September 04 2012
In an attempt to bridge the gap between Nigeria and more developed economies, the financial service regulators have made major efforts to promote and initiate innovative financial services – all supported by technology and intense cyber activity. An increasing number of institutions, particularly banks and their customers, have become targets of phishing attacks, with varying degrees of success. Scam emails flood customers' inboxes on an almost-daily basis. Such emails are drafted to create the impression that the customers are being contacted by their banks. A number of these emails ask customers to divulge confidential information such as their account numbers, PINs and passwords. ATM cards are also targeted for cloning in order to commit fraud. The increasing use of smartphones to conduct financial transactions and the associated vulnerabilities make it even more imperative for action to be taken sooner rather than later.
Given the negative and often devastating impact of cybercrime on businesses around the world, and the concerns raised by such activity in Nigeria, the calls for legal and, to some extent, political intervention in the fight against cybercrime have grown steadily. Although the Nigerian security agencies, particularly the Economic and Financial Crimes Commission, have made efforts to tackle this malaise, they have had little success, primarily because Nigeria has no legislation that specifically targets cybercrime or improves cybersecurity. This has led to various efforts in recent years to fill the void with legislation that effectively tackles the threat of cybercrime.
Despite the concerted efforts of some stakeholders to have cybersecurity legislation passed by the National Assembly, there have been several setbacks over the years. The Cybersecurity Bill 2011, the product of several years of effort and lobbying, is aimed at providing "measures for national cybersecurity and for the prevention, detection, response and prosecution of cyber crimes and other related matters". Several versions of the bill, sponsored by different stakeholders, have found their way into the legislative houses, making it difficult to achieve the desired level of progress. This prompted the Office of the National Security Adviser to take charge of harmonising the various versions of the bill on cybersecurity that have appeared since 2004 in order to present a bill to the National Assembly.
The bill is divided into six parts:
Part II provides that the following activities constitute offences:
Section 2(1) of the bill provides that:
"any person, who without authorisation or in excess of authorisation, intentionally accesses in whole or in part, a computer system or network, commits an offence [and is] liable on conviction to imprisonment for a term of two years or to a fine of not less than N5,000,000 or to both imprisonment and fine."
Section 2(2) provides that:
"where the offence provided in subsection (1) is committed with the intent of obtaining computer data, securing access to any program, commercial or industrial secrets or confidential information, the punishment shall be imprisonment for a term of three years or a fine of not less than N7,000,000 or both imprisonment and fine."
Furthermore, Section 2(3) provides that:
"any person who, with the intent to commit an offence under this section, uses any device to avoid detection or otherwise prevent identification with the act or omission, commits an offence [and is] liable on conviction to imprisonment of three years or to a fine of not less than N7,000,000 or to both imprisonment and fine."
In addition, Section 3 of the bill makes it an offence for anyone, intentionally and without authorisation, to intercept transmissions of non-public computer data, content data or traffic data – including electromagnetic emissions or signals from a computer system or connected system or network – by technical means. Such person would face imprisonment for two years, a fine of not less than N5 million or both.
Section 7 deals with computer-related fraud, stating that:
"any person who knowingly and without authority or in excess of authority, causes any loss of property to another by altering, erasing, inputting or suppressing any data held in any computer, whether or not for the purpose of conferring any economic benefits whether for himself or another person, commits an offence..."
"any person who with intent to defraud sends electronic message to a recipient, where such electronic message materially misrepresents any fact or set of facts upon which reliance, the recipient or another person is caused to offer any damage or loss, commits an offence..."
With regard to impersonation – which is one of the most common forms of cybercrime in Nigeria – and identity theft, Section 10 of the bill seeks to punish any person who, in the course of using a computer, computer system or network, knowingly obtains or possesses another person or entity's identity information with the intent to deceive, defraud or fraudulently impersonate another entity or person, living or dead, with the intent to:
Section 12 criminalises the use of a computer, computer system or network for the purpose of terrorism.
Service providers' obligations
Sections 14, 15 and 16 set down the obligations of service providers:
Search, arrest and prosecutions
The bill empowers an authorised officer of any law enforcement agency that is entitled to enforce the bill to:
Jurisdiction to try offences under the proposed law is vested in the Federal High Court and the high courts of the states and the Federal Capital Territory, Abuja.
Offences under the bill are extraditable under the Extradiction Act (Chapter E25, Laws of the Federal Republic of Nigeria 2004). This means that the attorney general may request or receive assistance from any agency or authority of a foreign country in the investigation or cooperation carried out for the purpose of detecting, preventing, responding and prosecuting any offence specified in the bill. The bill provides that this joint investigation may be carried out whether or not any bilateral or multilateral agreements exist between Nigeria and the requested or requesting countries. How this will work in practice remains to be seen.
The bill faces a number of challenges on its path to becoming law. These range from turf battles among the relevant law enforcement authorities and security agencies to a lack of committed pressure groups and the lack of integration of public and private sector stakeholders and sustained lobbying of members of the legislature to ensure the speedy consideration of the bill. One of the criticisms of the bill is that while it empowers the officers of security agencies to enforce its provisions, it does not assign responsibility for the enforcement of specific offences and inadvertently engenders conflict between these agencies. As the bill is drafted at present, it is foreseeable that the non-delineation of responsibility among the security agencies could lead to the duplication of efforts.
For further information on this topic please contact Jumoke Lambo or Godson Ogheneochuko at Udo-Udoma & Belo-Osagie by telephone (+234 1 462 2307 10), fax (+234 1 462 2311) or email (firstname.lastname@example.org or email@example.com).
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.