Nigeria has been in the throes of implementing technology law and computer crime legislation for the best part of half a decade. Within this period, there have been two Bills drafted in an attempt to bring our laws up to date and in line with our counterparts in other parts of the globe.
It is to be noted however that while these attempts are an acknowledgement of the need for such legislation, the reality is that there are a number of gaps in relation to what has been proposed in these Bills and what is required for the laws to be adequate enough to tackle the growing risks, threats and vulnerabilities that can accrue to governments, organizations, and individuals when trying to legislate for computer crime.
This article provides insight into current global computer crime and privacy legislations, a critique of the Draft Nigerian Bills, followed by a recommendation for review based on the implementation of a cybercrime legislation framework for Nigeria.
Global Computer Crime and Privacy Legislation
legislation, highlight key sections before rounding up with punishment and examples of breaches that have gone before the relevant authorities.
It is to be noted that most of these legislations have come into being due to the rise of criminal activity over the internet, identity theft and the need to protect personal information. These laws have also been a reaction to such new computer crime trends.
They have also recognised the need for organisations that have been provided personal information in exchange for services to become responsible for the safeguard of such information with resultant penalties for breach.
There has also been the need to react to the changes in technological advancements which have made previous legislations redundant in their capacity to deal with the issues.
Cybercrime Convention (EU 2004)
A good starting point on what makes up good Global Computer Crime legislation is the European Cybercrime Convention.
This is a Treaty entered into force on 1st July 2004 with an additional Protocol for the criminalization of racist and xenophobic material through computer systems coming into force on 1st March 2006. It has been adopted by member states of the European Union along with the United States and South Africa, to address computer related crime by harmonizing national laws.
The Computer Crime Convention defines a number of offences which members can include in their national laws. Examples of such computer related offences include but are not limited to the following:
? Offences against the confidentiality, integrity and availability of computer data and systems
? Illegal access
? Illegal interception
? Data interference
? System interference
? Misuse of devices
? Computer-related offences
? Computer-related forgery
? Computer-related fraud
? Content-related offences
? Offences related to child pornography
? Offences related to infringements of copyright and related rights
? Offences related to infringements of copyright and related rights
? Computer-related offences
? Attempt and aiding or abetting
? Corporate liability
? Expedited preservation of stored computer data
? Expedited preservation and partial disclosure of traffic data
A key feature of the Treaty is identifying that Legal persons can be held liable for a computer crime related criminal offence established in accordance with the convention. Such criminal activity may be committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person.
This takes into account industrial espionage and other corporate illegal activity.
It is to be noted that South Africa is the only African country that has signed up to the Treaty.
Computer Misuse Act (UK 1990)
The UK Computer Misuse Act of 1990 has been enacted to secure computer material against unauthorized access or modification: and for connection purposes. Prior to 1990, there were no laws in the UK relating to Computer Misuse. The Act identifies three main computer misuse offences:
? Unauthorised access to computer material.
? Unauthorised access with intent to commit or facilitate commission of further offences.
? Unauthorised modification of computer material.
Unauthorised access offences are typically punished upon conviction with up to 6 months imprisonment and or a maximum fine of £5000.
The other two offences are taken more seriously with jail terms of up to 5 years and unlimited fines.
Data Protection Directive (EU 1995)
The Data Protection Directive is a European Union directive which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. The directive was implemented in 1995 by the European Commission.
It requires anyone who handles personal information to comply with a number of important principles. It also gives individuals rights over their personal information.
In the age of the Internet and the abuses that may be derived, Europeans’ guardedness of secret government files has translated into a distrust of corporate databases.
Governments in Europe have taken decisive steps to protect personal information from abuse.
Anyone who processes personal information must comply with the following eight data protection principles:
Personal Information must be processed:
? Fairly and lawfully
? Processed for limited purposes
? Adequate, relevant and not excessive
? Not kept- longer than necessary
? Processed in accordance with the data subject’s rights secure
? Not transferred to countries without adequate protection.
It is important to note that Data Protection affords redress against breaches to these principles and as such more organisations are taking heed that they could be liable to penalties in the event of such contraventions. Indeed in the UK, the limit of such fines has been raised from £5000 to £500,000.
In the UK, Mobile Phone Company Orange was criticised for not keeping its customers’ personal information secure
It was investigated after the ICO received a complaint about the way Orange processed personal information.
New staff shared user names and passwords when accessing the company IT system, which meant that information, could be accessed by unauthorised members of staff.
Orange was ordered to sign an undertaking to comply with the rules of the Data Protection Act.
Several banks were also criticised for dumping customers’ personal information in bins outside their premises.
The institutions were HBOS, Alliance & Leicester, Royal Bank of Scotland, Scarborough Building Society, Clydesdale Bank, NatWest, United National Bank, Barclays Bank, Co-operative Bank, HFC Bank and Nationwide building society.
The probe followed evidence from the BBC’s Watchdog programme which found information including details of a bank transfer for £500,000 outside a Nottingham branch of the Royal Bank of Scotland.
They promised to comply with the Data Protection Act following the investigation and can be prosecuted if they fail.
Security Breach Legislation (US 2002)
In the United States, security breach notification laws have been enacted in most states since 2002. These laws were enacted in response to the escalating number of breaches to personally identifiable information located in consumer databases.
The first of such laws, the California data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003.
This law requires state agencies, businesses or people who conduct business in California that own or license computerised data which includes personal information to disclose in specified ways, any breach of the security of such data, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorised person.
It is to be noted that the law permits delayed notification if a law enforcement agency determines that it would impede a criminal investigation. It also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data.
In general, most state laws follow the basic principles of California’s original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.
It is to be noted that the 2009 Health Information Technology for Economic and Health Act also requires covered entities to notify affected individuals and the Secretary for Health and Human Services following a breach of unsecured protected health information
Europe is in the process of passing security breach notification laws. In Nigeria, it would be wise for us to include the notification requirement in the new cybercrime bill, given that we have already suffered such issues with the recent ATM incidents and will be requiring mobile phone users to provide personal information when registering for SIM cards.
Personal Data Privacy and Security Act US (2005 updated 2009)
This legislation was enacted after security breaches at Choicepoint (See penalty below) and LexisNexis.
The Act provides criminal penalties for identity theft involving electronic personal data by: increasing penalties for computer fraud when such fraud involves personal data. It also adds fraud involving unauthorised access to personal information as a predicate offence. The Act also makes it a crime to intentionally or willfully conceal a security breach involving personal data.
It gives individuals access to, and the opportunity to correct, any personal information held by data brokers; and
? Requires entities that maintain personal data to establish internal policies that protect such data and vet third-parties they hire to process that data;
? Requires entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data;
? Limits the buying, selling or displaying of a social security number without consent from the individual whose number it is, prohibits companies from requiring individuals to use social security numbers as their account numbers and places limits on when companies can force individuals to turn over those numbers in order to obtain goods or services, and bars government agencies from posting public records that contain Social Security numbers on the Internet;
? Requires the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers and imposes penalties on government contractors that fail to meet data privacy and security requirements.
Consumer data broker ChoicePoint, Inc., which in 2005 year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws.
The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026
Identity Theft Act US 1998
Following testimony by the Federal Trade Commission in front of the US Senate, federal officials deemed it necessary to address growing concerns over identity theft scams.
The Identity Theft Act was passed in the United States to offer identity theft protection for individuals and businesses that can or have been victims to identity thieves. Fully entitled The Identity Theft and Assumption Deterrence Act, it was passed by the US Congress and signed into law by President Bill Clinton in 1998. An amendment to the law was enacted in 2003.
The law came into being due to the exponential rate in which consumer’s personal information was being exploited in the United States due to the advent of the Internet and the rise in large consumer databases. It was also fuelled by the increased access to computers which now housed detailed information about individuals and their financial records.
The Identity Theft Act identifies crimes involving loans, mortgages, credit cards and lines of credit that can be prosecuted. It also includes additional crimes to which people can be prosecuted should they be caught. US Code Title 18 was amended to include any fraud committed using identification documents or personal information. It also made it illegal to knowingly transfer this information to other people without authorisation, regardless of intent.
The identity thief needs to have the intention of defrauding a person, business or government agency within the country. Criminals can be charged if they commit identity theft either through the mail, across state lines or internationally.
The Identity Theft Act allows for punishments of 5, 15, 20 or 30 years depending on the crime. It also calls for fines determined by certain factors such as the extent of financial disparity caused.
In extreme cases, there is also a statute that defines certain incidents as “Aggravated Identity Theft” which allows for consecutive sentences to be enforced upon criminals.