R1000 fine for attempting to "steal" 30 000 clients?
One of the first criminal convictions under the ECT Act shows a worrying trend towards light sentencing relative to the potential harm.
In one of the first criminal cases heard under section 86(1) of the Electronic Communications and Transactions Act, passed in August last year, it appears that the courts may be following a worrying trend of passing out light sentences for computer-related crimes, with fines vastly out of proportion in comparison to the losses, or in this case, potential losses that could be borne by the victims.
The accused in the Northern Transvaal regional division case of S v Douvenga  , who attempted to e-mail her company's entire client database of 30 000 names and addresses to her fiancé, so that she could take it with her to new employment at an opposition company, was sentenced to a fine of R1000.00 or 3 months in prison! While it must be borne in mind that she failed in her attempt to take the data (as her e-mails were so large that they blocked the network), the potential damage is enormous.
Her (previous) employers could have stood to suffer vast losses should the data have been given to their competitors. While it is difficult to calculate such losses in purely monetary terms, a fine of R1000.00 would appear to be a minor sanction in comparison.
Strong comparisons can be drawn with similar developments in the United Kingdom. In the notorious case of R v Whitely  , the accused was sentenced to a fine of £1650.00, when he had caused damages in excess of £50 000.00! This case, along with the Bedworth case  , created a public outcry, but perhaps as the use of the Internet and computers was not as central to business as it is today, these cases could be distinguished.
Should this be the case in South Africa today? Many employers put their employees in positions of trust, especially in relation to sensitive data, and many millions of rands are spent on computer security. But if an employee knows that at best, they risk a minimal fine, they would be far more tempted to take a chance and "steal" such data. Similarly, there are unfortunately many businesses that are unscrupulous enough to take advantage of this and make offers to potential employees who would bring with them such potentially useful data from their competitors.
In the Douvenga case, counsel for the accused argued that the legislature had proscribed only a fine or a maximum of one year's imprisonment for unlawfully accessing data, while sections 86(4) and (5), which deal with hacking through security measures, carry the greater penalty of 5 years imprisonment or a fine, indicated that the legislature had not considered these crimes as very damaging, in comparison to the potential damage.
Counsel for the accused argued:
"die wetgewer eintlik baie laag gemik het met die strafbepaling as 'n mens kan dink aan wat die omvang en die mooilikhede is waar heirdie misdade dan gepleeg kan word"
So while it is arguable that the legislature should have proscribed greater penalties, it is difficult to see how this could convince the court that a meagre sentence of one thousand rands was appropriate!
Paul Esselaar, managing director of Trustenforce.org, South Africa's leading online dispute resolution company, stated:
"This decision could set a dangerous precedent. If employees feel that they can illegally access and remove sensitive data and then use it to their advantage, and all they risk is a relatively small fine, it could encourage such behaviour, and undermine the growth of the South African IT sector."
This is one of the first such cases, but probably by no means the last. The judiciary should take heed of the damage to business that such illegal actions can create, and use the proscribed sanctions that the Act gives to their fullest extent, so as to eradicate this threat before it becomes more widespread.
Counsel for the accused argued that because it is "a new law" and there are no precedents as to how sentencing should be passed, the court should be guided by the relatively low proscribed maximum jail sentence (there is no proscribed maximum fine). This argument however should not be taken too far, but rather the courts should seek to impose prohibitions more commensurate with the harm or potential harm caused.
 Unreported judgement, S v Douvenga case no 111/150/2003, dated 2003/08/19 Northern Transvaal Regional Division
 93 Cr App R 25
 R v Bedworth  4 All ERR v Whitely (1991)
02 Dec 2003
This article is intended to provide general guidance and does not constitute professional advice relating to specific instances. Should you wish to place any reliance on the information presented in this article we strongly advise that you consult your legal advisor or the Electronic Law Consultancy - firstname.lastname@example.org