Computer Misuse and Cyber Crimes Act Bill of 2018

The Computer Misuse and Cybercrimes Act of 2018 was drafted and assented to on the 16th May 2018. It comes into force in a few days, (30th May 2018). The bill is set to monitor, control and get rid of cybercrimes, which have been on the rise recently The bill received contributions from ICT stakeholders as well as part of the public

It is an ACT of Parliament to provide for offences relating to computer systems; to enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes; to facilitate international co-operation in dealing with computer and cybercrime matters; and for connected purposes.

There is established the National Computer and Cybercrimes Co-ordination Committee that came as a result of the bill, some of the functions of the committee are;

  • advise the Government on security related aspects touching on matters relating to blockchain technology, critical infrastructure, mobile money and trust accounts;
  • advise the National Security Council on computer and cybercrimes;
  • co-ordinate national security organs in matters relating to computer and cybercrimes;
  • receive and act on reports relating to computer and cybercrimes;
  • develop a framework to facilitate the availability, integrity and confidentiality of critical national information infrastructure including telecommunications and information systems of Kenya;
  • co-ordinate collection and analysis of cyber threats
  • establish codes of cyber-security practice and standards of performance for implementation by owners of critical national information infrastructure;
  • develop and manage a national public key infrastructure framework;
  • develop a framework for training on prevention and mitigation of computer and cybercrimes and matters connected thereto

The offences include, Unauthorized access of information (infringing security measures, with intent to gain access, and knowing such access is unauthorized,) is liable on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both.

Access to unauthorized information with intent to commit further offence, is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding ten years, or to both.

Unauthorized interference caused by having unauthorized information, which may result to significant financial loss to any person; threatens national security; causes physical injury or death to any person; or threatens public health or public safety, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.

Unauthorized interception through transmission of data to or from a computer system over a telecommunication system commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. Unauthorized interception is not directed at – a telecommunication system; any particular computer system data; a program or data of any kind; or a program or data held in any particular computer system. It is immaterial whether an unauthorized interception or any intended effect of it is permanent or temporary. If threatens public health or public safety, is liable, on conviction to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.

Illegal devices and access codes. A person who knowingly manufactures, adapts, sells, procures for use, imports, offers to supply, distributes or otherwise makes available a device, program or in possession of a program or computer password, access code or similar data designed or adapted primarily for the purpose of committing any offence under this Part, commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. However, the above activities, do not constitute an offence if any act intended for the authorized training, testing or protection of a computer system; or the use of a program or a computer password, access code, or similar data is undertaken in compliance of and in accordance with the terms of a judicial order issued or in exercise of any power under this Act or any law.

Unauthorized disclosure of password or access code, for any wrongful gain, for any unlawful purpose; or to occasion any loss, is liable, on conviction, up to a fine not exceeding 10 million shillings or to imprisonment for a term not exceeding five years, or to both.

Enhanced penalty for offences involving protected computer system, that person shall be liable, on conviction, to a fine not exceeding twenty five million shillings or imprisonment for a term not exceeding twenty years or both.

Cyber espionage, by unlawfully and intentionally performing or authorizing or allowing another person to perform a prohibited act envisaged in this Act, in order gain access to critical data, a critical database or a national critical information infrastructure; or intercept data, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable, on conviction, to imprisonment for a period not exceeding twenty years or to a fine not exceeding ten million shillings, or to both.

False publications, by intentionally publishing false, misleading or fictitious data or misinforms with intent that the data that is likely to propagate war; or incite persons to violence; or constitutes hate speech, or constitutes ethnic incitement, or negatively affects the rights or reputations of others or Vilification of others or incitement to cause harm shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both.

Publication of false information. A person who knowingly publishes information that is false in print, broadcast, data or over a computer system, that is calculated or results in panic, chaos, or violence among citizens of the Republic, or which is likely to discredit the reputation of a person commits an offence and shall on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both.

Child pornography. A person who, intentionally publishes child pornography through a computer system; produces child pornography for the purpose of its publication through a computer system; downloads, distributes, transmits, disseminates, circulates, delivers, exhibits, lends for gain, exchanges, barters, sells or offers for sale, lets on hire or offers to let on hire, offers in another way, or make available in any way from a telecommunications apparatus pornography; or possesses child pornography in a computer system or on a computer data storage medium, commits an offence and is liable, on conviction, to a fine not exceeding twenty million or to imprisonment for a term not exceeding twenty five years, or both. With exceptions of publication which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, art, representation or figure is in the interest of science, literature, learning or other objects of general concerns.

Computer forgery attracts a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.

Computer fraud, unlawfully gains; occasions unlawful loss to another person; or obtains an economic benefit for oneself or for another person is liable, on conviction, to a fine not exceeding twenty million shillings or imprisonment term for a term not exceeding ten years, or to both.

Cyber harassment, communicating either directly or indirectly, with another person is likely to cause those persons’ apprehension or fear of violence to them or damage or loss on that persons’ property; or detrimentally affects that person; or is in whole or part, of an indecent or grossly offensive nature and affects the person is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.

Cybersquatting, through intentionally taking or making use of a name, business name, trademark, domain name or other word or phrase registered, owned or in use by another person on the internet or any other computer network, without authority or right, commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years or both.

Identity theft and impersonation by fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person commits an offence and is liable, on conviction, to a fine not exceeding two hundred thousand shillings or to imprisonment for a term not exceeding three years or both.

Phishing. A person who creates or operates a website or sends a message through a computer system with the intention to induce the user of a website or the recipient of the message to disclose personal information for an unlawful purpose or to gain unauthorized access to a computer system, commits an offence and is liable upon conviction to a fine not exceeding three hundred thousand shillings or to imprisonment for a term not exceeding three years or both.

Interception of electronic messages or money transfers attracts a fine not exceeding two hundred thousand shillings or to a term of imprisonment not exceeding seven years or to both.

Willful misdirection of electronic messages is liable on conviction to a fine not exceeding one hundred thousand shillings or to imprisonment for a term not exceeding two years or to both.

Cyber terrorism through accessing a computer or computer system or network for purposes of carrying out a terrorist act, commits an offence and shall on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both.

Fraudulent use electronic data will attract a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.

Reporting of cyber threat. If one is found not to have reported, is liable upon conviction a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.

Aiding or abetting in the commission of an offence under this ACT will attract a fine of not exceeding seven million shillings or to imprisonment for a term not exceeding four years, or to both.

Offences by a body corporate and limitation of liability under this ACT, the body corporate is liable, on conviction, to a fine not exceeding fifty million shilling.

The Act – which spells out stiff punishment to cybercriminals – provides for timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes. This includes search and seizure of stored computer data, record of and access to seized data, production order for data, expedited preservation, partial disclosure, real-time collection and interception of data.