Banwo & Ighodalo

Milestone in Electronic Commerce: How the Cybercrimes Act 2015 impacts businesses

6. Duty of service providers to collaborate with law enforcement agents (including by providing access to data stored) in relation to electronic transactions – see sections 38, 39 & 40 of the Cybercrimes Act

7. Establishment of institutions for the enhancement of cybersecurity – see sections 42 & 44 of the Cybercrimes Act

8. Obligation of financial institutions to ascertain and secure identities of customers that are provided with “Access Devices” for computer transactions, and the prohibition of the vesting of posting and authorising access in a single employee – see sections 37 & 19 of the Cybercrimes Act

9. Provision for a well-coordinated system of administration and enforcement of the cybercrimes law – see sections 41, 42, 44, 47 & 49 of the Cybercrimes Act

10. Vesting of jurisdiction to try offences in the Federal High Court and provision for trans-border cooperation on investigation, prosecution and enforcement of court judgements in respect of cybercrimes – see sections 50, 51 & 52 of the Cybercrimes Act

WHAT TO EXPECT

Heightened risk management function

Business entities are going to tighten their belts in the area of risk management as it affects corporate information security. This will enhance the sanctity of electronic commercial transactions under the new legal regime because a substantial breach of information security will not only affect customers/subscribers but will also be costly for business organisations.

Business organisations such as financial institutions, internet service providers (“ISPs”) and communication companies, among others, hold critical data of private and corporate citizens in their computer systems/programs or networks which may now be considered as “Critical Infrastructure”. Such data are vital to the country, and any incapacity or destruction of, or interference with, such systems and assets could have a debilitating impact on national or economic security, national public health and safety, or any combination of those matters.

Where these entities are attacked (or are susceptible to attacks) by cybercriminals in a way that may pose a serious threat to the resilience of the financial system as a whole, the President may, on the recommendation of the National Security Adviser, designate such computer systems/programs or networks as constituting Critical National Information Infrastructure (“CNII”). Given the level of technical know-how in the country, it is most likely that some business entities may be caught in the CNII web. Any affected company or business would no longer have private control of its computer system or network but would be compelled to take instructions from the government with respect to how the system or network could be accessed or data transferred therefrom.

Another risk issue for business entities is the new position that all electronic signatures on documents (with the exception of certain critical transactions listed under section 17(2) of the Cybercrimes Act) are legally presumed to be valid. The burden of proving that any electronic signature appearing on a document, evidencing a company’s transaction or contract, is forged rests squarely on that company. Therefore, it will be imperative for corporate organisations and persons to invest in cybersecurity apparatus and techniques in order to fortify their computer systems/programs against hacking or other electronic identity-theft practices.