Cyber Security

Doing business in Nigeria? What you need to know about the Cyber Crime Act, 2015

By Kayode Adeniji

Nigeria is more qualified to be world power than any African Nation. The pathway to achieving this is to view every bill passed into law by the National Assembly as an opportunity to realize the country’s ambition to become a major global player.

Corporate organizations must see the economic value of the Cyber Crime Act of 2015 and not just its provisions against cyber criminals. Nigerians, especially corporate organization should not view this law as only mechanism for punishing online scammers.

This law is capable of attracting foreign investment and fortifying the integrity of our cyber space. Below are highlights of the provisions in the Cyber Crime Act of 2015 that could affect the interests of various private organizations .

1.     President’s Power to Designate

The President may on the recommendation of the National Security Adviser, designate certain Computer systems as constituting Critical National Information Infrastructure.

The provision of this section is to the effect that the president can decide to take over certain computer systems in any company as Critical ‘National Information infrastructure’. The power to designate is similar to the power to declare a ‘State of Emergency’ on the Computer system/network of any organization, if the interference with such system and asset would have a debilitating impact on the security, public health and safety of the nation.

Therefore, an organization must protect its computer systems /network from any form of hacking or interference, otherwise the president would be compelled to make orders with respect to how the system could be accessed or how data could be transferred from the system.  Sec 3 (2)

2.    Electronic Signature

There is the need for all organizations to ensure that their electronic signature is secure and difficult to be forged or cloned. The law provides that an electronic signature in respect of purchase of goods or online order is binding on the author of such electronic message.  Where the presumed author claims that the signature was forged, he would have to discharge the heavy burden of proving that the signature did not emanate from his computer system or network.

3.    Reporting of Cyber Threats -Section 21 (1-3)

The act has imposed obligations on any person or institution, who operates a computer system/network, whether public or private, to inform the National Computer Emergency Response Team (CERT) of any attacks, intrusions or disruptions liable to hinder the functioning of another computer system or network within (7) Seven days of such occurrence, so that the National CERT can take the necessary measures to tackle the issues.

When this threat is reported to the national CERT, CERT may propose isolation of the affected computer systems or network, pending resolution of the issues. 21(2)

The breach of this provision by any company attracts denial of internet services and additional payment of N2,000,000.00 ($10,000) into the Cyber security fund.

This provision is worthy of note, as companies would be caught in between two choices of either reporting an intrusion into its system (which may result in isolation of its systems pending resolution of issues and could take a long time, thereby hurting the business) or mobilise expertise to deal with the issues in- house without informing the CERT. This is obviously a dilemma, especially where the latter option is not properly executed by the in-house consultant, thereby attracting heavy liability on the organization under section 21(3).

4.    Breach of Confidence by Service Providers - Section (29)

In the recent past, service providers were ‘lords unto themselves’ and the only redress available to dissatisfied consumers was the termination of their service contracts. With the enactment of this Act, companies can now hold their internet service providers accountable for poor services under section 29 (1), especially when the monetary value of the loss sustained by the consumer can be quantified and proven. Companies are now empowered to demand quality from their internet service providers.

The major flaw of this Act is the failure of its drafters to establish an agency for enforcement and prosecution. Which government agency has the specialized capability to address petitions or complaints in cases of breach by Service providers? The Police? The EFCC? We are not sure these agencies have the in-depth technical ability to investigate and prove the contravention of this provision beyond reasonable doubt in the court of law.

It is unfortunate that while the agitation for a special agency is still ongoing, companies would have to depend on existing law enforcement agencies to make service providers accountable.

5.    Employees Responsibility - Section 31

Regardless of any contract of employment, all employees must relinquish or surrender all codes and access rights to their employers immediately upon disengagement. Failure to comply would be presumed as an attempt to hold the employer to ransom and the punishment is 3 years imprisonment or fine of N3 Million ($15,000) or both.

The HR departments of organisations should take advantage of the protection offered by the Act by inserting this  provision in their standard disengagement/termination letters.

6.    Duties of Service Providers to Law enforcement Agencies Section 40

This is a situation where the right to privacy must bow to national security in view of the global insecurity of the 21st century.

Service Providers are now under the obligation to provide information requested by any law enforcement agencies. Failure to assist law enforcement agencies attracts a fine of N10 Million ($50,000). In addition, the owners of the service-providing company could also be liable for 3 years imprisonment and N7 Million ($35,000)  fine.

The best way for organisations to seek protection under this act is by inserting clauses in their service agreements that would entitle them to be informed by their service providers of any request for information from law enforcement agencies relating to the organisation’s data or computer system.

Kayode Adeniji is a dispute lawyer and resolution expert and the author of Righteous Man in Power.

One thought on “Doing business in Nigeria? What you need to know about the Cyber Crime Act, 2015

  1. Karl Obayi

    Very informative article. However, my biggest friction point, is that the necessary infrastructure to effectively implement the Act is not in place. I am particularly concerned, that the stakeholders - Lawyers, Judges and the prosecution barely have the requisite technical skills to implement this Act.

    The proof or otherwise of cyber crimes requires at a minimum, some nodding acquaintance with the technical nuance associated with the use of computers, the workings of the internet and communication technologies.

    I am not quite sure how this Act in the absence of the relevant technical skills and competent personnel will be judiciously implemented. The stake holders already identified, would need at a minimum, basic training on how computers and the internet work. A knowledge of how to send emails and surf the internet is not enough.

    Barrister Karl Obayi

Leave a Reply

Your email address will not be published. Required fields are marked *