Cybercrimes Act 2015: Legal risk exposures of information technology companies

Continued from Tuesday last week
Section 8 delves into the real cybercrimes. The technical name for the crime here is hacking. Any person who does an act which causes directly or indirectly the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or any other form of interference with the computer system, which prevents the computer system or any part thereof, from functioning in accordance with its intended purpose, commits an offence. Sections 385-389 of the Criminal Law of Lagos State 2011 is analogous to this section.

It must however be noted that crime in the real world is not always on all fours with crime in cyberspace. We can have ‘white-hat hacking’ or ‘black-hat hacking’. As the names imply, one is a ‘white’ witch, the other is a ‘black’ witch. Both of them stalk your system, they try to see your vulnerability. They only differ at the point of what they do with their access.
To be exculpated from charges of illegal system interference, an IT professional must include a term in his contract that recognises his right to test the system vulnerability and carry out some other clandestine activities on the ‘target system’. In essence ‘white-hat’ hacking must now be formally recognised in contracts of employment and related contracts.

According to UK Computer Misuse Act 1990 and similar legislations, the criminal act of hacking are-
(i) Unauthorised erasure, copying or moving data
(ii) Unauthorised production from a computer or using the output
(iii) Illegal performance of the unlawful activity after knowing it is unlawful
While the criminal intent of hacking are-
(i) Intent to secure access to any program or data in a computer
(ii) Knowledge that he commits the offence because the access being sought is unauthorised.

In the English case of RE WHITELEY (1991) 93 Cr. App. R 25 – the defendant hacked into an academic computer system in order to delete, amend and add files. He had enough computer skills to know how to detect and delete a programme that could implicate him. His lawyer argued that the computer discs had not been damaged and his activities only affected the information stored on them which was intangible and therefore not a property. The court disagreed. It held that the computer discs had been damaged because their usefulness had been impaired.

Section 9 makes it illegal to intercept electronic messages, emails or electronic money transfers. Bankers, security agents and Internet Service Providers (ISP) are especially susceptible to being accused of this. Although the act must have been done unlawfully to be criminal, however it is still too early in the day to state how courts may interpret this. It is now the favourite past-time of intelligence agents to monitor, decrypt and trace suspected mails and electronic financial transactions. While US has legalised this through its Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT Act), yet the constitutional issue of invasion of privacy cannot be wished away.

The legal risk here is that sometimes a bank or ICT firm may want to investigate an issue of which it needs to establish some facts. There is the tendency to use the electronic and human resources available to prove its case. The accused party may object to any evidence brought about by violating this section. In essence, the section is not clear and very susceptible to being used as veneer for greater crimes. See also section 12.

Section 13 relates to forgery while 14 deals with fraud. Both are different and of differing ramifications, but they usually go together. One of the most popular cybercrimes is the Nigerian money letter offer which involves both forgery and fraud. Owing to its nature, perpetrators of this obnoxious scheme usually access information on the internet and go on to modify the contents in order to deceive their victims. There are several examples of Nigerian money letters available on the internet. One remarkable example is summarised as follows; a Pune (a city in India) based businessman received an e-mail from the ‘Vice President’ of the Asia Development Bank (ADB) offering him a lucrative contract in return for a large sum of money. The victim verified the e-mail from the website of ADB and found it correct so he sent the required amount into the specified bank account. It later turned out that the e-mail was actually sent by a Nigeria based Indian! This underscores how supportive cybercriminals have found the Nigerian environment for their nefarious activities.

According to the Internet Fraud Watch, the Nigerian Money Letter offer is the 7th topmost internet crime activity in year 2000. This cybercriminal activity became so notorious at one time that some countries started issuing warning notices to their citizens alerting them of the Nigerian money letter.

Section 19(1) provides from the commencement of this Act, no financial institution shall give posting and authorizing access to any single employee. This section is clear and definitive. Violating this section makes the bank or other financial institutions liable under the Act. Banks must as a duty to their customers put in place effective counter-fraud measures to safeguard their sensitive information. The CBN guidelines on electronic banking specified certain things a bank must do to exculpate itself from liabilities. They are summarised as follows-

Ensure security protocols are up-to-date and are not vulnerable to cybercriminal activities see Art. 1.1 Guidelines
ii. Customer identification and authorisation protocol must be strict. Unauthorised persons must not be freely given access to the back-ends of the Bank’s network. Art. 1.2 Guidelines
iii. Banks are required to employ or designate an ICT compliance officer whose responsibilities should include compliance with standards contained in the guidelines as well as the bank’s policies on ICT.- Art. 1.3g Guidelines
iv. Banks should segregate the responsibilities of the Information Technology (IT) security officer / group which deals with information systems security from the IT division, which implements the computer systems.- Art. 1.3h Guidelines
v. Different e-banking channels should be treated separately. For example, the software security model required for telephone banking would differ from that of an Any Time Money (ATM) machine. While the phone would run on a telecommunications providers network, the ATM is not connected to a telecoms network.
vi. Internet Service Providers (ISPs) should exercise due diligence to ensure that only websites of financial institutions duly licensed by the CBN are hosted on their servers. ISPs that host unlicensed financial institutions would therefore be held liable for all acts committed through the hosted websites. Art.1.4.8 Guidelines.
vii. Article 1.5.3 of the Guidelines deal with Access Control. It admonishes thus-
Banks should introduce logical access controls over ICT infrastructure deployed. Controls instituted by banks should be tested through periodic Penetration Testing, which should include but should not be limited to;
a. Password guessing and cracking
B. Search for back door traps in programs.
c. Attempts to overload the system using Ddos (Distributed Denial of Service & DoS (Denial of Service) attacks.
d. Check if commonly known vulnerabilities in the software still exist. e. Banks may for the purpose of such Penetration Testing employ external experts.

Section 21 provides that there must be a report of any attacks, intrusions and other disruptions liable to hinder the functioning of another computer system or network to the National Computer Emergency Response Team (CERT) Coordination Centre.

Section 22 criminalises identity theft while section 25 criminalises cybersquatting.
Identity theft is the use of another person’s personal information (e.g., name, Social Security number, credit card number, passport information details etc.) without that person’s knowledge and the fraudulent use of such knowledge. It has also been described as having occurred when someone uses or exploits the personal identifying information of another person such as: name, social security number, mother’s maiden name, ID number, etc…to commit fraud or engage in other unlawful activities.

Cybersquatting is the act of reserving a domain name on the internet, thereby denying the true users of the name from using it. The cyber squatter does this to either sell the name for cut-throat prices or cause embarrassment to the owner.

Companies must put measures in place to check identity thefts in the organisation. You must also be sure that you have not registered a domain name that looks so much like an established brand. This can be basis for civil and criminal action.

As an IT service provider section 38 (1) of the Act provides A service provider shall keep all traffic data and subscriber information as may be prescribed by the relevant authority for the time being.

From the foregoing, it is crystal clear that there are many legal implications of the Cybercrime Act on the operation of an IT company or IT user. Every information technology company or user must get sound legal advice on how this and related laws affect its operations. Lack of understanding of these basic principles would wreck the best of ideas and idealists.
Daniel is the Author of Introduction to Computer Law in Nigeria 2015.