Banks want protection of data under Cybercrimes Act
FINANCIAL institutions are concerned that they could face serious risk and liability exposure from clients if not properly protected under the Cybercrimes Act, from the authorities having access to information or data which are not relevant to their investigations of an offence.
In its submission yesterday to the Joint select Committee which is considering changes to the 2015 Cybercrimes Act, the Jamaica Bankers’ Association said it was concerned about whether there were protection mechanisms in place in the event of a warrant for seizure, where an entity’s computer is used by an employee to commit an offence.“What procedure does the Cybercrimes Authority have in place to ensure that only the relevant information is accessed by the investigators in relation to the offence, and that any other information accessed which may come to their attention (not related to the investigations) will not be used or divulged due to confidentiality concerns? Is there a process on how this process will be handled in relation to a company?” the bankers’ association queried.
The financial sector operators said there is also general concern about whether they could find themselves liable for actions of employees who use company hardware or software in committing a cybercrime. “There should be legislative provisions… whereby the authority guarantees confidential treatment of all information obtained on the computer, which is not related to the offence,” the association said.The bankers’ association also pointed to the strict liability imposed on directors, managers, and other officers at that level, for offences committed by corporate bodies. It said these criminal sanctions only appear to target officers, and that these should rightly be imposed on the employees who actually commit the offence.“The due diligence required of a corporation should also be spelt out so that it is abundantly clear that liability will not attach to the officers in such case. We would also recommend that specific liability be imposed on an employee in circumstances where the employee uses the company’s computer or data storage medium for personal use,” the association argued.The institutions noted also that financial institutions also experience fraud-related losses, and not just individuals, and that Section 8 of the Bill should therefore be clarified to include companies.
Furthermore, the association said, after proving that a person acted fraudulently, it is unnecessary to also require proof that the person acted with intent to procure an advantage for himself or another person, as proof of fraud should be sufficient.The absence of a definition for data storage device in the current Cybercrimes Act was also raised, with bankers noting that while the definition of “computer” referenced “data storage device” or “electronic communications systems”, a data storage device doesn’t need to be connected to a network, or form part of an electronic communications system.
“It should be clear whether the Cybercrimes Act is intended to cover only crimes covered over a ‘network’, whether public or private, or is intended to cover crimes committed using an electronic device generally,” the association said.
A proposal has also been made for the Cybercrimes Act and the Law Reform (Fraudulent Transactions) Special Provisions Act to be reviewed at the same time, as both legislations overlap substantially in the criminal acts which they cover: “This would ensure that there are no gaps and that the policy underlying each, if the same, is reflected in the penalties, which are vastly different, depending on whether the person is convicted under the Cybercrimes Act or the Fraudulent Transactions Act,” the association said.
Now you can read the Jamaica Observer ePaper anytime, anywhere. The Jamaica Observer ePaper is available to you at home or at work, and is the same edition as the printed copy available at https://bit.ly/epaper-login