The Cybersecurity and Cybercrime Act 2021

The new Cybersecurity and Cybercrime Act 2021 (the ‘’Act’’) enacted on 19 November 2021 repeals the Computer Misuse and Cybercrime Act 2003. The new legislation provides for a National Cybersecurity Committee (the ‘‘Committee’’) and a comprehensive legal framework to deal with cybercrime.

Bodies established by the Act

Amongst its several functions, the Committee established under the Act will advise Government on cybersecurity and cybercrime and implement Government policy relating to cybersecurity and cybercrime. 

Moreover, the Act further establishes the Computer Emergency Response Team of Mauritius (CERT-MU) which will act as the national agency for coordinating cybersecurity response activities and promoting cybersecurity at national level.

Offences

Part III of the Act covers a multiple range of offences which may impact the cyber security operations of a business. Most of these offences will involve acts conducted intentionally and/or without an authorization. Some of these offences include:   

  1. unauthorised access to any program or data held in a computer system; 
  2. unauthorised interception of computer service;
  3. hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data, also referred to as an unauthorized interference;
  4. gaining of access to any computer program or computer data held in a computer system with intent to commit offences;
  5. unauthorised modification of computer data;
  6. unauthorised disclosure of any password, access code, biometric authentication, token, two-factor authentication, multi-factor authentication or any other means of gaining access to any computer program or computer data held in a computer system for its production, sale, procurement for use, import or distribution; 
  7. electronic fraud which occurs when a person, causes loss of property to another person by:
    1. any input, alteration, deletion or suppression of data; or
    2. any interference with the functioning of a computer system, to procure for himself or another person any form of advantage.
  8. computer-related forgery;
  9. cyber extortion which involves the use of the internet to demand money or other goods or behaviour from another person by threatening to inflict harm to his person, reputation, or property;
  10. infringement of copyright and related rights which would involve: 
    1. the attempt to use, publish or distribute another person’s work for commercial purpose, through a computer system;
    2. the downloading of movies, music files or pirated software applications for gain or against remuneration; or
    3. the posting of a copyrighted work such as writing or graphics, online for gain or against remuneration,

without the express authorization of the copyright author or owner of the copyright.

Investigatory powers

Investigatory authorities have been vested with powers for the implementation or enforcement of the Act. The Act defines an investigatory authority as the police or any other body lawfully empowered to investigate any offence. 

An investigatory authority can now serve a notice on a person who is in possession or control of traffic data for the expedited preservation or partial disclosure of the traffic data.

Following the principles of the Computer Misuse and Cybercrime Act 2003, an investigatory authority may have recourse to the Courts of Mauritius (more specifically the Judge in Chambers) for, amongst others : 

  1. Production orders where the disclosure of data is required for the purpose of a criminal investigation or prosecution of an offence; 
  2. The issue of warrants to enter any premises to access, search and seize stored data relevant for the purpose of an investigation or the prosecution of an offence
  3. Orders compelling the real-time collection or recording of traffic data
  4. Orders for the interception of content data
  5. Orders for the deletion or destruction of computer data. 

Critical Information Infrastructure 

The critical information infrastructure newly introduced in the Act is an asset, facility, system, network or process, whose incapacity, destruction or modification would have – (a) a debilitating impact on the availability, integrity or delivery of essential services, including those services whose integrity, if compromised, could result in significant loss of life or casualties, or (b) a significant impact on national security, national defence, or the functioning of the State.

The Committee, after consultation with a regulatory authority in control of any information infrastructure can identify an information structure which needs to be declared a critical information infrastructure.

A system is selected as a critical information infrastructure if a disruption of the system or its data would result in:

  1. the interruption of a life sustaining service such as the supply of water, health services and energy;
  2. an important effect on the economy;
  3. an event that would result in massive casualties or fatalities; or
  4. failure or substantial disruption of the money market.

Certain offences committed on a critical information infrastructure will result in increased penalties which could on conviction, attract a fine not exceeding 2 million rupees and imprisonment for a term not exceeding 25 years.

Important Note: This article is not intended to be a substitute for legal advice or a legal opinion. It deals in broad terms only and is intended to merely provide a brief overview and give general information.

Emmanuel Travailleur, Associate

Sameer K. Tegally, Partner