Cybercrimes Act 2015: Legal risk exposures of information technology companies

THE Nigerian 7th National Assembly would go down as one of the most sensational gathering of eminent Nigerians ever. One of its feats was the world-record breaking feat of passing 46 Bills within 10 minutes on its last legislative day. As the legislators were working in frenzy, President Goodluck Jonathan was also in a hurry to etch his name on the halls of fame. One clincher of a bill he signed into law was the Cybercrime Act 2015.

Nigeria ought to celebrate the passage of this bill to law in the lowest of keys as this is so late in coming; nevertheless, we now have something to gobble. I say this because our contemporaries such as Canada passed her Information Technology Act in 2000; Singapore- Electronic Transactions Regulations (1999) – Governs the actions of certification and related authorities in Singapore; Australia-NSW Electronic Transactions Act (2000) – Application of legal requirements to electronic communications; Mauritius- Electronic Transactions Act (2002); South Africa- Electronic Communications and Transactions Act (2002)- Modification of UNCITRAL Model law on E- commerce etc. All these countries have woken up since the beginning of the millennium while Nigeria waited for fifteen long years to scratch the surface.

Some scholarly efforts have been made to explore the legal and technical essence of the Act. This article however, is to update the IT company, IT department or IT enthusiasts, that the rules of the game has become drastically altered and knowledge of these changes may make or mar your burgeoning enterprise.

We await the President’s designation of some computers, networks and other cyber resources as ‘critical national information infrastructures’ (CNII). Mr. President must however, be properly guided that mere placid compliance with section 3 would not meet the exigency of our current national cyberspace vulnerability. Nigeria must as a matter of urgency invest in data clouds to domesticate our national data such as voter registration, banking details, military and intelligence information and data etc.

It is worth noting that the Act has vested the office of the National Security Adviser with the coordination of our national cyberspace. The implication of this is that we must as a matter of urgency start rethinking those we appoint as NSA’s. Being a transactional node for opaque military supplies and slush political funds disbursement would no longer help this vital office to perform its crucial role in the emerging security milieu.

Section 5 makes any offence against CNII punishable with up to 10 years imprisonment without the option of fine. For conviction to take effect, however, there must be Federal gazette with legal specifications of what constitutes CNII. Please don’t be afraid if you never intended any harm but your geek practice went out of order, just get a good techy lawyer. The Prosecution must prove there was an intention to illegally violate the national asset among other legal and technical complexities.

Cybercafé operators must register their enterprise with the Computer Professionals’ Registration Council (CPRC) in addition to their registration with the Corporate Affairs Commission (CAC). Also, you are required to have a register of users to be made available to security agents upon request. This provision in section 7, to me, is illegal. The CPRC Act does not provide for the function of registering cybercafés, the question then is, can the Cybercrime Council call a child a name the parents never gave it? That would be left to judges and lawyers to sort.

Cybercafés can be charged for connivance with cyber criminals if the prosecution can prove it according to law. To prove that a cybercafé owner connived in the commission of the offence the prosecution must prove the following beyond reasonable doubt-

The cybercafé negligently or intentionally refused to adopt legally required measures to inform its customers of prohibition of certain forms of illegal acts.

The owners performed acts which were more than that reasonably expected of the operator of such café for the benefit of its customer.

That the commission or omission of the act was done in expectation of a reward or avoidance of a responsibility.