NIGERIAN CYBERCRIME ACT 2015 A Legal Review Focusing on Compliance and Enforcement Challenges Basil Udotai, Esq., Managing Partner, Technology Advisors ICT LAWYERS & CONSULTANTS
Digital Weak Link For years the Nigerian digital economy had carried on with the absence of a legal framework for cybercrime/ cybersecurity; a glaring gap in law enforcement/ nalonal security framework as well as a debilitalng weak link in our digital economy value chain; Has the Nigerian Cybercrime Act ably responded by filling the gap and strengthening the weak link? Does the law enforcement framework insltuted in the law reflect current cybercrime and cybersecurity challenges; would it lead to effeclve and efficient enforcement of the Act; and facilitate ease of compliance?
Milestones Pat on the Back: First ever statutory instrument criminalizing online aclons, prescribing punishment and crealng legal procedures for inveslgalon, proseculon and enforcement; InternaLonal Legal CooperaLon bealng the Dual Criminality challenge; CriLcal InformaLon Infrastructure ProtecLon (CIIP); InsLtuLonalized CERT and a NaLonal Forensic Lab; CreaLon of Regulatory Mandate over Cybercrime & Cybersecurity in the A\orney General of the FederaLon; Created a Stakeholder Community through the Advisory Council; Truly ground breaking with potenlal to greatly impact jurisprudence and legal development; governance (egovt); businesses and commercial aclviles; law enforcement and nalonal security; foreign direct investment and economic growth, etc
What are the Challenges? Challenges: Decentralized and Distributed Enforcement Framework; Issues with compliance; Possible ConsLtuLonal challenge (the NSA Act); Impact of the Cybersecurity Fund doub_ul; Technology- specificity; Special provisions on the Financial Sector worrisome (needless really); and tendency for focus shiaing dangerous; Unnecessarily TransacLonal in certain areas;
Why? Long, tortuous and complicated LegislaLve History: 2004/5 Cybercrime Bill 2005 by the Nigerian Cybercrime Working Group (NCWG) 2006 2008 Computer Security Bill; 2009 2010 More than 10 different bills (including the Electronic Fraud ProtecLon Bill sponsored by Senator Ayo Arise of EkiL) 2011 HarmonizaLon of the various bills by the ONSA culminated in the Cybersecurity Bill 2011; and 2012 2015 A\orney General inilated process resulted in the Cybercrimes Act 2015; - The Former A\orney General and the last NaLonal Assembly could have done a be\er job at this NOTE: I was involved in the process up to 2011; provided only nonbinding and informal advise between 2014 15
There is no operalng system or technology that has not yet been hacked! And some of the most protected and secured corporalons and governments insltulons have already been compromised!!!
Dr. Ibe Kachikwu - Appointed August 4; Impersonated same day, NNPC reacted August 16
Ideally The principles around Cybercrime LegislaLons require that the law focuses on : computer- related offences; Content- related offences; Computer integrity offences; JurisdicLon and Procedural issues: InternaLonal harmonizalon/relalons; A review of the law indicates that in addilon to meelng the foregoing milestones commendably, the draaers made strenuous efforts in seeking to bank transaclons: the DANGER of a single story
INTRODUCTION Summary of the Act Summary of the Act The Cybercrime Act is made up of: 59 SecLons 8 Parts; and 2 Schedules; 1st Schedule lists the Cybercrime Advisory Council; 2nd Schedule lists businesses to be levied for the purpose of the Cybersecurity Fund under S.44(2)(a): GSM service providers and all telecom companies Internet service providers Banks and other financial insltulons Insurance companies Nigerian Stock Exchange
Summary of the Act The Act is comprehensive in its coverage: CriLcal Infrastructure ProtecLon; Computer related offences; Content related offences; Offences against integrity, funclonality and confidenlality of systems and networks; Procedural provisions inveslgalon, proseculon and general enforcement; JurisdicLon and InternaLonal CooperaLon
SecLon- by- SecLon Review Part I- Objects and ApplicaLon SecLon 1: ObjecLves SecLon 2: ApplicaLon Part II- proteclon of crilcal NaLonal InformaLon Infrastructure SecLon 3: DesignaLon of certain computer systems or networks as CriLcal NaLonal InformaLon Infrastructure. SecLon 4: Audit and InspecLon of CriLcal NaLonal InformaLon Infrastructure.
SecLon- by- SecLon Part III- offences & PenalLes SecLon 5: Offences against CriLcal NaLonal InformaLon Infrastructure SecLon 6: Unlawful Access to computers SecLon 7: RegistraLon of Cybercafé SecLon 8: System Interference. SecLon 9: IntercepLng Electronic Messages, Emails Electronic Money Transfers. SecLon 10: Tampering with CriLcal Infrastructure SecLon 11: Willful MisdirecLon of Electronic Messages. SecLon 12: Unlawful interceplons. SecLon 13: Computer Related Forgery. SecLon 14: Computer Related Fraud. SecLon 15: Thea of Electronic Devices. SecLon 16: Unauthorized modificalon of computer systems, network data and System interference. SecLon 17: Electronic Signatures. SecLon 18: Cyber Terrorism.
SecLon- by- SecLon Offences & PenalLes SecLon 19: ExcepLons to Financial InsLtuLons PosLng and authorized oplons. SecLon 20: Fraudulent issuance of E- InstrucLons. SecLon 21: ReporLng of Cyber Threats. SecLon 22: IdenLty thea and impersonalon. SecLon 23: Child pornography and related offences. SecLon 24: Cyberstalking. SecLon 25: Cybersquapng. SecLon 26: Racist and xenophobic offences. SecLon 27: A\empt, conspiracy, aiding and abepng. SecLon 28: ImportaLon and fabricalon of E- Tools. SecLon 29: Breach of Confidence by Service Providers SecLon 30: ManipulaLon of ATM/POS Terminals. SecLon 31: Employees Responsibility SecLon 32: Phishing, Spamming, Spreading of Computer Virus. SecLon 33: Electronic cards related fraud. SecLon 34: Dealing in Card of Another. SecLon 35: Purchase or Sale of Card of Another SecLon 36: Use of Fraudulent Device or A\ached E- mails and Websites.
SecLon- by- SecLon Offences & PenalLes/AdministraLon Part IV- DuLes of Financial InsLtuLons SecLon 37: DuLes of Financial InsLtuLons DuLes of Service Providers SecLon 38: Records retenlon and proteclon of data. SecLon 39: IntercepLon of electronic communicalons SecLon 40: Failure of service provider to perform certain dules. Part V- AdministraLon and Enforcement SecLon 41: Co- ordinalon and enforcement. SecLon 42: Establishment of the Cybercrime Advisory Council SecLon 43: FuncLons and powers of the Council SecLon 44: Establishment of NaLonal Cyber Security Fund
SecLon- by- SecLon Part VI- Arrest, Search, Seizure and ProsecuLon SecLon 45: Power of arrest, search and seizure. SecLon 46: ObstrucLon and refusal to release informalon SecLon 47: ProsecuLon of offences SecLon 48: Order of forfeiture of assets. SecLon 49: Order for payment of compensalon or resltulon. Part VII- JurisdicLon and InternaLonal Co- operalon SecLon 50: JurisdicLon SecLon 51: ExtradiLon. SecLon 52: Request for mutual assistance SecLon 53: Evidence pursuant to a request. SecLon 54: Form of request from a foreign state. SecLon 55: Expedited PreservaLon of computer data SecLon 56: DesignaLon of contact point. Part VIII- Miscellaneous SecLon 57: RegulaLons. SecLon 58: InterpretaLon. SecLon 59: CitaLon
Enforcement Framework Is there a conspiracy to ensure Nigeria doesn t enforce cybercrime? You may feel that way if you look at the enforcement framework designed for this Law. But I think it was an error, which should be corrected: Decentralized and Distributed Enforcement Framework: NSA to coordinate enforcement by all LEA and Security Agencies ( relevant law enforcement agencies ); - Cybercrime inveslgalon, proseculon and enforcement separated? - TradiLonal approach in our Criminal JusLce System; - Usually based on CONFERED Authority; - Unprecedented departure from the norm, and very unlikely to work; - Threat of chaolc compliance
Possible ConsLtuLonal Challenge The NSA Act CONSTITUTION OF THE FEDERAL REPUBLIC OF NIGERIA SecLon 315 315. (1) Subject to the provisions of this ConsLtuLon, an exislng law shall have effect with such modificalons as may be necessary to bring it into conformity with the provisions of this ConsLtuLon and shall be deemed to be - (a) an Act of the NaLonal Assembly to the extent that it is a law with respect to any ma\er on which the NaLonal Assembly is empowered by this ConsLtuLon to make laws; and (b) a Law made by a House of Assembly to the extent that it is a law with respect to any ma\er on which a House of Assembly is empowered by this ConsLtuLon to make laws. (2) The appropriate authority may at any Lme by order make such modificalons in the text of any exislng law as the appropriate authority considers necessary or expedient to bring that law into conformity with the provisions of this ConsLtuLon. (3) Nothing in this ConsLtuLon shall be construed as affeclng the power of a court of law or any tribunal established by law to declare invalid any provision of an exislng law on the ground of inconsistency with the provision of any other law, that is to say- (a) any other exislng law; (b) a Law of a House of Assembly; (c) an Act of the NaLonal Assembly; or (d) any provision of this ConsLtuLon. (4) In this seclon, the following expressions have the meanings assigned to them, respeclvely - (a) "appropriate authority" means - (i) the President, in relalon to the provisions of any law of the FederaLon, (ii) the Governor of a State, in relalon to the provisions of any exislng law deemed to be a Law made by the House of Assembly of that State, or (iii) any person appointed by any law to revise or rewrite the laws of the FederaLon or of a State;
ConsLtuLon and the NSA Act (b) "exislng law" means any law and includes any rule of law or any enactment or instrument whatsoever which is in force immediately before the date when this seclon comes into force or which having been passed or made before that date comes into force aaer that date; and (c) "modificalon" includes addilon, alteralon, omission or repeal. (5) Nothing in this ConsLtuLon shall invalidate the following enactments, that is to say - (a) the NaLonal Youth Service Corps Decree 1993; (b) the Public Complaints Commission Act; (c) the NaLonal Security Agencies Act; (d) the Land Use Act, and the provisions of those enactments shall conlnue to apply and have full effect in accordance with their tenor and to the like extent as any other provisions forming part of this ConsLtuLon and shall not be altered or repealed except in accordance with the provisions of seclon 9 (2) of this ConsLtuLon. (6) Without prejudice to subseclon (5) of this seclon, the enactments menloned in the said subseclon shall hereaaer conlnue to have effect as Federal enactments and as if they related to ma\ers included in the Exclusive LegislaLve List set out in Part I of the Second Schedule to this ConsLtuLon.
Cybersecurity Fund MAY NOT DELIVER: - By SecLon 44 (a) levy of 0.005 of all electronic transaclons by the businesses specified in the second schedule to this Act: GSM service providers and all telecom companies Internet service providers Banks and other financial insltulons Insurance companies Nigerian Stock Exchange With a trillion or so worth of transaclons, someone put the number that is likely to result to the fund at N600m
CONCLUSION The Cybercrime Act though long in coming and beset with certain challenging components, may be applied to effeclve tackle Nigeria s cybercrime and cybersecurity challenges. But deliberate efforts have to be made by the key players; ONSA and the OAGF working with stakeholders to make this a reality
CONTACT: basil@ta.com.ng 08033066004 THANK YOU