Nigeria is more qualified to be a world power than any African Nation. The pathway to achieving this is to view every bill passed into law by the National Assembly as an opportunity to realise this national ambition.
Corporate organisations must see the economic value of the Cyber Crime Act 2015 instead of its express punitive provisions against cyber criminals. Nigerians, especially corporate organisation should not view this law as only mechanism for punishing online scam.
This law is capable of attracting foreign investment and fortifying the integrity of our cyber space. Highlighted below are highlights of the provisions in the Cyber Crime Act of 2015 that could affect the interests of various private organisations doing business in Nigeria.
1. President’s Power to Designate
The President may on the recommendation of the National Security Adviser, designate certain Computer systems as constituting Critical National Information Infrastructure.
The provision of this section is to the effect that the president can decide to take over certain computer systems in any company as Critical ‘National Information infrastructure’. The power to designate is similar to the power to declare a ‘State of Emergency’ on the Computer system/network of any organization, if the interference with such system and asset would have a debilitating impact on the security, public health and safety of the nation.
Therefore, an organization must protect its computer systems /network from any form of hacking or interference, otherwise the president would be compelled to make orders with respect to how the system could be accessed or how data could be transferred from the system. Sec 3 (2)
2. Electronic Signature
There is the need for all organizations to ensure that their electronic signature is secure and difficult to be forged or cloned. The law provides that an electronic signature in respect of purchase of goods or online order is binding on the author of such electronic message. Where the presumed author claims that the signature was forged, he would have to discharge the heavy burden of proving that the signature did not emanate from his computer system or network.
3. Reporting of Cyber Threats -Section 21 (1-3)
The act has imposed obligations on any person or institution, who operates a computer system/network, whether public or private, to inform the National Computer Emergency Response Team (CERT) of any attacks, intrusions or disruptions liable to hinder the functioning of another computer system or network within (7) Seven days of such occurrence, so that the National CERT can take the necessary measures to tackle the issues.
When this threat is reported to the national CERT, CERT may propose isolation of the affected computer systems or network, pending resolution of the issues. 21(2)
The breach of this provision by any company attracts denial of internet services and additional payment of N2,000,000.00 into the Cyber security fund.
This provision is worthy of note, as companies would be caught in between two choices of either reporting an intrusion into its system (which may result in isolation of its systems pending resolution of issues and could take a long time, thereby hurting the business) or mobilise expertise to deal with the issues in- house without informing the CERT. This is obviously a dilemma, especially where the latter option is not properly executed by the in-house consultant, thereby attracting heavy liability on the organization under section 21(3).
4. Breach of Confidence by Service Providers- Section (29)
In the recent past, service providers were ‘lords unto themselves’ and the only redress available to dissatisfied consumers was the termination of their service contracts. With the enactment of this Act, companies can now hold their internet service providers accountable for poor services under section 29 (1), especially when the monetary value of the loss sustained by the consumer can be quantified and proven. Companies are now empowered to demand quality from their internet service providers.
The major flaw of this Act is the failure of its drafters to establish an agency for enforcement and prosecution. Which government agency has the specialized capability to address petitions or complaints in cases of breach by Service providers? The Police? The EFCC? We are not sure these agencies have the in-depth technical ability to investigate and prove the contravention of this provision beyond reasonable doubt in the court of law.
It is unfortunate that while the agitation for a special agency is still ongoing, companies would have to depend on existing law enforcement agencies to make service providers accountable.
5. Employees Responsibility- Section 31
Regardless of any contract of employment, all employees must relinquish or surrender all codes and access rights to their employers immediately upon disengagement. Failure to comply would be presumed as an attempt to hold the employer to ransom and the punishment is 3 years imprisonment or fine of N3 Million or both.
The HR departments of organisations should take advantage of the protection offered by the Act by inserting this provision in their standard disengagement/termination letters.
6. Duties of Service Providers to Law enforcement Agencies Section 40
This is a situation where the right to privacy must bow to national security in view of the global insecurity of the 21st century.
Service Providers are now under the obligation to provide information requested by any law enforcement agencies. Failure to assist law enforcement agencies attracts a fine of N10 million. In addition, the owners of the service-providing company could also be liable for three years imprisonment and N7 million fine.
The best way for organisations to seek protection under this act is by inserting clauses in their service agreements that would entitle them to be informed by their service providers of any request for information from law enforcement agencies relating to the organisation’s data or computer system.