Cybercrime Act: Still a long way to curbing cyberspace-related crimes

As technology evolves in Nigeria, there is a compelling need to review the legal framework that regulates the sector to curb the growing cyberspace-related crimes. Though the Cybercrimes Act 2015 was enacted to serve that purpose and was recently amended, a lot of grey areas in its provisions still need to be reviewed to achieve effectiveness, NGOZI EGENUKA reports. 

Daily, hundreds of people are being scammed through e-channels. From getting calls asking Internet users to send their two-step authentication numbers, to sending links and being persuaded to click on them, perpetrators are increasingly exploiting the proliferation of online transactions, e-commerce platforms, and electronic messaging systems to engage in illicit activities.

According to the Central Bank of Nigeria (CBN), 70 per cent of attempted or successful fraud/forgery cases in the Nigerian banking system stem from electronic channels.

There is also the introduction of cryptocurrency platforms, where financial exchanges are done via people-to-people (P2P) devoid of the mainstream channels.

This great innovation, because of its highly unregulated features, has also increased cyber crimes where fraudulent people exchange money without being traced.

In 2015, the Cybercrime Act was enacted, with a major function to provide an effective and unified legal, regulatory, and institutional framework for the prohibition, prevention, detection, prosecution, and punishment of cybercrimes in Nigeria.

Its other objectives are to ensure the protection of critical national information infrastructure, promote cybersecurity, protection of computer systems and networks, electronic communications, data and computer programmes, intellectual property, and privacy rights.

However, despite this Act, cyber crimes have increased, taking on innovative forms. This led to the recent amendment signed by President Bola Tinubu, on February 28, 2024. This amendment was among other things aimed at addressing factors that have impeded the effective implementation of the principal Act; bolstering Nigeria’s cybersecurity framework; safeguarding the country’s critical infrastructure; combating terrorism and violent extremism; enhancing national security, and protecting Nigeria’s economic interests.

But despite this, there are still grey areas. For instance, a provision of the Act mandates the CBN to demand all financial institutions to set aside 00.5 per cent as a cybersecurity levy for all electronic transactions. The deduction is to be remitted to the National Cybersecurity Fund (NCF), which shall be administered by the Office of the National Security Adviser (ONSA).

A lawyer and Head of Technology and Innovation at Scotts Legal, Chidumebi Onyetube, said that as matters stand, there is ambiguity in levy collection, oversight, and use of funds regarding constitutional consistency, adding that clarification is needed to avoid misinterpretations and potential exploitation.

According to her, the Act has not specified whether the levy should be borne by businesses or passed on to customers.

“That the CBN issued implementation guidelines without explicit reference to the Attorney General’s oversight raises concerns about regulatory overreach and proper checks and balances,” she said about the controversial attempt to commence its implementation by the CBN.

She continued: “There is no detailed framework on how the collected levies will be utilised. So, transparency and accountability mechanisms should be established to ensure that funds are effectively used for cybersecurity enhancements, and the provision for direct collection of levies may conflict with the constitutional requirement for all federal revenues to be deposited into the Federation Account. This legal inconsistency needs to be addressed.”

On whether the Act provides adequate punishment for cyber crimes, Onyetube noted that the amendments to sections 17, 21, 22, and 24 indicate an effort to update and tighten regulations.

She, however, stated that the effectiveness of these measures depends on robust enforcement and the judiciary’s capacity to handle cybercrime cases swiftly and efficiently, adding that preventive measures and cybersecurity education are equally crucial.

For the former chair of Technology Committee, Nigerian Bar Association Section on Business Law (NBA-SBL), Rotimi Ogunyemi, there are several areas where the Act could be improved to better protect and encourage digital investments.

He explained that the Act primarily focuses on criminalising cyber offences rather than proactively securing digital investments, which reveals a fundamental flaw in the country’s cybercrime and cybersecurity legal framework.

“It is imperative to separate Cybersecurity and Cybercrime into distinct legal frameworks. Cybercrime focuses on the prevention, detection, prosecution, and punishment of criminal activities conducted via cyberspace. Cybersecurity, on the other hand, involves the measures, protocols, and practices designed to protect systems, networks, and data from cyber threats and vulnerabilities,” he stated.

Ogunyemi continued: “It encompasses proactive strategies to prevent cyber incidents and ensure the resilience of digital infrastructure. A dedicated Cybersecurity Act, (distinct from a Cybercrimes Act), focusing on preventive measures, risk management, and compliance standards could provide a more robust framework for protecting digital assets,” he said.

He added also that there is a need for incentives to encourage businesses to invest in cybersecurity measures. This could include, tax breaks, grants, or other forms of financial support for companies that adhere to high cybersecurity standards.

He further noted that the lack of clear definitions in the Act for key terms like cybercrime, cyberwarfare, and cyberterrorism can create ambiguities that hinder effective enforcement and protection efforts, stating that clear definitions would help in setting precise legal parameters and standards.

According to Ogunyemi, some sections, such as those related to cybercafés, are outdated and do not reflect current Internet access methods. These should be updated to focus on modern Internet service providers and access points.

“Penalties for cyber offences are not uniform and do not always correspond to the severity of the crimes. Standardising penalties based on the impact of the offence can ensure more effective deterrence. While the Act includes penalties for cyber crimes, some punishments may not be sufficiently stringent to deter sophisticated cybercriminals. Defining and enhancing penalties for severe offences like cyber espionage and large-scale data breaches is also necessary.

“Additionally, strengthening enforcement mechanisms and providing regulators and enforcement agencies with the necessary powers to investigate and prosecute cyber crimes effectively will enhance the Act’s ability to curb cyber crimes,” he stated.

The Lead Partner, Infusion Lawyers, Senator Ihenyen, explained that when the CBN restricted crypto-related transactions in Nigeria’s banking and financial sector in February 2021, it was the Security and Exchange Commission (SEC) that introduced a regulatory framework for digital assets in May 2022.

According to him, SEC could not implement it owing to the noticeable and understandable conflict with the CBN stance on crypto. “Presently, SEC has proposed amendments to its earlier-issued regulatory framework, introducing corporate governance, anti-money laundering, and counter-terrorism measures, etc., that Virtual Asset Service Providers (VASPs) in Nigeria must comply with.

While applauding SEC for introducing different measures to protect digital transactions, he noted that those measures need to form part of the cybercrime law.

For digital innovation to thrive, cybersecurity, he explained, is key since cyberspace that is insecure and unsafe will not be conducive to innovation.

He, however, noted that in its amendment, there is an addition of “or any other payment technology means” under Section 30 of the Act, which covers the manipulation of ATM/POS terminals.

“This could be interpreted to mean that cryptocurrencies, which have been enjoying increasing adoption over the years even in the face of regulatory restrictions in the country, are also a payment technology, since, among other functions, they serve as a medium of exchange, although privately issued,” Ihenyen argued.

Looking at the positive side of the amended Act, Ihenyen, however, explained that the introduction of sanctions under Section 41 regarding the failure to pay the Cybersecurity Levy (which now attracts sanctions) on the part of banks and other financial institutions, telecom companies, the Nigerian Stock Exchange, and insurance companies can potentially boost the resources available to the government to provide improved cybersecurity in Nigeria’s cyberspace.

“There are now the Sectoral Operation Centres (SOCs) that would feed into the Computer Emergency Response Team (CERT), as provided under sections 21 and 44 of the Act. Considering the current gaps in coordination regarding emergency response, I think this is a welcome development.

“Also, considering how the adoption of digital innovations has increasingly become ubiquitous, as well as, the crimes they bring with them, there are certain additions to the Act that now apply to employees of both public and private organisations, not financial institutions only.

“Specifically, identity theft and impersonation, as well as, conspiracy, aiding and abetting by an employee is no longer limited to employees of financial institutions. This amends sections 22 and 27 of the Act respectively.

“Section 38 of the Act has been amended to recognise the Nigerian Data Protection Act for the purpose of service providers who perform the function of data controllers and processors regarding traffic data and subscriber information. Data, indeed, is the engine of the digital economy. No digital innovation can thrive without ensuring the safe and secure use of personal data, given their implications for data protection and privacy in an increasingly data-centric world.”

“Though the Cybercrimes Act already criminalises cybersquatting with the unauthorised use of trademarks or brand identity, I recommend that it also covers theft of intellectual property generally, especially considering that in today’s world of digital innovation, the most important asset is the intangible assets—from copyright in software applications to patents in new and inventive innovations in the knowledge economy and the digital age,” he stressed.