In the last few years, various sectors of the Nigerian economy have been undergoing digital transformation. As the country gradually moves from the margins to the mainstream of the digital economy, we are increasingly exposed to new risks that threaten our personal, corporate and national security. Among the risks that come with this increased digitization of our society are data breaches, cyber heists and identity theft.
There are reports of an increasing spate of cyber attacks and fraud against critical sectors of our economy. The CBN Governor, during the recently concluded Nigeria Electronic Fraud Forum (NeFF) Stakeholders Workshop on Cybercrime, called for an appropriate legal framework to tackle these challenges. The unfortunate thing about the law is that it always struggles to keep pace with technology. There is an urgent need to overhaul cyber security regulation in Nigeria in line with international best practice, in order to improve cyber risk management across the wider economy.
We need to assign liability for security failures
Computer systems, like other systems, are likely to fail when the entity guarding them is not the entity that suffers when failure occurs. Professor Ross Anderson of the University of Cambridge once said: “many hard security problems can actually be managed if we can appropriately assign responsibility when things go wrong”.
Research has shown that many of the typical cyber security challenges we encounter are, in some way, a consequence of misaligned incentives; incentives, when rightly applied, stimulate the appropriate response. Software developers, ISPs, banks, telecoms and web hosting companies, and other intermediary institutions, are in a good position to prevent, detect and block cybercrime and cyber attacks, and to a large extent they should be made liable when things go wrong. That is the kind of incentive required to force them to beef up security.
It appears that regulation, or the lack of it, favours most of these institutions in Nigeria, especially when consumer protection laws are equally weak or unresponsive to the needs of consumers in the digital economy. According to a renowned ICT lawyer and former Director of Cybersecurity in the Office of the NSA, Basil Udotai Esq, “Issues around damages for data security and responsibility for breaches, which admittedly are matters for civil law, are left at the mercy of contracts. Against operators and intermediary companies, customers have no chance at those contract negotiations, as all terms and conditions are predetermined, usually with regulatory sanction. Thus, not only is there no liability for data security violations, there is no legally backed responsibility on the part of the operator to take any action — even to alert data subjects or the public, following breaches”. There would be a marked improvement in security if responsibility for failures were clearly assigned to the entity charged with protecting the data. Where cyber criminals are beyond the reach of the law and a third party is in a good position to detect or prevent the crime, indirect intermediary liability becomes a viable option.
It has been said that back in the 1990s, regulation favoured UK banks over their customers. Customers who complained about fraud were easily dismissed: the banks simply asserted that their systems were ‘secure’. Over time, fraud was no longer taken seriously, since the banks could easily pass the resulting costs on to consumers. UK bank staff knew that customer complaints would not be taken seriously, so they became slothful, leading to an avalanche of fraud even though the banks spent more on security. Conversely, in the USA, banks were said to be generally liable for the costs of card fraud thanks to favourable consumer protection laws: when a customer disputes a transaction, the bank must either refund the money or bear the burden of proof.
This sort of consumer-friendly policy intervention should be encouraged in Nigeria. Policies that clearly spell out responsibility for security failures could greatly improve our cyber security posture.
We need to enact laws on data protection & breach disclosure
Nigeria does not have a comprehensive legislative framework for the protection of privacy and personal data. An all-inclusive data protection law that meets the minimum international standard would motivate companies and institutions to exercise due care when handling the customer data stored on their systems. The Digital Rights and Freedom Bill, which it is hoped will address some of these concerns, is still undergoing scrutiny in the National Assembly. The 1999 Constitution (as amended), the Cybercrime Act and the Acts establishing government agencies such as the NCC, NITDA, NIMC and NIS do provide some data- and privacy-related protections, but they fall short of a comprehensive framework.
But as far as we know, there is no mandatory legal requirement to report data security breaches or losses to the authorities or to the data subjects. Data breach disclosure laws require an entity that has suffered a data breach to notify its customers and other affected parties and to take further steps to remediate the damage caused by the breach. The first such law, the data security breach notification law of the US state of California, was enacted in 2002, and similar laws have since been adopted by most US states and by countries around the world. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.
Many organisations and institutions keep large databases of sensitive personal data that are attractive to cyber criminals. The NIMC, INEC, SIM card registration and BVN databases, for instance, are a goldmine for cyber criminals. But because these institutions perhaps do not shoulder the costs that follow from the theft of this data, they are not economically motivated to provide optimal security for those databases and systems. If your personal data is stolen from their systems, they would much rather not report it, in order to avoid bad publicity. Statistics on cyber fraud and cyber attacks are therefore often hidden from public view, which makes it hard to estimate the true scale of the risk. In the fight against cybercrime, policy makers have a role to play in ensuring the consistent collection and dissemination of relevant incident data. A mandatory data breach notification law is one sure means of achieving this.
According to Bruce Schneier, “there are three reasons for breach notification laws. One, it’s common politeness that when you lose something of someone else’s, you tell him. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information — or to refrain from collecting it in the first place. Think of it as public shaming. Companies will spend money to avoid the PR costs of this shaming, and security will improve. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.”
Security incidents are highly underreported, and until we know the actual figures, all efforts to manage the risk collectively may prove abortive. “To close this gap, a comprehensive Data Protection Law needs to be enacted in Nigeria. Until that is done, Nigeria’s cybersecurity policy and the laws enacted to date, will continue to struggle to meet the narrow and usually intractable cybercrime elements, with the now familiar subpar outcomes in investigation, enforcement and convictions” says Basil Udotai Esq.
In fact, some of our critical systems may already have been breached, but because such incidents are never reported, we are utterly blind to the magnitude of the risk. US Supreme Court Justice Louis Brandeis famously said: “sunlight is said to be the best of disinfectants; electric light the most efficient policeman”. A mandatory security breach disclosure law would bring to light the true magnitude of the cyber risk the country is exposed to. Many countries around the world have implemented such laws and are reaping the benefits, among them the US (48 states), the EU, India, Ghana and, more recently, Israel, Australia and South Africa. Nigeria must not be an exception if we are serious about improving our cyber security posture.