Tackling cybercrime: a review of the draft Cybersecurity Bill 2011 - International Law Office

IT & Internet - Nigeria

September 04 2012


Introduction

In an attempt to bridge the gap between Nigeria and more developed economies, the financial service regulators have made major efforts to promote and initiate innovative financial services – all supported by technology and intense cyber activity. An increasing number of institutions, particularly banks and their customers, have become targets of phishing attacks, with varying degrees of success. Scam emails flood customers' inboxes on an almost-daily basis. Such emails are drafted to create the impression that the customers are being contacted by their banks. A number of these emails ask customers to divulge confidential information such as their account numbers, PINs and passwords. ATM cards are also targeted for cloning in order to commit fraud. The increasing use of smartphones to conduct financial transactions and the associated vulnerabilities make it even more imperative for action to be taken sooner rather than later.

Given the negative and often devastating impact of cybercrime on businesses around the world, and the concerns raised by such activity in Nigeria, the calls for legal and, to some extent, political intervention in the fight against cybercrime have grown steadily. Although the Nigerian security agencies, particularly the Economic and Financial Crimes Commission, have made efforts to tackle this malaise, they have had little success, primarily because Nigeria has no legislation that specifically targets cybercrime or improves cybersecurity. This has led to various efforts in recent years to fill the void with legislation that effectively tackles the threat of cybercrime.

Despite the concerted efforts of some stakeholders to have cybersecurity legislation passed by the National Assembly, there have been several setbacks over the years. The Cybersecurity Bill 2011, the product of several years of effort and lobbying, is aimed at providing "measures for national cybersecurity and for the prevention, detection, response and prosecution of cyber crimes and other related matters". Several versions of the bill, sponsored by different stakeholders, have found their way into the legislative houses, making it difficult to achieve the desired level of progress. This prompted the Office of the National Security Adviser to take charge of harmonising the various versions of the bill on cybersecurity that have appeared since 2004 in order to present a bill to the National Assembly.

Legal and regulatory framework

The bill is divided into six parts:

  • Part I deals with the bill's general objectives;
  • Part II specifies offences and penalties;
  • Part III targets the protection of critical information infrastructure;
  • Part IV provides for search, arrest and prosecution procedures; and
  • Parts V and VI deal with international cooperation (in the form of mutual assistance requests, extradition, expedited preservation of data, evidence pursuant to a request and the form of such requests), and miscellaneous issues such as directives and regulations, respectively.

Part II provides that the following activities constitute offences:

  • unlawful access to a computer;
  • unlawful interception of communications;
  • unauthorised modification of a computer program or data;
  • system interference;
  • misuse of devices;
  • computer-related forgery;
  • child pornography and related offences;
  • identity theft and impersonation;
  • cybersquatting;
  • cyberterrorism;
  • racist and xenophobic offences;
  • record retention and protection of data by service providers;
  • interception of electronic communications; and
  • failure of the service provider to perform certain duties.

Section 2(1) of the bill provides that:

"any person, who without authorisation or in excess of authorisation, intentionally accesses in whole or in part, a computer system or network, commits an offence [and is] liable on conviction to imprisonment for a term of two years or to a fine of not less than N5,000,000 or to both imprisonment and fine."

Section 2(2) provides that:

"where the offence provided in subsection (1) is committed with the intent of obtaining computer data, securing access to any program, commercial or industrial secrets or confidential information, the punishment shall be imprisonment for a term of three years or a fine of not less than N7,000,000 or both imprisonment and fine."

Furthermore, Section 2(3) provides that:

"any person who, with the intent to commit an offence under this section, uses any device to avoid detection or otherwise prevent identification with the act or omission, commits an offence [and is] liable on conviction to imprisonment of three years or to a fine of not less than N7,000,000 or to both imprisonment and fine."

In addition, Section 3 of the bill makes it an offence for anyone, intentionally and without authorisation, to intercept transmissions of non-public computer data, content data or traffic data – including electromagnetic emissions or signals from a computer system or connected system or network – by technical means. Such person would face imprisonment for two years, a fine of not less than N5 million or both.

Section 7 deals with computer-related fraud, stating that:

"any person who knowingly and without authority or in excess of authority, causes any loss of property to another by altering, erasing, inputting or suppressing any data held in any computer, whether or not for the purpose of conferring any economic benefits whether for himself or another person, commits an offence..."

Similarly:

"any person who with intent to defraud sends electronic message to a recipient, where such electronic message materially misrepresents any fact or set of facts upon which reliance, the recipient or another person is caused to offer any damage or loss, commits an offence..."

With regard to impersonation – which is one of the most common forms of cybercrime in Nigeria – and identity theft, Section 10 of the bill seeks to punish any person who, in the course of using a computer, computer system or network, knowingly obtains or possesses another person or entity's identity information with the intent to deceive, defraud or fraudulently impersonate another entity or person, living or dead, with the intent to:

  • gain some advantage;
  • obtain property or an interest in property;
  • cause disadvantage to the entity or person or another person;
  • avoid arrest or prosecution; or
  • obstruct, pervert or defeat the course of justice.

Section 12 criminalises the use of a computer, computer system or network for the purpose of terrorism.

Service providers' obligations
Sections 14, 15 and 16 set down the obligations of service providers:

  • Record retention – a service provider must keep all traffic data and subscriber information as may be required by the Nigerian Communications Commission (NCC) and, at the request of the NCC or any law enforcement agency, shall preserve, hold or retain any traffic data, subscriber information or related content, or release any information required by the NCC. This must be done with due regard to the right of privacy guaranteed by the 1999 Constitution (as amended), and the service provider shall take appropriate measures to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement.
  • Interception of communication – where there are reasonable grounds to suspect that the contents of any electronic communication are reasonably required for the purposes of a criminal investigation, a judge may order a service provider to allow the competent authorities to collect or record data associated with specified communications transmitted by means of a computer system, or assist them with collecting or recording such data.
  • At the request of any law enforcement agency or on its own initiative, a service provider shall provide assistance with:
    • the identification, apprehension and prosecution of offenders;
    • the identification, tracking and tracing of proceeds of any offence or any property, equipment or device used in the commission of any offence; or
    • the freezing, removal, erasure or cancellation of the offender's services which enables the offender either to commit the offence or to hide or preserve the proceeds of any offence or any property, equipment or device used to commit the offence.

Search, arrest and prosecutions
The bill empowers an authorised officer of any law enforcement agency that is entitled to enforce the bill to:

  • search any premises, computer or network;
  • arrest any person suspected of committing an offence; and
  • seize any computer system used in the commission of an offence under the bill.

Jurisdiction to try offences under the proposed law is vested in the Federal High Court and the high courts of the states and the Federal Capital Territory, Abuja.

International cooperation
Offences under the bill are extraditable under the Extradition Act (Chapter E25, Laws of the Federal Republic of Nigeria 2004). This means that the attorney general may request or receive assistance from any agency or authority of a foreign country in the investigation or cooperation carried out for the purpose of detecting, preventing, responding to and prosecuting any offence specified in the bill. The bill provides that this joint investigation may be carried out whether or not any bilateral or multilateral agreements exist between Nigeria and the requested or requesting countries. How this will work in practice remains to be seen.

Comment

The bill faces a number of challenges on its path to becoming law. These range from turf battles among the relevant law enforcement authorities and security agencies to a lack of committed pressure groups and the lack of integration of public and private sector stakeholders and sustained lobbying of members of the legislature to ensure the speedy consideration of the bill. One of the criticisms of the bill is that while it empowers the officers of security agencies to enforce its provisions, it does not assign responsibility for the enforcement of specific offences and inadvertently engenders conflict between these agencies. As the bill is drafted at present, it is foreseeable that the non-delineation of responsibility among the security agencies could lead to the duplication of efforts.

For further information on this topic please contact Jumoke Lambo or Godson Ogheneochuko at Udo-Udoma & Belo-Osagie by telephone (+234 1 462 2307 10), fax (+234 1 462 2311) or email (jumoke.lambo@uubo.org or godson.ogheneochuko@uubo.org).

