CYBER SECURITY AND CYBER CRIMES ACT
Arrangement of Sections
Section
PART I
PRELIMINARY PROVISIONS
PART II
REGULATION OF CYBER SECURITY SERVICES
6. Constitution of Zambia Computer Incidence Response Team
7. Constitution of National Cyber Security Advisory and Co-ordinating Council
PART III
INSPECTORATE
8. Appointment of cyber inspector
9. Power to inspect and monitor
11. Power to access, search and seize
12. Obstruction of cyber inspector
13. Appointment of cyber security technical expert
14. Emergency cyber security measures and requirements
PART IV
INVESTIGATION OF CYBER SECURITY INCIDENTS
PART V
PROTECTION OF CRITICAL INFORMATION INFRASTRUCTURE
16. Scope of protecting critical information infrastructure
17. Declaration of critical information
18. Localisation of critical information
19. Registration of critical information infrastructure
20. Change in ownership of critical information infrastructure
21. Register of critical information infrastructure
22. Auditing of critical information infrastructure to ensure compliance
23. Duty to report cyber security incident in respect of critical information infrastructure
24. National cyber security exercises
25. Non-compliance with Part V
PART VI
INTERCEPTION OF COMMUNICATIONS
26. Prohibition of interception of communication
27. Central Monitoring and Co-ordination Centre
29. Interception of communication to prevent bodily harm, loss of life or damage to property
30. Interception of communication for purposes of determining location
31. Prohibition of disclosure of intercepted communication
32. Disclosure of intercepted communication by law enforcement officer
33. Privileged communication to retain privileged character
34. Prohibition of random monitoring
35. Protection of user from fraudulent or other unlawful use of service
36. Interception of satellite transmission
37. Prohibition of use of interception device
38. Assistance by service provider
39. Duties of service provider in relation to customers
40. Interception capability of service provider
PART VII
LICENSING OF CYBER SECURITY SERVICE PROVIDERS
41. Prohibition from providing cyber security services without licence
44. Refusal to grant or renew licence
46. Revocation or suspension of licence
PART VIII
INTERNATIONAL CO-OPERATION IN MAINTAINING CYBER SECURITY
47. Identifying areas of co-operation
PART IX
CYBER CRIME
49. Unauthorised access to, interception of or interference with computer system and data
50. Illegal devices and software
51. Computer related misrepresentation
54. Publication of information
55. Aiding, abetting, counselling etc.
56. Prohibition of pornography
60. Introduction of malicious software into computer system
62. Unsolicited electronic messages
63. Prohibition of use of computer system for offences
64. Application of offences under this Act
66. Minimisation etc. of genocide and crimes against humanity
67. Unlawful disclosure of details of investigation
68. Obstruction of law enforcement officer or cyber inspection officer
69. Harassment utilising means of electronic communication
PART X
ELECTRONIC EVIDENCE
73. Admissibility of electronic evidence
PART XI
GENERAL PROVISIONS
76. Prohibition of disclosure of information to unauthorised persons
80. Partial disclosure of traffic data
81. Collection of traffic data
85. Evidence obtained by unlawful interception not admissible in criminal proceedings
87. Power of court to order cancellation of licence, forfeiture etc.
AN ACT
to provide for cyber security in the Republic; provide for the constitution of the Zambia Computer Incidence Response Team and provide for its functions; provide for the constitution of the National Cyber Security Advisory and Coordinating Council and provide for its functions; provide for the continuation of the Central Monitoring and Co-ordination Centre; provide for the protection of persons against cyber crime; provide for child online protection; facilitate identification, declaration and protection of critical information infrastructure; provide for the collection of and preservation of evidence of computer and network related crime; provide for the admission, in criminal matters, of electronic evidence; provide for registration of cyber security service providers; and provide for matters connected with, or incidental to, the foregoing.
[1st April, 2021]
Act 2 of 2021,
SI 2 of 2021.
PART I
PRELIMINARY PROVISIONS
This Act may be cited as the Cyber Security and Cyber Crimes Act.
In this Act, unless the context otherwise requires-
"access" has the meaning assigned to the word in the Electronic Communications and Transactions Act;
"advanced electronic signature" has the meaning assigned to the words in the Electronic Communications and Transactions Act;
"article" means any data, computer program, computer data storage medium or computer system which-
(a) is concerned with, connected with or is, on reasonable grounds, believed to be concerned with or connected with the commission of a crime or suspected commission of a crime;
(b) may afford evidence of the commission or suspected commission of a crime; and
(c) is intended to be used or is, on reasonable grounds, believed to be intended to be used in the commission of a crime;
"Authority" has the meaning assigned to the word in the Information and Communication Technologies Act;
"cache" means the storing of data in a transmission system in order to speed up data transmission or processing;
"caching" has the meaning assigned to the word in the Electronic Communications and Transactions Act;
"child" has the meaning assigned to the word in the Constitution;
"child pornography" means pornography in audio, visual, text or other digital format that depicts or represents a child engaged in sexually explicit conduct;
"child solicitation" means persuading, luring, or attempting to persuade or lure a child into sexual activity through the use of a computer system or device, regardless of the outcome;
"computer" has the meaning assigned to the word in the Electronic Communications and Transactions Act;
"computer data" means a representation of facts, concepts or information in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function;
"computer data storage medium" means an apparatus or object from which electronic information is capable of being reproduced, with or without the aid of an article or device;
"computer system" means a set of integrated devices that input, output, process, and store data and information including internet;
"controller" means a person, either alone or in common with other persons, who controls and is responsible for critical information infrastructure;
"Council" means the National Cyber Security Advisory and Coordinating Council constituted under section 7;
"critical information" means information that is declared by the Minister to be critical for the purposes of national security or the economic and social well-being of the Republic;
"critical information infrastructure" means the cyber infrastructure that is essential to vital services for public safety, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace;
"cyber" means the-
(a) computer simulated environment; or
(b) state of connection or association with electronic communications systems or networks including the internet;
"cyber crime" means a crime committed in, by or with the assistance of the simulated environment or state of connection or association with electronic communications or networks including the internet;
"cyber ecosystem" means the interconnected information infrastructure of interactions among persons, processes, data, and information and communication technologies, along with the environment and the conditions that influence those interactions;
"cyber inspector" means a person appointed as cyber inspector under section 8;
"cyber security" means tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurances and technologies that can be used to protect the cyber environment, organisation and user assets;
"cyber security incident" means an act or activity on or through a computer or computer system, that jeopardises or adversely impacts, without lawful authority, the security, availability or integrity of a computer or computer system, or the availability, confidentiality or integrity of information stored on, processed by, or transiting a computer or computer system;
"damage" means the impairment to the integrity or availability of data, a program, a system or information;
"device" includes-
(a) components of computer systems such as graphic cards, memory chips and processors;
(b) storage components such as hard drives, memory cards, compact discs and tapes;
(c) input devices such as keyboards, mouse, trackpad, scanner and digital cameras;
(d) output devices such as printer and screens; and
(e) an apparatus which can be used to intercept a wire, oral or electronic communications;
"denial of service" means rendering a computer system incapable of providing a normal service to its legitimate user;
"digital forensics" means the application of scientific investigatory techniques to cyber crimes by collecting, identifying and validating the digital information for purposes of reconstructing past events;
"digital forensic tool" means hardware or software used for conducting digital forensics;
"Director-General" means a person appointed as Director-General under the Information and Communication Technologies Act;
"electronic communications" has the meaning assigned to the word in the Electronic Communications and Transactions Act;
"electronic communications service" means any service which provides the ability to send, receive, process or store electronic communications;
"electronic signature" has the meaning assigned to the word in the Electronic Communications and Transactions Act;
"explicit sexual conduct" includes sexual intercourse, or other sexual conduct whether between persons or between a person and an animal, masturbation, sexual sadistic or masochistic abuse, or the lascivious exhibition of the genitals or pubic area of any person;
"Genocide" has the meaning assigned to the word in the United Nations Convention on the Prevention and Punishment of the Crime of Genocide;
"hate speech and conduct" means verbal or non-verbal communication, action or material, whether video, audio, streaming or written, that involves hostility or segregation directed towards an individual or particular social groups on grounds of race, ethnicity, antisemitism, tribalism, sex, age, disability, colour, marital status, pregnancy, health status and economic status, culture, religion, belief, conscience, origin;
"hosting" has the meaning assigned to the word in the Electronic Communications and Transactions Act;
"hyperlink" means a clickable electronic reference or link of a data message that contains information about another source and when clicked points to and causes to display another data message;
"interception" means an act, by a person who is not a party to a conversation, of wiretapping subscribers or aural or other acquisition of conversation of any wire, electronic or oral communication through the use of an electronic, mechanical or other device;
"internet connection record" shall include-
(a) connections which are made automatically by a person, browser or device;
(b) a customer account reference such as an account number or identifier of the customer's device or internet connection;
(c) the time stamp of the session log;
(d) the source and destination IP addresses and their associated identity information;
(e) the volume of data transferred in either, or both, directions;
(f) the name of the internet service or server connected to;
(g) those elements of a URL which constitute communications data; or
(h) any other related meta data;
"information infrastructure" means the communication networks and associated software that support interaction among people and organisations;
"Information Technology Auditor" means a person who possesses the expertise to examine and evaluate an information security management system as it relates to information technology infrastructure;
"Judge" means a Judge of the High Court;
"law enforcement officer" means-
(a) a police officer above the rank of subinspector;
(b) an officer of the Anti-Corruption Commission;
(c) an officer of the Drug Enforcement Commission;
(d) an officer of the Zambia Security Intelligence Service; and
(e) any other person appointed as such by the Minister for purposes of this Act;
"malicious software" means a computer program written to allow access to a computer system, whether with or without user intervention for purposes of negatively affecting normal computer system usage or modifying data or transmitting data to another computer system;
"meta data" means data that describes other data;
"multiple electronic mail message" means a mail message including e-mail and instant messaging sent more than once to a recipient;
"penetration testing service" means a service for assessing, testing or evaluating the cyber security of a computer or computer system and the integrity of any information stored in or processed by the computer or computer system, by searching for vulnerabilities in, and compromising, the cyber security defences of the computer or computer system with express permission of the system owner;
"pornography" means audio or visual material that depicts images of a person engaged in explicit sexual conduct;
"premises" includes a computer and data messages;
"racist and xenophobic material" includes any image, video, audio recording or any other representation of ideas or theories, which advocates, promotes or incites hatred, discrimination or violence, against any individual or group of individuals, based on race, colour, descent or national or ethnic origin;
"service provider" means a public or private entity authorised to-
(a) provide or offer an electronic communication system;
(b) process or store computer data on behalf of a communication service or user of such service; or
(c) own an electronic communication system to provide or offer an electronic communication service;
"traffic data" means digital data that-
(a) relates to a communication by means of a computer system;
(b) is generated by a computer system that is part of the chain of communication; and
(c) shows the communication's origin, destination, route, time, date, size, duration or the type of underlying services;
"Uniform Resource Locator (URL)" means the unique address of the world wide web page; and
"Zambia Computer Incidence Response Team" means the Zambia Computer Incidence Response Team constituted under section 6.
Subject to the Constitution, where there is an inconsistency between the provisions of this Act and the provisions of any other written law relating to the regulation of cyber security, cyber crimes and digital forensics, the provisions of this Act shall prevail to the extent of the inconsistency.
PART II
REGULATION OF CYBER SECURITY SERVICES
The Authority is responsible for the implementation of this Act.
(1) The functions of the Authority are to-
(a) co-ordinate and oversee activities relating to cyber security and the combatting of cyber crime;
(b) provide quarterly reports to the Council;
(c) assess the work of the incident response teams within the public and private sectors;
(d) disseminate information on emerging cyber threats and vulnerabilities as presented;
(e) develop and promote an all inclusive secure cyber ecosystem;
(f) create a safe cyber space in critical information infrastructure;
(g) issue guidelines, cyber security codes of practice and standards of performance for implementation by owners of critical information infrastructure;
(h) promote, develop, maintain and improve competencies, expertise and professional standards in the cyber security community;
(i) promote research and development in the use of new and appropriate technologies and techniques in cybercrimes;
(j) promote education and awareness of the need for and importance of cyber security;
(k) establish international co-operation with foreign states and cyber security entities and strengthen partnerships in combatting cyber crime;
(l) undertake information security audits and penetration testing services on all critical information infrastructure;
(m) maintain a register of cyber security service providers;
(n) co-ordinate with law enforcement agencies to ensure safe cyber space and investigations of cyber incidences; and
(o) issue guidelines relating to digital forensics.
(2) The Authority shall in performing its functions, collaborate with the Ministry responsible for security, defence, and other relevant agencies on matters relating to cyber security.
6. Constitution of Zambia Computer Incidence Response Team
(1) The Authority shall constitute the Zambia Computer Incidence Response Team which shall-
(a) be the first point of contact with reference to the handling of cyber incidents and communication between local, regional and international cyber security emergency response teams or cyber security incident response teams;
(b) provide incident response and management services in a co-ordinated manner through established industry standard policies and procedures to manage threats associated with cyber incidents;
(c) provide alerts and warnings on the latest cyber threats and vulnerabilities which may impact the national community;
(d) assess and analyse the impact of incidents such as network security breaches, website hackings, virus and network attacks;
(e) assess and co-ordinate the work of sectorial cyber incidence response teams within the public and private sector;
(f) participate in information sharing and disseminate information with international cyber security incidence response teams and computer emergency response teams on the emerging threats to critical information infrastructure and internet resources;
(g) participate in and be a member of regional and international computer emergency response team groups; and