Cybercrime policies/strategies
Cybercrime has been on the agenda of the Nigerian Government for many years. Investigations – in particular of fraud-related cybercrime – have been carried out in particular by the Economic and Financial Crime Commission (EFCC).
Though the Evidence Act was amended in 2011 to cater for the admissibility of electronic evidence, the absence of a legal framework on cybercrime hampered effective criminal justice measures until 2015.
In February 2015, the Government adopted the National Cybersecurity Policy and Strategy prepared by the Inter-Ministerial Committee coordinated by the Office of the National Security Adviser. It is based on the understanding that threats to information and communication technology are threats to Nigeria national security touching the “economic, political and social fabric of Nigeria.” The most significant threats identified are cybercrime, cyber-espionage, cyber conflict, cyber-terrorism and child online abuse & exploitation.
The Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 was enacted and entered into force on 15th May 2015. The purpose of the Act is also to promote cybersecurity and cybercrime prevention, and it provides for obligations to the private sector – including ISPs, telecommunication operators and financial institutions – to report and cooperate with law enforcement authorities and the Nigerian Computer Emergency Response Team (ng-CERT). It provides for the National Security Adviser to coordinate LEAs and the Attorney General to oversee and strengthen the legal and institutional framework whilst establishing a Cybercrime Advisory Council to facilitate effective implementation, capacity-building, multi-stakeholder engagement and inter-agency/international cooperation.
The Nigerian Computer Emergency Response Team was established in the Office of the National Security Adviser. Its mission is “To manage the risks of cyber threats in the Nigeria’s cyberspace and effectively coordinate incident response and mitigation strategies to proactively prevent cyber-attacks against Nigeria”. The core function of ngCERT are:
- to establish a shared Situation Awareness platform - Coordinate information sharing at the National Level
- to efficiently manage and coordinate management of incident of national interest
- to support the National Cybersecurity Policy
- to provide technical support and expertise to sectorial CSIRT’s as and when required
- to serve as international Point of contact for all Internet Security Incident in Nigeria.
In March 2016 – in line with Articles 42 and 43 Cybercrimes Act – the Cybercrime Advisory Council is to be established, comprising representatives of a wide range of ministries and agencies under the overall coordination of the National Security Adviser. Functions include:
- Creating an enabling environment for sharing of information and experience
- Formulating policy guidelines regarding implementation of provisions of the Cybercrimes Act 2015
- Advice on preventive and other measures regarding cybercrime and cybersecurity
- Promoting training and education, including research and traineeships.
In 2019 the Data Protection Bill passed the approval of the National Assembly, but it wasn’t signed by the President. Following the presidential elections though, the proposal had to go back to the approval of the Parliament and it is currently being revisited to restart the legislative process.
Cybercrime legislation
State of cybercrime legislation
From 2005 onwards, attempts had been made to enact legislation on cybercrime and related issues, including:
- Computer Security and Critical Infrastructure Bill (2005); Electronic Service Provision Bill (2008)
- Interception and monitoring Bill (2009); Cyber Security Bill (2011); Criminal Code Amendment for Offences Relating to Computer Misuse and Cybercrimes (2011); Electronic Transfer of Funds Crime Bill (2011) - None of these bills passed the complex process of law making in Nigeria.
However, in 2011, the Evidence Act was amended to allow for the admissibility of electronic evidence.
Important progress was made in 2015 when the Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 was enacted and entered into force on 15th May 2015. It has substantive criminal provisions, procedural rules and provisions on International cooperation.
Substantive law
The Cybercrime (Prohibition, Prevention, Etc) Act, 2015 in Part III – Offences & Penalties (comprised of Sections 5 to 36) criminalizes specific computer and computer – related offences and spells out the penalties.
These include: Unlawful access to a computer; Unauthorized disclosure of access code; Data forgery; Computer fraud; System interference; Misuse of devices; Denial of service; Identity theft and impersonation; Child Pornography, Grooming; Cyberstalking; Unlawful Interception; Cybersquatting; Cyber-terrorism; Failure of Service Providers to Perform certain Duties; Racist and xenophobic Offences; Attempt, conspiracy and abetment; and Corporate Liability.
Procedural law
The Administration of Criminal Justice Act, 2015 provides a general framework of procedural measures applicable to all criminal investigations (e.g. Sections 15(4), 18,37-39, 43 – 44, 106, 143, etc).
Evidence Act, 2011 – Sections 84 and 258 - deals with Admissibility of electronic evidence.
The Cybercrime (Prohibition, Prevention, Etc) Act, 2015 also establishes the procedural powers/ rules for cybercrime investigations and the collection of evidence in electronic form of a criminal offence.
These include: Expedited Preservation of Stored Computer Data – S. 38, Production Orders – S. 38, Search and Seizure of Stored Computer Data – S.45, Real Time Collection of Traffic Data –S.39, Interception of Content Data –S.39, etc.
Safeguards
There are constitutionally laid down safe guards enshrined as fundamental rights in Chapter IV of the Nigerian Constitution of 1999 (As Amended) which apply generally.
The Administration of Criminal Justice Act, 2015 also provides a framework of safe guards.
The Cybercrime (Prohibition, Prevention, Etc) Act, 2015 also has safe guards in Section 45 relating to Power of arrest, search and seizure.
Related laws and regulations
- Evidence Act 2011
- Administration of Criminal Justice Act 2015
Specialised institutions
In the Attorney General’s office, the Cybercrime Prosecution Unit provides the overall policy, legislation and prosecution thrust.
There is a Specialised Police Cybercrime Unit within the FCIID in the Nigeria Police Force.
The Cybercrime Advisory Council is statutory body charged with coordinating implementation and capacity-building.
The Nigerian Computer Emergency Response Team (ng-CERT and the sectoral CERT)
The National Forensics Laboratory is in an embryonic state.
The Nigeria Electronic Fraud Forum ( NeFF)
Economic and Financial Crime Commission (EFCC)
Nigerian Financial Intelligence Unit (NFIU)
International cooperation
Competent authorities and channels
The legal competence to begin and direct criminal investigations is vested in the Police and other law enforcement/security agencies to the extent of their statutory mandates – Section 41(3) CPPA, with the technical support from police.
Section 41(2)(b) CPPA vests the Attorney General of the Federation with responsibility/competence for international cooperation. This responsibility is carried through the Cybercrime Prosecution Unit, working in coordination with the Central Authority Unit which is responsible for international cooperation in criminal matters generally.
Complying with Article 35 of the Budapest Convention, a 24/7 point of contact is established, and it is based in the Police and ng-CERT. The same functionality is also used for the Interpol Network.
The 24/7 point of contact has specific competence to take urgent measures regarding expedited preservation of traffic data and urgent searches and seizure of data. The general cybercrime requests depend on the directions of the prosecutors and an authorisation from a judge.
Evidence sharing with the EFCC resulted in the arrest of the head of the Organised Crime Group, based in Nigeria, by the EFCC and the arrest and conviction of the two UK heads of the group and the individuals responsible for the laundering of the proceeds in the UK.
The groups’ assets – bank accounts and houses in Nigeria – were identified by the EFCC and have subsequently been seized with a UK court ordering they be confiscated and sold in order to reimburse the victims of the fraud.
For many years, Nigeria has cooperated with the United States on criminal investigations involving computer-related forgery, computer-related fraud, and other computer-enabled financial crimes. Notably, the EFCC and US law enforcement agencies have worked together on complex financial crimes with perpetrators in Nigeria, the US, and elsewhere. With assistance from the US and other international partners, the EFCC has developed some capability and competence to identify, collect, and analyse electronic evidence, to integrate that evidence into criminal investigations, and to use it in successful prosecutions of financial fraud and corruption cases. Nigeria and the US have also cooperated on investigations of intellectual property, child pornography and other computer-related crimes.
Jurisprudence/case law
The decision of the Supreme Court in Kubor V. Dickson (2013)4 NWLR(Pt.1345)534.
In Kubor v Dickson the Supreme Court examined the provisions of Sections 84, 34(1)(b) and 258 of the Evidence Act 2011 regarding the concept of a 'document' and the admissibility of electronic evidence.
See also: http://nji.gov.ng/images/Workshop_Papers/2016/Refresher_Magistrates/s09.pdf
Sources and links
Cybercrimes (Prohibition, Prevention, Etc) Act, 2015
A Summary Of The Legislation On Cybercrime in Nigeria, Legislative & Government Relations Unit, Public Affairs Department in The Communicator, in-house magazine of the Nigerian Communications Commission (NCC), Issue #14 - Quarter 3, 2015
The Central Bank of Nigeria - About the Nigerian financial sector