly to minimise financial and reputational harm when a cyber-attack strikes.
Hero says this means giving employees the minimum access to sensitive information that is necessary to perform their jobs, making sure that systems are in place to pick up data breaches quickly (most South African entities take about eight months to discover they have been attacked), and having response measures in place. The first step in the event of an attack is to quarantine the damage, identify what databases have been accessed illegally and make concise, accurate reports of the extent of damage.
Milo adds that a multidisciplinary crisis response team should be established, including IT, legal and insurance experts, and they should oversee an immediate investigation to determine what happened and why, and to ensure that steps are taken to prevent a recurrence of the attack.
In the event of a ransomware attack, Hero says it is essential not to simply pay a ransom because it may not result in the recovery of the data and may make the organisation the target of future attacks.
Milo says the “big five” priorities that arise from a data breach from a litigator’s perspective are notifications to the Information Regulator and any other industry regulator; stakeholder management; potential civil applications to recover data; preparing for civil litigation against the company for breaches of data privacy; and preparing for investigations by the Information Regulator, which may result in fines.
Webber Wentzel’s view is that it will not be legally required to inform the information regulator of a data breach before POPIA comes into full effect on 1 July, but an organisation would be wise to inform both the regulator and the data subjects in any event, to protect its reputation and rebuild the trust of all stakeholders.
B-BBEE regulations create opportunities for upskilling
Ziyanda Ntshona, partner in the firm’s M&A team and the head of the firm’s Corporate Department, says the ICT sector struggles to meet the 30% ownership and management control levels laid down in the ICT Sector Code. According to the B-BBEE Commission’s Annual Report, 2020, the media, advertising and communication sector’s average black ownership level is only 19.55%, and black leadership is largely confined to junior and mid-management level.
In an apparent effort to secure greater transparency and accountability on the implementation of transformation measures in South Africa, the B-BBEE Commission in January issued Explanatory Notice 1 of 2021, entitled “Guidelines for Completing the Compliance Matrix for Submission of a Compliance Report in terms of section 13G(1) and (2) of the B-BBEE Act“. It takes effect from 1 April 2021.
Webber Wentzel M&A partner Candice Meyer says this notice expands the compliance matrix which must be submitted annually to the B-BBEE Commission by government, public entities, organs of state and JSE-listed companies on their B-BBEE compliance. It demands a greater level of detail on procurement and spending. There has been some criticism that this level of detailed reporting is extremely onerous, since it is in addition to the formal B-BBEE verification process.
The draft ICASA Regulations will require that applicants for, and holders of, individual licences in terms of the Electronic Communications Act will be obliged to be 30% black-owned and have level 4 B-BBEE status for B-BBEE purposes. They will also be required to be 30%-owned by historically disadvantaged persons or groups, i.e. owned by black people, and women, youth and people with disabilities, who before the Constitution came into force were unfairly discriminated against on grounds of race, gender, sexual orientation, disability, or religion. The definition of historically disadvantaged persons does not appear to be limited to black persons.
Meyer says some licence holders may currently be less than 30% black-owned, so this will need to be rectified. New applicants and existing licence holders must comply within 24 months and must achieve 50% compliance within 12 months. If they do not, once the transitional period has expired for ownership compliance, a penalty of ZAR5 million or 10% of turnover, whichever is greater, may be levied on the licence holder who fails to meet or maintain the strict ownership requirements at any time during the licence period.
The Employment Equity Bill intends to strengthen black representation at all levels within the economy. The bill will grant the minister power to set sectoral numerical targets for different occupational levels across sectors and sub-sectors of the economy. Those entities that do not comply with the targets, if mandatory, will not be able to secure a compliance certificate needed to conduct business with the state.
These interventions should be accompanied by measures to broaden access to affordable mobile data, which is needed for education and taking advantage of economic opportunities. Measures are also needed to grow the pool of IT skills in South Africa so that the fast-growing ICT sector can provide jobs and absorb those that are being shed elsewhere in the economy as a result of digitisation. Without interventions on matters such as education and requiring greater compliance by entities operating in the ICT sector, it will be harder to meet the ICT sector B-BBEE objective, Ntshona says.
Challenges to spectrum allocation could perpetuate high data costs
Karl Blom, senior associate at Webber Wentzel, says recent legal challenges to the Independent Communication Authority of South Africa’s (ICASA) allocation of high-frequency spectrum threaten to delay the roll-out of 5G and next-generation devices, potentially for years. As long as this roll-out is delayed, it means continuing high infrastructure costs for operators, which translates into higher data costs for their customers.
Current litigation is focused on two invitations to apply (ITAs) recently issued by ICASA: (i) an invitation for applicants to apply for a licence to operate a Wireless Open Access Network (the WOAN); and (ii) an invitation for licensees to apply for international mobile telecommunication (IMT) spectrum, which will be instrumental to the deployment of 5G in South Africa.
Telkom, MTN and eTV have challenged the two ITAs on various grounds. Telkom’s application for an interdict to halt both ITAs was heard in early February and is supported, in part, by eTV. If successful, the spectrum auction could be delayed, potentially for years, Blom says, while the matter proceeds through the courts.
MTN has challenged the “tier 1” and “tier 2” classifications introduced by ICASA in IMT ITA, on the basis that these classifications are not accurately defined and unfairly prejudice applicants that are categorised as “tier 1”. Should MTN succeed in its challenge, ICASA may dispute the outcome, which would result in delays to the spectrum issuing process.