In April 2021 a new law with wide-ranging implications for all businesses was passed in Zambia, the Cyber Security and Cyber Crimes Act, 2021 (Act). Whilst the Act made it clear that critical information infrastructure would be subject to regulation, the Minister of Technology and Science (Minister) was required to pass regulations declaring what information would constitute critical information and what infrastructure would be considered critical information infrastructure.
With just a year post enactment of the Act, which represents an explosion in the landscape of the rules around data protection, the Zambia Information and Communications Technology Authority (ZICTA) together with the Minister has proposed new regulations, the Cyber Security and Cyber Crimes (Critical Information Infrastructure) Regulations, 2022 (CII Regulations).
The CII Regulations are intended to uplift the security and resilience of critical infrastructure on which critical information lies and which Government deems necessary for the protection of essential services relied on by the public.
This brief looks at how the CII Regulations will impact businesses (Affected Businesses), with a conclusion that for many Affected Businesses, the CII Regulations will necessitate significant changes in the management of critical information.
Critical information and critical information infrastructure
Under the CII Regulations, the following information has been declared critical information:
- information processed by a public body;
- information processed by operators of electronic communications networks and the providers of electronic communications services;
- information relating to the following sectors: banking and financial services; health; transport and communication; defence and national security; energy; insurance; education; taxation or mining;
- location based or mapping data;
- sensitive personal data;
- information processed by sector computer incident response teams; and
- configuration settings of critical information.
The CII Regulations propose to declare the infrastructure on which critical information is contained as critical information infrastructure (CII).
In addition, infrastructure that is vital to the provision of essential services has also been declared as CII. Essential services have been described so as to include, among others, generation, supply or distribution of electricity; medical or hospital; water supply and sewerage; agriculture; digital financial services; automatic teller machines; payment gateway; data centres; payment switch services; and mineral mining and operation.
The above declaration of what constitutes critical information and CII has the effect of broadening the application of cyber security legislation to businesses that would not have previously been subject to this regulation.
Registration and certification
An Affected Business will be required to apply for registration and obtain certification of ownership of CII. Any change to the CII in the form of design, security, configuration or operation will require the approval of ZICTA. Further, any transfer of registration certificates will require the approval of the Minister.
Localisation and externalization of critical information
Perhaps the greatest change provided by the Act and echoed by the CII Regulations is the requirement that all CII must be located in Zambia. Affected Businesses who intend to externalise critical information may apply to the Minister for approval. This decision to approve the externalization of critical information will be settled by the Minister in consultation with ZICTA, the National Cyber Security Advisory Coordinating Council (Council) and relevant security agencies.
While the CII Regulations provide an option for the externalization of critical information, the current proposed model includes an externalization fee of 0.5% of the applicant’s previous year’s annual turnover. The fee is proposed to be an annual fee. According to ZICTA, the proposed externalisation fee model is intended to encourage Affected Businesses to host their infrastructure in Zambia as there is already existing capacity for hosting.
Further, the CII Regulations will require all Affected Businesses to localise critical information that was externalized within 12 months following the issuance of the CII Regulations.
For Affected Businesses that will opt to retain their critical information on infrastructure outside Zambia, externalization will largely depend on the adequacy of the security measures being applied to the information and infrastructure on which the information is contained; whether it is necessary for the information to be stored outside Zambia; national security; consent by the data subject; and any other factors that the Minister considers necessary.
Mandatory breach notification
The CII Regulations are proposing a mandatory data breach notification requirement in respect of CII. Where an Affected Business suffers a security breach leading to destruction, loss, alteration, unauthorised disclosure, or access to personal data, it must report that breach to the supervisory authority, ZICTA. This mandatory breach notification is in addition to the monthly cyber security incident and threat report, which Affected Businesses will be required to submit within one month following the issuance of the CII Regulations.
Particularly difficult for Affected Businesses will be the additional rule that security breaches need to be notified to ZICTA within two hours of an organisation becoming aware of the breach.
This means that Affected Businesses will need to have robust and reliable systems for identifying and reporting security breaches, especially where such breaches are caused by human error. Further, the CII Regulations provide for a two-month window for Affected Businesses to implement the incident detection and reporting mechanisms.
Way forward
The supervisory authority, ZICTA, is currently seeking stakeholder input and participation as part of a broader consultative process to improve and progress the CII Regulations.
--
Read the full publication at Bowmans.