How breach disclosure and liability laws could improve Nigeria’s cyber security posture

In the last few years, various sectors of the Nigerian economy have been undergoing digital transformation. As the country gradually transitions from the margins to the mainstream of the digital economy, we are increasingly exposed to new risks that threaten our personal, corporate and national security. Some of the new risks posed by this increased digitization of our society include: data breach, cyber heist, identity theft, etc.

In April this year, Kaspersky Lab published a report about the activities of a notorious hacking group known as Lazarus, allegedly responsible for the theft of 81 million dollars from the Central Bank of Bangladesh in 2016. The report stated that Lazarus Group malicious software samples typically used for cyber fraud appeared in financial institutions in Nigeria and some other countries.

Furthermore, the Nigerian Senate a few weeks ago raised an alarm about the threatening dimensions of cyber-attacks on Nigerian firms. Similarly, the CBN Governor during the recently concluded Nigeria Electronic Fraud Forum (NeFF) Stakeholders Workshop on Cybercrime, called for an appropriate legal framework to tackle the increasing wave of all forms of cybercrime in the country.

The unfortunate thing about the law though is that it always plays catch up with technology and struggles to keep pace with changing times. In the light of the foregoing, it has become imperative for Nigeria to close the wide gap that exists between law and technology. There is an urgent need to overhaul or possibly enact new laws and policies to tackle the increasing spate of cybercrime in accordance with international best practices. The existing Cybercrime law is a good starting-point but it’s definitely not enough. Thankfully, there are two key policy intervention areas that have the potential to offer hope in the face of the prevailing cyber security challenges:

Assignment of liability for security failures

Computer systems just like other systems are likely to fail when the entity guarding them is not the entity who suffers when failure occurs. Professor Ross Anderson of the Cambridge University once said: “many hard security problems can actually be managed if we can appropriately assign responsibility when things go wrong”.

Software developers for example are often in a hurry to launch their products and online businesses in order to beat competition and in doing so, often times overlook security concerns. When hackers exploit those overlooked security concerns, who takes responsibility for the resulting damages? Liability laws (used in a manner that does not stifle innovation) provide the necessary incentive to compel software developers to write secure codes.

Security researchers have shown that many of the typical cyber security challenges we encounter are in some way a consequence of misaligned incentives. ISPs, banks, telecoms and webhosting companies and other intermediary institutions for example are in a good position to detect, prevent, and block cybercrime; and to a large extent should be made liable when things go wrong. This is the kind of incentive that is required to force them to beef up security.

It appears regulations or the lack of it favours most of these institutions in Nigeria; especially when consumer protection laws are equally weak or non-responsive to modern needs of consumers in the digital economy. According to a renowned ICT lawyer and former Director of Cybersecurity, office of the NSA, Basil Udotai Esq, “Issues around damages for data security and responsibility for breaches, which admittedly are matters for civil law, are left at the mercy of contracts. Against operators and intermediary companies, customers have no chance at those contract negotiations, as all terms and conditions are predetermined, usually with regulatory sanction. Thus, not only is there no liability for data security violations, there are no legally backed responsibility on the part of the operator to take any actions — even to alert data subjects or the public, following breaches”. There would be a marked improvement in security if the responsibility for failures is clearly assigned to the entity saddled with the responsibility of protecting data. If cyber criminals are beyond reach of law and a third party is in good position to detect/prevent the crime, then indirect intermediary liability becomes a viable option.

It was said that back in the 1990s, regulations favoured UK banks over customers. Customers who complained about fraud were easily dismissed by simply claiming that their systems were ‘secure’. Over time, fraud was no longer taken seriously as they could easily pass off the resultant costs to consumers. UK bank staff knew that customer complaints would not be taken seriously, so they became slothful, leading to an avalanche of fraud even though they spent more on security. Conversely, in the USA, banks were said to be generally liable for the costs of card fraud due to favourable consumer protection laws; when a customer disputes a transaction, the bank must either refund the money or be left with the burden of proof.

This sort of consumer friendly policy intervention should be encouraged in Nigeria. Policies that clearly spell out responsibility for security failures could greatly improve our cyber security posture.

Data protection & breach disclosure law

Nigeria does not have a comprehensive legislative framework on the protection of privacy and personal data. An all-inclusive data protection law that meets the minimum international standard would motivate companies and institutions to exercise due care when dealing with customer data stored on their systems. The Digital Rights and Freedom Bill which is hoped to address some of these concerns is still undergoing scrutiny in the National Assembly. However, the 1999 constitutions (as amended), the cybercrime act, as well as the act establishing some governmental agencies such as NCC, NITDA, NIMC, and NIS provide some data and privacy-related protections.

But as far as we know, there is no mandatory legal requirement to report data security breaches or losses to the authorities or to data subjects. The International organization for Standards (ISO) defines a data breach as compromise of security that leads to the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data. It is basically an incident in which protected confidential data has been accessed or stolen by unauthorized persons.

Data breach disclosure laws require an entity that has been subject to a data breach to notify their customers and other parties about the breach and take other steps to remediate damages caused by the breach. The first such law, the US state of California data security breach notification law, was enacted in 2002 and have since been adopted by most US states and countries around the world. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.

Many organisations and institutions keep large databases of sensitive personal data that is attractive to cyber criminals. For instance, NIMC, INEC, SIM card registration and BVN databases are a goldmine for cyber criminals. But because these institutions perhaps don’t shoulder the cost associated with the theft of these data, they’re not economically motivated to provide optimal security for those databases or systems. If your personal data is stolen from their systems, they would much rather not report it in order to avoid bad publicity. Security experts agree that most cyber security risk can be managed if it can be effectively measured. Financial fraud statistics are often hidden from public view, which makes it hard to estimate the true enormity of cybercrime risks. In the fight against cybercrime, policy makers have a role to play in ensuring consistent collection and dissemination of relevant incident data. Mandatory data breach notification law is one sure means of ensuring this.

According to Bruce Schneier, “there are three reasons for breach notification laws. One, it’s common politeness that when you lose something of someone else’s, you tell him. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information — or to refrain from collecting it in the first place. Think of it as public shaming. Companies will spend money to avoid the PR costs of this shaming, and security will improve. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.”

Security incidents are highly under reported, and until we know the actual figures all efforts to collectively manage the risk may prove abortive. The Nigeria Computer Emergency Response Team (ngCERT) was established primarily to manage cyber risks and respond to computer security incidents in the country. But a situation where corporate entities are perhaps not legally obligated to report incidents, managing cyber risk becomes extremely difficult because the statistics are hard to come by. In contrast, the Indian Computer Emergency Response Team (CERT-In) by law imposes mandatory notification requirements on service providers, data centers, corporate entities and other intermediaries upon the occurrence of cyber security incident. They in turn publish the statistics and coordinate cyber incident response activities.

“To close this gap, a comprehensive Data Protection Law needs to be enacted in Nigeria. Until that is done, Nigeria’s cybersecurity policy and the laws enacted to date, will continue to struggle to meet the narrow and usually intractable cybercrime elements, with the now familiar subpar outcomes in investigation, enforcement and convictions” says Basil Udotai Esq. Section 5.2.4 of the National Cybersecurity Strategy document of Nigeria states that: “where existing laws are inadequate, a review or new legislative processes should commence to address legal vacuum that will hinder operations of the national CERT.”

Do we know the magnitude or the true cost of cybercrime in Nigeria? Figures have been put out there but does it truly reflect the actual state of things going by reports of increasing cyber attacks here and there? In fact some of our critical systems may have already been breached but because they are never reported, we are utterly blind to the enormity of the risk — the customers are the ones that suffer the damage. A famous US Supreme Court Justice Louis Brandeis once said: “sunlight is said to be the best of disinfectants; electric light the most efficient policeman”. Mandatory data breach disclosure law will bring to light the true magnitude of cyber risk that the country is exposed to.

In an era where security breaches are a matter of when, not if, cyber security ought to be a matter of top priority for all institutions. The executive, legislators, policy makers and regulatory agencies need to wake up to their responsibilities in this regard. The security of our cyberspace is the responsibility of the leadership. Many countries around the world have implemented this law and are ripping the benefits. Examples include the US (48 states), the EU, India, Ghana and more recently Australia and South Africa. Many notable security breaches that we know of today such as Adobe Systems, Dropbox, eBay, LinkedIn, Sony Pictures and Yahoo hacks came to light as a result of this law. Nigeria must not be an exception if we are serious about fighting cyber crime. It is not enough to deal with just the symptoms; we must tackle it from the root using appropriate legal frameworks like the CBN Governor advocated.

A version of this article appeared on Thisday newspaper (print edition)