1. Introduction
With the advent of the computer age, Nigeria continues to experience rapid digital transformation as the Information Communication Technology (ICT) revolution has impacted almost every area of the human endeavor, from private businesses, and public sectors to not-for-profit organizations. ICT has simplified business processes such as sorting, summarizing, coding, as well as computing. Technology has integrated nations and the world has become a global village. However, the rise of technology and online communication has not only produced revolution but there has also been an increase in criminal activities. ICT has also brought unintended consequences such as criminal activities, spamming, credit card fraud, ATM fraud, phishing, identity theft, ransomware attacks, and other related cyber crimes. An example of a cybercrime is the recent Phobos Ransomware Group which majorly targeted the cloud service providers (majorly information technology and telecommunications services) in Nigeria as of July 2024. Criminals are using cyberspace to commit numerous cyber crimes. Recognizing the need to address this growing threat, the Nigerian government has developed a range of legal frameworks aimed at protecting against cybercrimes and ensuring a secure digital environment. These legal mechanisms include comprehensive legislation, regulatory bodies, and enforcement strategies designed to combat various forms of cybercrime, from financial fraud to data breaches.
2. Meaning of Cybercrimes
Imagine a situation where a tech-savvy thief swiped personal data from a breached social media site and used it to clone dozens of credit cards and then hack into ATMs across the city, draining accounts while users were left bewildered; this is known as identity theft which is one of the examples of cybercrimes.
Cybercrime refers to criminal activity done using computers and the Internet. This includes anything from downloading illegal music files to stealing millions from online bank accounts. Cybercrime also includes nonmonetary offenses, such as creating and distributing viruses on other computers or posting confidential business information on the Internet.
Simply put, Cyber-crime is a criminal activity involving an information technology infrastructure, including illegal access (unauthorized access), illegal interception (by technical means of non-public transmissions of computer data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud.
3. LEGAL FRAMEWORK FOR CYBERCRIMES IN NIGERIA
3.1.Cybercrimes (prevention, prohibition, etc) Act 2015 and Cybercrimes (prevention, prohibition, etc) (Amendment) Act 2024
The Cybercrime Act is a cornerstone of Nigeria’s legal framework for combating cyber crimes. Enacted in 2015 and amended in 2024, it provides a comprehensive legal structure to address various forms of cybercrimes as stated in the Act. As a result, it creates a cohesive, efficient, and regulatory system in Nigeria for the prevention, investigation, identification, prosecution, and punishment of cybercrime and other cyber-related offenses.
Some of the offenses created and amended by the Principal and Amendment Acts as cybercrimes are Cyberstalking which includes intentionally sending mail on computer systems that are false or pornographic which is aimed at causing a breakdown of law and order or posing a threat to life. Cybersquatting Involves the intentional use of a name, business name, trademark domain name, or other word or phrase registered, aimed, or in use by any individual body corporate or belonging to either the Federal State or Local Government in Nigeria on the Internet or any other computer network without authority or right and to interfere with their use by the owner. The Act provides that any person who manipulates any form of payment technology. (ATM, point of sale terminal, etc.), to defraud shall be guilty of an offense and upon conviction sentenced to five years imprisonment and also provides that any person who intentionally engages in computer phishing shall be liable upon conviction to three years imprisonment or a prime. Additionally, the Act provides that anyone who engages in the malicious or deliberate spread of viruses or any malware that causes damage to critical information in public private, or financial institution computers shall be guilty.
Despite the provisions in the principal act, the amended Act has made some laudable innovations. One of such is that the reporting of cyber security threats channel under the 2015 Act was required to be made directly to the National Computer Emergency Response Team (CERT) Coordination Centre, however, the Amended Act changed the reporting channel as it now requires the reporting of cyber threats to be done through sectoral CERT or sectoral Security Operations Centres (SOC). This provision is innovative as it will necessitate a quicker and more efficient handling of cyber threats at both the sectoral and national levels. The introduction of these reporting channels also included the timeline within which the report is to be made by reducing the timeline for reporting from 7 (seven) days to 72 hours. Thus, persons or institutions affected must report the cyber threats to the SOCs within 72 hours of the occurrence.
Furthermore, the Amended Act mandates that financial institutions must verify the identity of their customers conducting electronic financial transactions by presenting their National Identification Number (NIN) issued by the National Identity Management Commission (NIMC), along with other valid documents bearing their names, before being issued ATM cards, credit cards, debit cards, or similar electronic devices. Under the Principal Act, verification was limited to documents with the customer’s name, address, and other information deemed relevant by the Institution.
3.2 Constitution of the Federal Republic of Nigeria, 1999 (As Amended)
The Nigerian Constitution has further aided Nigerians by guaranteeing and securing their right to privacy, telephone calls, and so on. As a result of this, when law enforcement authorities require information from a person’s cell phone, e-mail, or other electronic devices as part of a telecom service provider investigation into cybercrime, the Nigerian Constitutional right to privacy must be taken into account. The Supreme Court in Ransome Kuti v. Attorney General of the Federation held that a Fundamental Right is a right that stands above the ordinary laws of the land and which is antecedent to the political society itself. It is a primary condition for a civilized existence.
The implication of the above is that the Nigerian Constitution protects people from unjustified searches and seizures by law enforcement agencies. It also encourages officers to obtain a search warrant before accessing a place where a person is supposed to have a reasonable degree of privacy. Computers, records, and/or information on individual computers are covered by the Nigerian Constitution from searches by law enforcement agents. A search warrant must provide and identify the area to be searched as well as the objects to be obtained in great detail.
3.3 Economic and Financial Crimes Commission (EFCC) Act
This Act provides the legal framework for the investigation of all financial crimes including advance-free fraud, money laundering, charge transfers, fraudulent encashment of negotiable instruments, computer credit card fraud, and contract scams among others. This act, enacted in 2004, gives the Commission powers to arrest and prosecute any person suspected to be involved in promoting cybercrime in any form including drug trafficking, money laundering, and terrorism.
3.4 Money Laundering (Prohibition) Act, 2022
This Act makes comprehensive provisions to prohibit the financing of terrorism, the laundering of the proceeds of a crime, or an illegal act. All financial institutions are required to report transactions made that are above specified thresholds for individuals and corporate bodies. The threshold is billed at US$10,000 or its equivalent and shall be reported to the Central Bank of Nigeria, Securities and Exchange Commission in writing within 7 days from the date of transaction. The Act is essentially structured to enable the authorities to monitor cash transactions in a bid to tackle money laundering.
3.5 Advanced Fee Fraud and Other Related Offences Act
This Act outlaws every form of fraud including obtaining property by false pretense and obtaining funds through unlawful activities. This law obliges industry players including Internet Service Providers and cybercafé operators to register with the EFCC, monitor the activities of internet users, and report any suspicious activities to the EFCC. In the Federal Republic of Nigeria v. Abdul, the accused was arraigned on a two-count charge of being in possession of documents containing false pretenses contrary to Section 6(8)(b) and 1(3) of the Advance Fee Fraud and Other Related Offences Act. The accused was arrested in a cybercafé in Benin City by a group of EFCC operatives, following a petition to the Commission by a citizen alleging the incidence of Internet crimes “yahoo yahoo” activities at the cybercafé.
3.6 Nigeria Deposit Insurance Corporation (NDIC) Act
The NDIC is mandated to carry out onsite and offsite surveillance of insured financial institutions. The principal rationale for this mandate is to prevent fraud in the banking system. Due to the potent threat of electronic/cyber fraud, the NDIC and CBN have developed the Electronic Financial Audit Sub-System (E-FASS) to fulfill their mandate.
3.7 Nigerian Communications Commission (NCC) Act
The Nigerian Communications Commission (NCC) was established under the Nigerian Communications Act. The Commission is responsible for creating an enabling environment for competition among industry operators and ensuring the provision of qualitative and efficient telecommunications services throughout the country. In furtherance of its mandate, the Commission has put in place guidelines for the provisions of Internet Service Providers (ISP) and other Internet protocol-based telecommunication services. The Guidelines require ISPs to ensure that users are informed of any statement of cybercrime prevention or acceptable internet use published by the Commission or any other authority and that failure to comply with these acceptable use requirements may lead to criminal prosecutions.
4. Factors Causing Cyber Crimes in Nigeria
Despite the legal frameworks governing cyber threats in Nigeria, there are still challenges causing Cybercrimes in Nigeria. First is Rapid technological growth, including widespread internet access and the proliferation of mobile devices, which has created numerous opportunities for cybercriminals. The lack of adequate cybersecurity measures and outdated systems often make both individuals and organizations vulnerable to attacks.
Second is insufficient funding for cybersecurity, especially with the increased implementation of levies on digital and electronic systems. Additionally, statistics indicate that by 2025, the cost of cybercrime is expected to soar to $12 trillion. This underscores the urgent need for adequate funding to combat cybercrime effectively. Thus, there is an adequate need for proper funding to curb cybercrimes.
Third is Inadequate risk management practices as many organizations in Nigeria lack comprehensive risk management strategies for cybersecurity. Thus, Insufficient investment in security infrastructure, lack of regular updates, and poor incident response plans can leave systems vulnerable to attacks and data breaches.
Fourthly is the Insufficient legal framework and enforcement, while Nigeria has established various legal frameworks to combat cybercrime, enforcement can be inconsistent due to resource constraints, lack of specialized personnel, and bureaucratic challenges. This can hinder the effective prosecution of cybercriminals and deter the implementation of robust preventive measures.
In conclusion, while Nigeria has established a solid legal foundation to counter cybercrime, ongoing efforts to address the underlying socio-economic factors and to bolster the enforcement and implementation of these laws will be essential in creating a safer digital environment. A coordinated approach that includes both legal and socio-economic strategies will be key to curbing the incidence of cybercrime and ensuring a more secure cyberspace for all Nigerians.