Legal Implications of Ransomware in Nigeria: Assessing Legal Risks, Regulatory Responsibilities, and Cybersecurity Compliance

INTRODUCTION

Ransomware has emerged as a critical threat, not just globally, but particularly in Nigeria. As Nigeria’s digital economy flourishes, the rise in cybercrime is alarming, correlating with an increase in digital transactions, internet usage, and dependency on online services. The Nigerian Communications Commission (NCC) reports that the country has incurred losses of $500 million due to cybercrime attacks. Deloitte emphasizes that the year 2024 saw an unparalleled escalation in cyber threats, affecting all sectors without exception. INTERPOL ranks Nigeria third in Africa, after Egypt and South Africa, for ransomware detections in 2024.

The repercussions of ransomware extend beyond mere technical and financial issues; they also seep into the legal and regulatory frameworks. Given the urgent need for organizations to safeguard data, networks, and report breaches, understanding Nigeria’s legal landscape surrounding ransomware is imperative.

This article delves into the legal risks, regulatory responsibilities, and compliance requirements Nigerian businesses face when dealing with ransomware attacks.

UNDERSTANDING RANSOMWARE IN THE NIGERIAN CONTEXT

Ransomware is a type of malicious software that either encrypts an organization’s data or locks users out of their systems, subsequently demanding payment for access restoration. While the mechanics are universally similar, the unique characteristics of Nigeria’s environment influence how these attacks manifest.

Attackers often gain entry through human error or unpatched technical flaws: phishing emails, weak passwords, or systems that have not received security updates. Increasingly popular among cybercriminals, ransomware-as-a-service allows groups to lease ready-made ransomware toolkits to affiliates, lowering the entry barrier for would-be attackers.

Beyond the technical implications, ransomware presents complex legal and regulatory challenges for victims. Data breaches can trigger mandatory reporting duties, contractual liabilities, and scrutiny from regulatory bodies like the Nigeria Data Protection Commission (NDPC/NITDA) and the Central Bank of Nigeria (CBN). For instance, banks under CBN supervision are required to report cybersecurity incidents, including ransomware, within 24 hours.

LEGAL RISKS ASSOCIATED WITH RANSOMWARE

The legal ramifications of ransomware attacks in Nigeria go far beyond immediate operational disruption, exposing organizations, their executives, and third-party service providers to various liabilities.

1. Criminal Liability:

The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended) serves as a comprehensive legal framework criminalizing numerous actions associated with ransomware, from its creation and dissemination to its use in extortion. This law dictates that knowingly developing or distributing malicious software like ransomware is a criminal offense, carrying steep penalties that reflect the seriousness of cyber threats.

In addition to spreading ransomware, related offenses such as unauthorized access to computer systems and data manipulation are punishable under this Act. For example, activities like data encryption to deny access are explicitly outlawed, and extortionate communications demanding ransoms via computer systems fall under criminal scrutiny.

2. Civil Liability:

Organizations may also bear civil liabilities as a consequence of ransomware breaches. Under tort law, there exists a general duty of care requiring organizations to protect the personal and financial data of clients, employees, and partners. If a ransomware attack occurs due to insufficient cybersecurity measures, affected parties may pursue legal action based on claims of negligence, breach of contract, or breach of privacy.

The Nigerian judiciary appears to be increasingly receptive to such plaintiffs, particularly where failures lead to identity theft or financial loss. For example, financial institutions that neglect to implement adequate cybersecurity could be liable for negligence or breach of confidentiality obligations. Despite the still-developing case law regarding ransomware, established principles of tort law mean that organizations may face consequences for foreseeable harm stemming from insufficient security.

3. Regulatory Liability and Fines:

On top of civil lawsuits, businesses in Nigeria confront statutory penalties for data security failures. The Nigeria Data Protection Act 2023 (NDPA) mandates that data controllers and processors adopt technical and organizational measures to protect personal data. Noncompliance can result in severe fines.

In addition to the Cybercrimes Act, sector-specific regulations impose sanctions for failing to meet prescribed cybersecurity standards and reporting protocols.

4. Corporate / Reputational Risk:

Ransomware can yield severe business consequences beyond legal repercussions. Publicly revealing a data breach may erode customer trust and damage a brand’s reputation. In regulated industries, heightened scrutiny from regulators could necessitate compliance audits or corrective actions, sometimes leading to the suspension of operating licenses if security issues persist.

REGULATORY DUTIES IMPOSED ON ORGANIZATIONS

  • Data Protection Obligation:

The Nigeria Data Protection Act 2023 (NDPA) and its implementing guidelines from the Nigeria Data Protection Regulation 2019 (NDPR) impose stringent obligations on all entities processing personal data. Under this regime, data controllers and processors must put in place robust measures to ensure data confidentiality, integrity, and availability.

In the event of unauthorized access or data loss due to ransomware, data controllers must inform the NDPC within 72 hours of becoming aware of a breach, especially if it poses risks to individuals’ rights. If the breach is deemed high-risk, those affected must be notified without undue delay.

Failing to adhere to these reporting and security mandates can lead to penalties, including fines up to 2% of annual gross revenue or ₦10 million. Organizations collecting or processing personal data must comply with the NDPA and NDPR obligations, even if the breaches arise from cybercriminal activity.

Additionally, the Cybercrimes Act requires prompt reporting of cyber incidents to the National Computer Emergency Response Team (ngCERT), within 72 hours of detection.

  • Sector-Specific Cybersecurity Obligations:

In addition to general data protection requirements, specific industries face tailored cybersecurity obligations. For instance, the CBN’s Risk-Based Cybersecurity Framework and Guidelines (2024) mandates that banks establish comprehensive cybersecurity structures, perform regular risk assessments, and notify the CBN of any cyber incidents within 24 hours of detection. Banks must also appoint qualified Chief Information Security Officers to oversee cybersecurity risk management.

Telecommunications operators are similarly bound by NCC regulations, necessitating the publication of acceptable-use policies and cybercrime awareness notices to subscribers, noncompliance with which could lead to penalties.

PRACTICAL CHALLENGES IN ENFORCEMENT AND COMPLIANCE

Nigeria grapples with various challenges in enforcing cybersecurity laws:

  • Limited enforcement capacity: Regulatory and law enforcement agencies in Nigeria are still developing their expertise. The cross-border and anonymous nature of ransomware makes prosecution difficult, often resulting in few successful convictions.
  • Regulatory overlap and uncertainty: Multiple agencies often have overlapping mandates, complicating compliance. Streamlining regulatory functions could alleviate this confusion.
  • Economic constraints: Budget limitations hinder businesses from investing in advanced cybersecurity solutions, pushing them toward untested local alternatives that may introduce new vulnerabilities.
  • Rapidly evolving threats: Cybercriminals continuously refine their methods, often outpacing regulatory responses and leaving organizations unprepared.
  • Awareness and culture: A significant number of Nigerian businesses, particularly smaller firms, may not fully grasp the legal implications of ransomware, highlighting the need for educational initiatives focused on cyber-risk awareness.

RECOMMENDATIONS FOR NIGERIAN BUSINESSES AND INSTITUTIONS

To effectively tackle ransomware risk and adhere to Nigeria’s legal stipulations, organizations should follow a comprehensive strategy:

  • Strengthen technical defenses: Keep systems up-to-date with security patches, utilize certified software, and adopt anti-malware tools. Multi-factor authentication and strict access controls should be implemented alongside encrypted backups to ensure data recoverability.
  • Implement data protection practices: Organize and encrypt sensitive data while ensuring compliance with data laws. Preparing for potential breaches involves designating a data protection officer and adhering to mandated notification timelines post-incident.
  • Governance and culture: Integrate cybersecurity into corporate governance, ensuring that management is actively engaged and employees receive training on operational security, incident response, and phishing awareness.
  • Incident preparedness and response: Establish a formal incident response framework in collaboration with sectoral response teams, and consider cyber-insurance to cover potential losses triggered by attacks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

James
