On Monday, May 6, 2024, when the Central Bank of Nigeria (CBN) released the circular that directed a 0.5% cybersecurity levy on all electronic transactions, Nigerians took to X to express their discontentment with the directive.
Many pointed out that it would significantly increase transaction costs, impeding the cash policy the CBN has been pushing for years.
However, a closer look at the Cybercrime Act — which the CBN references as the basis of the directive — shows that the cybersecurity levy only affects some businesses and not everyone.
While the CBN is yet to provide clarity about the Act and who it is meant for, it has drawn our attention to the Cybercrime Act.
It turns out that the nine-year-old Act has some interesting laws. In case you didn’t know, here are 11 interesting things about the Cybercrime Act.
Interesting things about the Cybercrime Act
The Cybercrime Act of 2015 was created to fight cybercrime as an increase in Internet penetration meant an increase in bad actors that would use it for the wrong things.
The Act’s explanatory memorandum says it provides “an effective, unified and comprehensive legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria.”
Per Vanguard, the bill was first introduced in 2011 by Senator Gbenga Kaka (APC, Ogun East); however, it received some pushback. It was re-introduced in 2013 as the “Cybercrime Bill, 2013” and was passed by the Senate the following year.
While the Act has gotten its new-found popularity due to a widely disliked cybersecurity levy, its passage in 2015 marked a milestone in Nigeria, as Internet crimes are bound to increase as connectivity becomes easier.
If you’re just learning about the Cybercrime Act, here are 11 interesting things about it.
Hacking the government is a five-year sentence
If you access intel on national security without authorization, you’ll be sentenced to five years in prison, or be asked to pay a ₦5 million fine or both.
However, if you’re found guilty of destruction of or interference with computers, networks, and data traffic designated to Nigeria, you could bag yourself a 10-year prison sentence without a bail option.
The punishment is stiff because destroying such infrastructure could severely affect the economy and national security.
Also, if you extract information from a government employee under false pretences, you’ll bag yourself a two-year jail term or a fine of ₦2 million or both.
Cybercafés must be registered
According to the Act, cybercafés must be registered with the “Computer Professionals’ Registration Council in addition to a business name registration with the Corporate Affairs Commission.”
The cafes must also have a register that keeps track of people who use their services at any time.
Anyone who perpetrates online fraud through these establishments faces a three-year jail term or a fine of ₦1 million or both.
If the cafe commits fraud in partnership with the individual, the owners will get a three-year jail term or a ₦2 million fine or both.
For bank employees who commit fraud
If bank employees or staff of any financial institution divert electronic messages with the intent to commit fraud, they will be imprisoned for five years or pay a fine of ₦7 million. In some cases, they could do both.
For ATM thieves
Anyone daring enough to steal an automated teller machine (ATM) will be sentenced to seven years in prison or pay a fine of ₦10 million and in some cases do both.
Stealing an ATM is a rather difficult undertaking, so the Act says that if you attempt it, and it is understandably unsuccessful, you get a one-year sentence or pay a ₦1 million fine, and in some cases do both.
What happens when money is stolen from your bank account
Banks are meant to keep your funds safe, but if there’s a breach, they might not be held responsible. The Act says you — the customer — have to prove that they could have done more to protect your funds.
This essentially means that as a bank customer, you have some responsibility for keeping your funds safe.
However, it also means that in cases where the financial institution has failed in its duties, the customer needs to have the financial resources to prove that the institution was negligent.
It is also important to note that the CBN has a process of settling these disputes between the customer and the bank.
Organisations must report when they have been breached
Public or private organisations that operate computer systems or networks must report breach cases to the national computer emergency response team.
This is because a breach of one organisation could lead to a breach of another.
The computer emergency response team could isolate that company’s system before solving the problem.
However, if such companies refuse to report after they have been breached, they are liable to pay a ₦2 million fine to the cybersecurity fund.
Cyberstalking and cyberbullying are serious crimes
Cyberstalking and cyberbullying have some of the most severe fines and punishments in the Act, even more than hacking the government.
There’s a very long list of what constitutes cyberstalking and bullying, and they carry different sentencing and fines.
Posting information to bully and harass someone, for example, attracts a jail term of 10 years and/or a fine of ₦25 million. Related crimes such as sending pornographic or offensive messages to someone carry a fine of ₦7 million or three years in prison or sometimes both.
Using other people’s names or trademarks
Using the name of a person, business, trademark, word or even phrase that is registered on the Internet attracts a two-year prison sentence or a fine of ₦2 million or in some cases both.
Banks are expected to refund unauthorised debits
If you get a debit alert that you did not authorise, and inform your bank about it, it is expected to provide you with legal authorisation for the debit or refund you within 72 hours.
If your bank or financial institution does not do so in the stipulated time, it’ll pay a ₦5 million fine.
The infamous cybersecurity levy
The Act provides the legal basis for the creation of the cybersecurity fund. The fund will be funded through fines paid by organisations that do not report security breaches and a 0.5% cybersecurity levy on all electronic transactions.
Cybercriminals will have their passports cancelled
Anyone who has been convicted of any crime in the Cybercrime Act will have their passports cancelled. They will only be reissued if the person has paid the fines or served prison sentences for their crimes.