The Order of Spoofing Emails and Business Emails Compromise: Perspectives from Nigeria

A. Introduction and Perspective:

1. The growth and use of the internet and intranets afford the user advanced information accessibility including simplified communications processes. With this growth has also come the tremendous increase in internet-related crimes, properly identified as “cybercrimes”. Cybercrimes largely refer to criminal activities committed against or by using computers especially to illegally access, transmit, or manipulate information. 

2. In recent times, many businesses have faced a heightened level of cybersecurity risk. These risks are perpetrated through a number of cybercrimes, such as identity theft, cyberstalking, cybersquatting, phishing, spamming, the spread of computer viruses, internet fraud, business email compromise (BEC) and spoofing.

3. Statistically, different variations of cybercrime have been recorded daily all over the world since 2006. Nigeria, for its part, has acquired worldwide notoriety for criminal activities facilitated through the use of the internet, the most recent being the widely reported case of the alleged internet fraudster Ramoni Igbalode Abass, who goes by the alias “Hushpuppi”.

4. Cybersecurity has since attained national significance, as cybercrimes have gone beyond attacks on individuals and businesses to attacks on countries and the international public service. In September 2019, an internationally coordinated law enforcement operation spanning the United States, United Kingdom, Nigeria, Kenya, Ghana, France, Italy, Japan, Turkey and Malaysia resulted in 281 arrests of cybercriminals worldwide. Nigeria ranked no. 43 in Europe, the Middle East and Africa, and was further ranked third among the ten nations that commit cybercrimes in the world. Cybersecurity will continue to be a global discourse requiring national policies, strategies and implementation.

5. Spoofing and BEC occur when a cybercriminal successfully impersonates another party by falsifying data, including the sender’s email address, to gain an illegitimate advantage. Cyber threat actors commonly spoof electronic communications from the targeted organisation or a trusted partner or director in an attempt to illicitly extract information from a recipient, harvest user login credentials, commit fraud or deliver malware. Spoofing makes malicious activity in electronic communication harder to identify, since the true identity of the sender is not apparent without close inspection of the message. The consequences of a successful spoofing attack may include the disclosure of sensitive information about an organisation’s clients, employees and vendors; the compromise of login credentials on the various e-platforms, including financial platforms, that an organisation transacts with from day to day; and the infection of the organisation’s systems with malware.
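The “close inspection” referred to above can be partly automated on the receiving side. The following Python script is an added example and not part of the original article: it parses a constructed message whose From header claims to be a company director and flags header-level indicators of sender spoofing (Reply-To and Return-Path domains that differ from the From domain, and failed SPF or DMARC results recorded by the receiving mail server). All domains, names and header values are placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (placeholder domains): the From header claims
# to be the finance director, but Reply-To and Return-Path point elsewhere
# and the receiving server recorded failed SPF and DMARC checks.
SAMPLE = """\
From: "Finance Director" <director@example-company.com>
Reply-To: director@example-company-invoices.com
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example-company.com; spf=fail; dkim=none; dmarc=fail
Subject: Urgent: update vendor bank details
To: accounts@example-company.com

Please process the attached invoice today.
"""

# Authentication results that should be treated as a failed check.
FAILING_RESULTS = {"fail", "softfail", "permerror"}


def sender_domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _name, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def spoofing_indicators(raw_message: str) -> "list[str]":
    """Return human-readable indicators that the sender may be spoofed."""
    msg = email.message_from_string(raw_message)
    from_domain = sender_domain(msg.get("From", ""))
    findings = []

    # A legitimate internal sender rarely routes replies or bounces through
    # a different domain; a mismatch is a classic BEC tell.
    for header in ("Reply-To", "Return-Path"):
        domain = sender_domain(msg.get(header, ""))
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from From domain {from_domain}")

    # Results the receiving mail server recorded for SPF, DKIM and DMARC.
    auth = msg.get("Authentication-Results", "")
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", auth)
        if match and match.group(1).lower() in FAILING_RESULTS:
            findings.append(f"{mechanism.upper()} result is {match.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE):
        print("suspicious:", finding)
```

A message with no findings is not proof of legitimacy, since a compromised account passes every one of these checks; the script only surfaces the header mismatches a reader would otherwise have to spot by hand.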

6. This article focuses on the legal regime on the cybercrimes of spoofing and BEC; specifically highlighting organisations’ obligations on the protection and safety of personal data that they process or keep.

B. The Nigerian Cybercrimes Act

7. The Nigerian Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 (the Cybercrimes Act) provides an effective, unified and comprehensive legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria. The Cybercrimes Act also provides protection of critical national information infrastructure, and promotes cybersecurity and the protection of computer systems, networks, electronic communications, data and computer programs, and privacy rights.

8. The Cybercrimes Act empowers the President to designate certain computer systems, networks, computer programs, computer data and information infrastructure that are vital to the national security and public health and safety of Nigeria, or to the economic and social well-being of its citizens, as constituting critical national information infrastructure (CNII). The President may prescribe minimum standards, guidelines, rules or procedures in this respect.

9. The Cybercrimes Act prescribes a punishment of imprisonment for a term of not more than 10 years and/or a maximum fine of ₦5,000,000 for an offence committed against a system or network that has been designated CNII. Where the offence results in grievous bodily harm to any person, the offender will be liable on conviction to a term of imprisonment of not more than 15 years, and where it results in the death of a person, to life imprisonment.

10. Where a person unlawfully accesses a computer system or network for fraudulent purposes and obtains data that are vital to national security, that person will upon conviction be liable to an imprisonment term of between 1 year and 7 years and/or a fine of up to ₦7,000,000.

11. Where, however, a person or organisation unlawfully traffics in any password or similar information through an accessible computer, and such trafficking affects public, private or individual interests within or outside Nigeria, that person shall be liable on conviction to a fine of not more than ₦7,000,000 and/or imprisonment for a term of not more than 3 years.

12. For organisations found guilty, the Act does not expressly state whether the corporate veil will be lifted so that the implicated officers serve the term. For public institutions, it is noted that the Data Protection Bill (discussed below), if it becomes law, will hold responsible: the Permanent Secretary or Chief Executive Officer, for institutions in the Executive arm; the Clerk to the National Assembly, State House of Assembly or Local Government Legislative Council at the applicable level of Government, in the Legislative arm; the Secretary of the National Judicial Council or the relevant Chief Registrar, for the Judiciary; and the Chief Executive Officer, for other public institutions.

13. Although the Cybercrimes Act makes provision for a number of cybercrimes, it does not specifically address spoofing and BEC. This does not, however, prevent the prosecuting authority from prosecuting these crimes, since other cybercrimes provided for under the Cybercrimes Act constitute ingredients of spoofing and BEC. Cybercrimes such as identity theft, computer-related forgery, computer-related fraud, phishing, spamming and the use of fraudulent devices or attached emails and websites are largely similar to spoofing and BEC.

14. The Cybercrimes Act mandates service providers to retain all traffic data and subscriber information, having due regard to an individual’s constitutional right to privacy, and to take appropriate measures to safeguard the confidentiality of the data retained, processed or retrieved for the purposes of law enforcement. A service provider is any public or private entity that provides users of its services with the ability to communicate by means of a computer system, electronic communication devices or mobile networks, and any other entity that processes or stores computer data on behalf of such a communication service or its users.

15. With the recent legislative trend towards the protection of personal data and measures against cybercrime, various obligations have been placed on organisations and other persons that act as data controllers and processors. Most significant are the reporting obligations imposed where there is a data breach or a cyberattack on an organisation’s database. Such disclosures support a proactive approach by the relevant regulatory authorities to combating cybercrime in Nigeria.

C. The Nigeria Data Protection Regulation (the “NDPR”)

16. The National Information Technology Development Agency (NITDA) is statutorily mandated by the NITDA Act of 2007 to develop regulations for electronic governance and for monitoring the use of information technology and electronic data. Conscious of the concerns around privacy and the protection of personal data, and of the grave consequences of leaving personal data processing unregulated, NITDA issued the Nigeria Data Protection Regulation, 2019 (NDPR).

17. The key objectives of the NDPR are: to safeguard the rights of natural persons to data privacy; to foster safe conduct for transactions involving the exchange of personal data; to prevent the manipulation of personal data; and to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework, in tune with best practices. 

18. The NDPR has a limited scope as it seeks only to protect the personal data of data subjects. The NDPR predominantly promotes the data subject’s rights to the ownership and control of his or her personal data. Data subjects, under the NDPR, are persons who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to physical, physiological, mental, economic, cultural or social identity. 

19. In order to protect against data breaches and cyber-attacks, the NDPR imposes the following obligations on data controllers, that is, the obligation to:

19.1 obtain the consent of a data subject before processing their personal data;

19.2 inform the data subject of the nature of the data being collected and the purposes for which such data will be processed or used;

19.3 develop security measures, such as firewalls and data encryption technologies, to protect data;

19.4 ensure that third parties receiving personal data comply with the NDPR by executing written contracts;

19.5 ensure that international organisations or foreign countries receiving personal data have adequate levels of protection;

19.6 not breach the rights of data subjects; and

19.7 notify NITDA within 72 hours of any data breach.

20. All these obligations are monitored through an annual data protection audit for data controllers who either process the personal data of more than 1,000 data subjects in a period of six months or who process the personal data of more than 2,000 data subjects in a period of 12 months. 

21. The maximum penalty for a breach of data privacy rights is up to ₦10 million or 2% of the data controller’s annual gross revenue for the preceding year, whichever is greater, depending on the number of data subjects dealt with.

D. The Data Protection Bill

22. The Data Protection Bill, 2020 (the “Bill”) seeks to establish a Data Protection Commission which shall be responsible for the protection of personal data, rights of data subjects, regulation of the processing of personal data and all matters related.

23. The Bill stipulates an annual audit for every data controller, without the numerical threshold applied under the NDPR.

24. The Bill further obliges a data controller to put in place optimal technical and managerial measures to protect personal data against risks such as destruction, loss, use, modification or disclosure. Notably, the data controller shall take into account state-of-the-art data security techniques and technology in the field of data processing, commensurate with the seriousness and probability of the potential risk.

25. The Bill provides that data controllers must establish a process to regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of their data processing. 

26. A warrant may be issued by a Judge upon satisfaction that the warrant is for the purpose of investigating cybercrime, cybersecurity breach, computer-related offences or obtaining electronic evidence. 

E. International Treaties

27. The African Union Convention on Cybersecurity and Personal Data Protection (the “Malabo Convention”) was adopted at the 23rd Ordinary Session of the Assembly, held in Malabo, Equatorial Guinea on 27th June 2014.

28. The Malabo Convention aims to deal with various aspects of information technology: electronic transactions, personal data protection, cybersecurity and cybercrimes. It sets forth the security rules essential for establishing a credible digital space for electronic transactions, personal data protection and combating cybercrime. 

29. Under the Malabo Convention, each State Party is expected to commit to establishing a legal framework aimed at strengthening fundamental rights and public freedoms, protection of physical data, and punishing any violation of privacy without prejudice to the free flow of personal data.

30. Each State Party to the Malabo Convention is expected to adopt such legislative and/or regulatory measures as it deems necessary to confer specific responsibility on institutions and their officials in relation to their responses to cybersecurity incidents, and to coordination and cooperation in the fields of restorative justice, forensic investigations, prosecutions and the like.

31. State Parties are charged with the responsibility for clear accountability in matters of cybersecurity at all levels of Government, by defining their roles and responsibilities in precise terms. 

32. While Nigeria is a Member State of the African Union, it is yet to either sign or ratify the Malabo Convention.

F. Conclusion

33. Spoofing and BEC are cybercrimes which, although Nigeria’s Cybercrimes Act does not expressly name them, can be punished as some of the other offences defined and punished under the Cybercrimes Act. While businesses have no control over the criminal attempts of cybercriminals, they have an obligation to ensure the security and protection of the personal data that they process; the NDPR currently enforces this. Accordingly, a business that falls victim to spoofing or BEC only because it refused or neglected to implement adequate data protection practices faces double liability or loss. The same information and communication technology that should give businesses advanced information accessibility and simplified communications processes should not become their nemesis only because data protection, and its attendant budgetary cost, was relegated to the back burner by the business’ leadership.

For further information on the foregoing (none of which should be taken as legal advice), please contact:

Bidemi Olumide

Partner

bidemi.olumide@ao2law.com

Kitan Kola-Adefemi

Associate

kitan.kola-adefemi@ao2law.com
