1. According to a report by Serianu, a Pan-African based cybersecurity and business consulting firm, Kenya’s economy lost more than Ksh. 29.5 billion to cyber-attacks in 2018.[1] The Communications Authority of Kenya further reported that cyber threats rose over 10% in the first quarter of 2019.[2] The National Cybersecurity Centre detected 51.9 million threats in the period 2018-2019, as compared to 22.1 million threats recorded in 2017-2018.[3] The Communications Authority has attributed the increase in the number of cyber security threats to the global increase in malware, including ransomware attacks, during this period.[4] This makes cyber security a very pertinent issue in Kenya.
  2. Cyber security in Kenya is governed by various provisions of law, including Article 31 of the Constitution of Kenya 2010, the Kenya Information and Communications Act No. 2 of 1998, the Computer Misuse and Cybercrimes Act No. 5 of 2018 and the Data Protection Act No. 24 of 2019.
  3. The Kenya Information and Communications Act defines cyber security as the collection of tools, policies, security concepts, guidelines, security safeguards, risk management approaches, actions, best practices, assurance and technologies that can be used to protect cyber technologies.[5]
  4. The Computer Misuse and Cybercrimes Act gives no description of what cyber security entails; however, it lists some of the cybercrimes. These include cybersquatting (Section 2 and Section 28), which is the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation or deprive another from registering the same. In most cases, cyber squatters register, sell or use the domain name with the intent of profiting from the goodwill of someone’s trademark.[6]
  5. Cyber-squatting is therefore a cybercrime and an infringement of trademark, and attracts a penalty of a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years or both.[7]
  6. Another cybercrime provided for in the Computer Misuse and Cybercrimes Act is cyber espionage, under Section 21. This is an offence where a person unlawfully and intentionally performs, or allows another person to perform, a prohibited act of gaining access to critical data or intercepting data from within a critical database or a national critical information infrastructure with the intention to directly or indirectly benefit a foreign state against Kenya. This attracts a penalty of twenty years imprisonment upon conviction or a fine not exceeding ten million shillings or both.[8]
  7. Others include phishing,[9] where a person creates or operates a website or sends a message through a computer system with the intention to induce the user to disclose personal information for an unlawful purpose or to gain unauthorised access to a computer system. Phishing attracts a penalty of imprisonment for a term not exceeding three years upon conviction or a fine not exceeding three hundred thousand shillings.
  8. However, the most prominent cybercrimes in Kenya now are: false publications, where false news is publicised, which upon conviction attracts a fine not exceeding five million shillings or imprisonment not exceeding ten years or both; computer fraud; computer hacking; money transfer fraud; credit card fraud; cyber terrorism, whose penalty upon conviction is a fine not exceeding five million shillings or imprisonment not exceeding ten years or both; and computer harassment, which attracts a twenty million shillings fine and a term not exceeding ten years or both.[10]
  9. Recent cyber threats include threats to non-governmental organisations, government agencies and e-commerce platforms. An Indonesian hacker group, Kurd Electronic Team, hacked into a host of websites for the National Youth Service and Integrated Financial Management System portals in June 2019.
  10. E-commerce platforms like Jumia Technologies AG, Jumia Kenya, have not been spared either, with the platform reporting that it lost Sh. 118 million in the past two years due to cyber fraud.[11] Additionally, Jumia Kenya reports that it lost millions of shillings due to consumer cyber fraud and robbery.[12]
  11. Cyber threats have also led to the loss of millions of shillings from banks, such as the Barclays Bank ATMs within the country that lost Ksh. 11 million in April 2019.[13] Due to such trends in the banking sector, the Central Bank of Kenya issued guidelines referred to as the Cybersecurity Guideline for Payment Service Providers.[14] The Guidelines were in line with the CBK’s mandate under Section 31(2)(b) of the National Payment Systems Act, 2011. The guidelines’ main objectives are to promote stability in the Kenyan system subsector and to create a safer and more secure cyberspace that underpins information systems security priorities.[15]
  12. The World Economic Forum, in its executive opinion in September 2019, reported that cyber-attacks were among the biggest risks for businesses in Kenya.[16] Despite all this, there has not been an increase in the prosecution of cyber culprits.
  13. Given the nature of cybercrimes, there are scant local judicial pronouncements on the various breaches, but there are likely to be many in the near future.
  14. Another challenge is the foreign element in the case of Over the Top (OTT) providers. The OTTs have their headquarters abroad but provide services worldwide. For instance, WhatsApp is based in Mountain View, California, United States and Facebook in Menlo Park, California, United States.
  15. OTTs are registered and run from different parts of the world. The internet is used globally and does not fall within any particular jurisdiction. However, the OTTs have substantial contact with the Kenyan market, where they do their business, and this has resulted in conflict between them and local telecommunication companies, which argue that the applications are usurping their revenues and pose a security threat since the calls are encrypted.
  16. Under the current system, in order to decide what state’s or nation’s laws govern disputes that arise over Internet issues, a court must first decide “where” Internet conduct takes place, and what it means for Internet activity to have an “effect” within a state or nation.
  17. Cyber security is therefore a key concern for many companies in Kenya and around the world. The key takeaway for companies embarking on digital transformation is that they should never undervalue the importance of good cyber security practices.[17] Additionally, with ongoing digitalization changing society, people are more aware of and concerned about their rights to privacy and the protection of their data and technologies.
  18. To help curb the issue of cyber security, the new Data Protection Act 2019 has incorporated measures and procedures to be followed to ensure protection of personal data.[18] The Computer Misuse and Cybercrimes Act was enacted for this reason, but it has not been as effective as was hoped. Other attempts to curb cybercrimes have been the provision of guidelines such as those of the Sacco Societies Regulatory Authority (SASRA) and the CBK.

If you have any query regarding the same, please do not hesitate to contact Melanie Munyori or Judy Mumbi at melanie@wamaeallen.com or mumbi@wamaeallen.com. Note that this alert is meant for general information only and should not be relied upon without seeking specific subject matter legal advice.

[1] Africa Cyber Security Report-Kenya, Serianu (2018) <https://www.serianu.com/downloads/KenyaCyberSecurityReport2018.pdf> accessed 7 December 2019.

[2] Wainaina Wambu, ‘Surge in cyber attacks presents new opportunities for insurers’ Standard Media (Nairobi, 10 September 2019) <https://www.standardmedia.co.ke/business/article/2001341416/surge-in-cyber-attacks-presents-new-opportunities-for-insurers> accessed 7 December 2019.

[3] Adonijah Ochieng, ‘Focus on awareness as Kenya’s cyber threats jump to 135pc’ Business Daily (Nairobi, 30 September 2019) <https://www.businessdailyafrica.com/datahub/Focus-on-awareness–as-Kenya–threats-jump/3815418-5292602-4n0mhb/index.html> accessed 8 December 2019.

[4] Adonijah Ochieng, ‘Focus on awareness as Kenya’s cyber threats jump to 135pc’ Business Daily (Nairobi, 30 September 2019) <https://www.businessdailyafrica.com/datahub/Focus-on-awareness–as-Kenya–threats-jump/3815418-5292602-4n0mhb/index.html> accessed 8 December 2019.

[5] Kenya Information and Communications Act No. 2 of 1998, Laws of Kenya, Section 2.

[6] NOLO, ‘Cybersquatting: What It Is and What Can Be Done About It’ <https://www.nolo.com/legal-encyclopedia/cybersquatting-what-what-can-be-29778.html> accessed 7 December 2019.

[7] Computer Misuse and Cybercrimes Act No. 5 of 2018, Section 28.

[8] Computer Misuse and Cybercrimes Act No. 5 of 2018, Section 21(1).

[9] Computer Misuse and Cybercrimes Act No. 5 of 2018, Section 30.

[10] Computer Misuse and Cybercrimes Act No. 5 of 2018, Section 27.

[11] Adonijah Ochieng, ‘Focus on awareness as Kenya’s cyber threats jump to 135pc’ Business Daily (Nairobi, 30 September 2019) <https://www.businessdailyafrica.com/datahub/Focus-on-awareness–as-Kenya–threats-jump/3815418-5292602-4n0mhb/index.html> accessed 8 December 2019.

[12] Annie Njanja, ‘How Jumia Lost Millions in Cyber fraud and robbery’ Business Daily (Nairobi, 13 March 2019) <https://www.businessdailyafrica.com/corporate/companies/Jumia-lost-millions-in-cyber-fraud/4003102-5023944-89xnyoz/index.html>

[13] Adonijah Ochieng, ‘Focus on awareness as Kenya’s cyber threats jump to 135pc’ Business Daily (Nairobi, 30 September 2019) <https://www.businessdailyafrica.com/datahub/Focus-on-awareness–as-Kenya–threats-jump/3815418-5292602-4n0mhb/index.html>

[14] Central Bank of Kenya, ‘Cybersecurity Guidelines for Payment Service Providers’ <https://www.centralbank.go.ke/2019/07/05/cybersecurity-guideline-for-payment-service-providers/>

[15] Central Bank of Kenya, ‘Cybersecurity Guidelines for Payment Service Providers’ <https://www.centralbank.go.ke/2019/07/05/cybersecurity-guideline-for-payment-service-providers>

[16] Adonijah Ochieng, ‘Focus on awareness as Kenya’s cyber threats jump to 135pc’ Business Daily (Nairobi, 30 September 2019) <https://www.businessdailyafrica.com/datahub/Focus-on-awareness–as-Kenya–threats-jump/3815418-5292602-4n0mhb/index.html>

[17] Amer Owaida, ‘Cybersecurity Trends 2020: Technology is getting Smarter are we?’ (WeLiveSecurity, 10 December 2019) <https://www.welivesecurity.com/2019/12/10/cybersecurity-trends-2020-technology-is-getting-smarter-are-we/>

[18] Data Protection Act No. 24 of 2019, Part IV.

About the author

Melanie is a transactional advocate specializing in real estate, securitization, banking and finance

Advocate Trainee, 2020