Cybersecurity 2021

Last Updated March 16, 2021

Kenya

Law and Practice

Authors



Gikera & Vadgama Advocates (GVA) was established in 2010 and is one of Kenya’s leading law firms. The firm has a growing presence in East Africa and continues to expand through its established strategic partners. GVA comprises a team of 14 advocates positioned in three strategic locations across the country (Nairobi, Nanyuki and Mombasa) to assist its clients in achieving their goals in an increasingly competitive economy. Its head office is in Nairobi, and through its strategic partners GVA has a presence in South Africa, the Democratic Republic of the Congo, Nigeria, Ghana, Zimbabwe, Rwanda, Tanzania, Uganda, Ethiopia, Mauritius, the Republic of Chad, Sri Lanka, the UAE and the UK, amongst other countries. The growth of Kenyan cyberspace over the past five years has led to a parallel growth in the country's regulatory framework; against this backdrop GVA has issued advisory opinions on data protection and cybersecurity, and has engaged stakeholders and the relevant regulators in a bid to offer high-quality legal solutions to its clients.

The Constitution of Kenya, 2010

The regulatory framework governing cybersecurity in Kenya has its foundation in the Bill of Rights of the Constitution of Kenya, 2010, which guarantees every person the right not to have the privacy of their communications infringed. These constitutional privacy principles are reiterated in statutes and subsidiary legislation that protect the privacy of citizens’ information.

The Kenya Information and Communications Act, 1998 (KICA) and Regulations

The Act establishes the Communications Authority of Kenya, which is mandated to develop a national cybersecurity management framework. It was in this regard, and in order to reduce the incidence of fraud and cyberthreats in Kenyan cyberspace, that the National Kenya Computer Incident Response Team – Co-ordination Centre (National KE-CIRT/CC) (the “Co-ordination Centre”) was established.

The National KE-CIRT/CC is responsible for the national co-ordination of cybersecurity and serves as Kenya’s national point of contact on cybersecurity matters. It co-ordinates responses to cybersecurity issues at the national level and collaborates with cybersecurity experts and industry actors, both locally and internationally, in detecting, preventing and responding to the various cyberthreats targeted at the country.

The collaborative effort with international cybersecurity service providers enables the National KE-CIRT/CC to mitigate and address cross-jurisdictional cybercrimes in addition to working together with local law enforcement and judicial forums to investigate and prosecute cybercrimes.

From its inception in 2017, the Co-ordination Centre has published advisory opinions on notable breaches of cybersecurity within the Kenyan cyberspace as well as providing daily cybersecurity updates on the Co-ordination Centre’s website, https://ke-cirt.go.ke/.

The Co-ordination Centre, through the Communications Authority, has further published General Information Security Best Practice Guidelines, targeted at small and medium-sized enterprises (SMEs), for the protection of their own information and that of their clients in the course of their operations.

The KICA recognises electronic contracts and electronic signatures as a valid way of contracting and carrying on business in Kenya. In this regard, the Communications Authority is mandated to license electronic certification service providers, which the Authority requires to provide a reasonable level of reliability in their services and to adhere to procedures that ensure the secrecy and privacy of electronic signatures.

Data breach notification to the National KE-CIRT/CC

The Co-ordination Centre provides an incident-reporting procedure for cybercrimes on its website (https://ke-cirt.go.ke/). Through this platform, incidents of breach and cybersecurity vulnerabilities – whether individual or institutional – are brought to the attention of the Co-ordination Centre. Reportable incidents include abusive content, malicious code, information gathering, intrusion attempts and fraud.

Incident response procedure under National KE-CIRT/CC

Issuance of a tracking number

Once the incident or the vulnerability has been reported, the reporting party will be issued with a tracking number for purposes of tracking their complaint with the Co-ordination Center.

Triage process and response

The Co-ordination Centre then puts the complaint through a “triage” process, analysing its nature to determine whether it falls within the Centre’s capacity and ability to resolve. Incidents within the Centre’s capacity are addressed directly; those that exceed it are referred to other government agencies, to private institutions able to resolve the complaint, and to the police where it is established that a criminal offence has been committed. The Co-ordination Centre further works closely with the police, offering technical advice and providing forensic evidence in the prosecution of cybersecurity crimes.

Incident response under KICA

The KICA has also provided the following incident response mechanisms where there has been a breach of the protection of information.

Entry and search of premises

If a court is satisfied that there is reasonable ground for suspecting that an offence has been or is being committed, and that the evidence of the commission of the offence is to be found on any premises specified in the information, it may grant a search warrant, authorising any person or persons authorised on behalf of the Authority, together with any police officer, to enter the premises at any time within one month from the date of the warrant to examine and test any apparatus or obtain any article or item found in such premises.

Seizure of apparatus, article or other property

A search warrant granted above may authorise the person or persons named in it to seize and detain, for the purposes of any relevant proceedings, any apparatus, article or other thing found in the course of the search carried out in pursuance of the warrant which appears to have been used in connection with or to be evidence of the commission of any offence under the Act. If a police officer or any person authorised by a warrant has reasonable grounds to suspect that an offence under the Act has been committed, he or she may seize and detain, for the purposes of any relevant proceedings, any apparatus, article or other thing which appears to have been used in connection with or to be evidence of the commission of any such offence.

Forfeiture of property and disposal

Where a person is convicted of an offence under the Act for contravening any of the provisions relating to a telecommunication system, or for using any apparatus for the purpose of interfering with any telecommunication, the court may, in addition to any other penalty, order all or any of the apparatus with which the offence was committed to be forfeited to the Commission, which may dispose of it in such manner as it thinks fit.

The Data Protection Act, 2019

Data breach notification and incident response requirements

The issue of data breach and incident response is comprehensively addressed in the Data Protection Act, 2019. 

Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject, the data controller (the natural or legal person that determines the purpose and means of processing personal data) must notify the Data Commissioner (the regulator) within 72 hours of becoming aware of the breach, and must also notify the person whose data was accessed (the data subject) in writing within a reasonably practical period, unless the identity of the data subject cannot be established. A data processor that becomes aware of a breach must in turn notify the data controller without delay, and in any event within 48 hours.

The notification to the Data Commissioner and the data subject should provide sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach, including:

  • description of the nature of the data breach;
  • description of the measures that the data controller or data processor intends to take or has taken to address the data breach;
  • recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise;
  • where applicable, the identity of the unauthorised person who may have accessed or acquired the personal data; and
  • the name and contact details of the data protection officer where applicable or other contact point from whom more information could be obtained.

Communication of a breach to the data subject is not required where the data controller or data processor has implemented appropriate security safeguards, which may include encryption of the affected personal data. In practice this safeguard only holds where the encryption keys were not themselves exposed in the same incident, so the incident record should establish that the data remained unintelligible to the unauthorised party.

The data controller must also document each personal data breach, recording:

  • the facts relating to the breach;
  • the effects of the breach; and
  • the remedial actions taken.

Principles of data protection

Every data processor (a natural or legal person who processes personal data on behalf of a data controller) or data controller in Kenya shall ensure that personal data is:

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
  • collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
  • not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

The governing statutes provide for different regulators.

Under the Kenya Information and Communications Act, 1998, the Communications Authority of Kenya is mandated with the licensing of all telecommunication service providers. The Authority is also responsible for developing sound frameworks to minimise the incidence of forged electronic records and fraud in electronic commerce and other electronic transactions.

Under the Computer Misuse and Cybercrimes Act, 2018, there is established the National Computer and Cybercrimes Co-ordination Committee which is the body mandated to deal with security-related aspects of cybercrimes and matters connected thereto.

Under the Data Protection Act, 2019, there is an established office of the Data Protection Commissioner headed by the Data Commissioner. Under this Act, the Data Commissioner is authorised to carry out periodic audits of the processes and systems of the data controllers or data processors to ensure compliance with this Act.

Investigations

Investigation of cybercrimes is governed by the Computer Misuse and Cybercrimes Act, 2018.

Search and seizure of stored computer data

Where a police officer has reasonable grounds to believe that a computer contains data that is reasonably required for the purposes of an investigation or that the data was acquired as a result of the commission of an offence, such a police officer may apply to court for a warrant to search the premises where such computers are stored and seize the data.

Any person who obstructs the police in conducting the search/seizure or who interferes with the integrity of the computer commits an offence and is liable on conviction to a fine not exceeding KES5 million or to a term of imprisonment not exceeding three years or to both.

Production Order

Similarly, when a police officer has reasonable grounds to believe that specified data stored in a computer system is in the possession or control of a person, such a police officer may apply to the court for a Production Order.

The Production Order shall direct the person named therein to submit the computer data that is in their possession. 

Real-time collection of traffic data

Police officers are also allowed to collect or record traffic data in real time, through the application of technical means, where they have reasonable grounds to believe that the data is associated with a person under investigation or relates to the commission of a crime.

The police officer must, however, obtain a Court Order prior to effecting search and seizure or collecting the real-time traffic data.

Interception of content data

Subject to obtaining a Court Order, police officers are also allowed to intercept electronic communications if such communication is required for the purposes of a specific investigation in respect of an offence.

Appeals

A person aggrieved by the decision of the police officer or by the Court Order can appeal such a decision to the High Court or the Court of Appeal within 30 days from the date of the decision or Order.

Penalties

In order to prevent abuse of powers by the police officers while conducting investigations, the Act provides that any police officer who is convicted of abuse of power is liable to a fine not exceeding KES5 million or to imprisonment for a term not exceeding three years, or to both.

Additionally, it is also an offence for any person to obstruct the investigations being conducted by the police and upon conviction such a person is liable to a fine not exceeding KES5 million or to imprisonment for a term not exceeding three years, or to both.

The East African Community, of which Kenya is a member, is yet to come up with a regional cybersecurity law.

It is, however, worth noting that the Computer Misuse and Cybercrimes Act, 2018 provides for a mechanism for its implementation beyond the territory of Kenya. This is mainly through international co-operation where the Kenyan agencies are allowed to enter into reciprocal arrangements for mutual legal assistance in any criminal matter for purposes of:

  • undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data;
  • collecting evidence of an offence in electronic form; or
  • obtaining expeditious preservation and disclosure of traffic data, real-time collection of traffic data associated with specified communications or interception of content data.

At the continental level, there is the African Union Convention on Cybersecurity and Personal Data Protection. The Convention applies to collection, processing, transmission, storage or use of personal data by a natural person, the state, local communities and public or private corporate bodies. However, at the moment Kenya has not yet ratified the Convention.

In 2014, the Kenyan Ministry of Information Communications and Technology published the National Cybersecurity Strategy. One of the key areas that is addressed in the Strategy is fostering information sharing and collaboration. In this regard, the government aims to cultivate a culture of information sharing that facilitates the real-time exchange of cybersecurity information between the government and the private sector.

The government has further entered into public-private partnerships such as the establishment of the Kenya Network Information Centre (KENIC), which endeavours to facilitate the growth and uptake of the ICT subsector in Kenya. The partnership was established following comprehensive consultation with the local internet community. Such collaborations entail the movement of information between private entities and government agencies in a bid to enhance the growth and security of Kenyan cyberspace.

There are a lot of similarities between the Kenyan laws on data protection and cybersecurity and those of other countries. Two principal similarities are: 

  • the recognition that cybersecurity is a shared responsibility and that it will require the input of all stakeholders, including the private sector, to ensure effective and efficient implementation of national and international cybersecurity strategies; and
  • the recognition of the fact that personal data should be handled carefully to ensure that such handling is in tandem with the right to privacy.

The Kenyan laws on cybersecurity and data protection are relatively new and as such we have not experienced any significant changes in these areas of law.

The only recent development in this area is the decision of the High Court in Senate of the Republic of Kenya & 4 others v Speaker of the National Assembly & another; Attorney General & 7 others (Interested Parties) [2020] eKLR, where the court declared several Acts of Parliament to be unconstitutional because they were passed without the input of the Senate. One of the laws declared unconstitutional was the Computer Misuse and Cybercrimes Act, 2018. It is, however, important to note that the court suspended the implementation of its decision to allow Parliament time to regularise the laws. This means that, as at the time of writing, the Computer Misuse and Cybercrimes Act, 2018 is still in force.

Significant Pending Changes

Authentication of electronic signatures

The COVID-19 pandemic has accelerated the shift to digital operations and transactions worldwide. In Kenya, the Business Laws (Amendment) Act, 2020 was enacted to ensure the continued efficiency of transactions; one of its changes was to permit electronic signatures in transactions that had previously been restricted to wet-ink signatures.

However, there exists a gap in the provision of electronic signature authentication services. The Communications Authority has not published any entities that are licensed to provide authentication services. The Authority, in response to the increased use of electronic signatures, published an invitation to foreign digital authentication service providers to apply for recognition by the Authority to enable them to provide such services in Kenya. From our research, we have noted that the Authority has not yet published a list of the licensed and recognised authentication service providers.

Pursuant to the KICA, a digital signature has to be authenticated by a licensed electronic certification services provider (E-CSP) through the issuance of a digital certificate. Since the Authority has not confirmed to the public that it has licensed any E-CSPs to provide authentication services, the electronic signatures currently in use are therefore not valid under the authentication provisions of the KICA.

The licensing and recognition of local and foreign E-CSPs is, therefore, a pending issue that has to be addressed by the Communications Authority. Once resolved, this will ensure that the digital signatures now increasingly being used are authenticated, reducing forgery and fraud in a form of transaction that is growing in popularity.

Investigation and prosecution of cybersecurity crimes

There is a need to build the capacity of Kenya’s Police Force to investigate and prosecute cybercrimes. There have been joint collaborative efforts between the police force and the National KE-CIRT/CC in obtaining forensic evidence to prosecute cybercrimes. The police force, however, needs to be comprehensively trained on the legal framework addressing cybersecurity in Kenya and how best to handle reported issues of criminal offences as forwarded by the National KE-CIRT/CC or any other source.

Maturity of the country’s cybersecurity approach

While the Communications Authority, the National KE-CIRT/CC, the National Computer and Cybercrimes Co-ordination Committee and the Office of the Data Commissioner have helped evolve the country’s cybersecurity posture, it is still relatively immature in the face of the growing complexity and sophistication of cyberthreats. The Ministry of Information, Communications and Technology developed the National Cybersecurity Strategy, which seeks to mature the country’s cybersecurity approach by providing strategic direction, with accompanying implementation actions to secure the nation’s critical cyber-infrastructure against existing and emerging threats.

In Kenya, the main law that deals with data protection is the Data Protection Act, 2019. The Act applies to the processing of personal data by or for a data controller or data processor, whether by automated or non-automated means.

Where personal data is processed by non-automated means, the Act will only be applicable where the data forms whole or part of a filing system by a data controller or data processor who:

  • is established or ordinarily resident in Kenya and processes personal data while in Kenya; or
  • is not established or ordinarily resident in Kenya but processes personal data of data subjects located in Kenya.

National Computer and Cybercrimes Co-ordination Committee

This Committee is established under the Computer Misuse and Cybercrimes Act, 2018 and is responsible for:

  • advising the government on security-related aspects touching on matters relating to blockchain technology, critical infrastructure, mobile money and trust accounts;
  • advising the National Security Council on computer and cybercrimes;
  • co-ordinating national security organs in matters relating to computer and cybercrimes;
  • receiving and acting on reports relating to computer and cybercrimes;
  • developing a framework to facilitate the availability, integrity and confidentiality of critical national information infrastructure, including telecommunications and information systems of Kenya;
  • co-ordinating the collection and analysis of cyberthreats, and the response to cyber-incidents that threaten Kenyan cyberspace;
  • co-operating with computer incident response teams and other relevant bodies, locally and internationally, on response to threats of computer and cybercrime and incidents;
  • establishing codes of cybersecurity practice and standards of performance for implementation by owners of critical national information infrastructure;
  • developing and managing a national public key infrastructure framework; and
  • developing a framework for training on prevention, detection and mitigation of computer and cybercrimes.

The Communication Authority of Kenya

The Kenya Information and Communications Act, 1998, mandates the Communications Authority of Kenya (CA) to develop a national cybersecurity management framework. To this end, the CA has established the National Kenya Computer Incident Response Team – Co-ordination Centre (National KE-CIRT/CC) which is responsible for:

  • implementation of national cybersecurity policies, laws and regulations;
  • cybersecurity awareness and capacity building;
  • early warning and technical advisories on cyberthreats on a 24/7 basis;
  • technical co-ordination and response to cyber-incidents on a 24/7 basis in collaboration with various actors locally and internationally;
  • development and implementation of a National Public Key Infrastructure (NPKI);
  • research and development in cybersecurity; and
  • promoting and facilitating the efficient management of critical internet resources.

As indicated above, Kenya does not have one over-arching cybersecurity agency. Each Act of Parliament touching on cybersecurity has an agency that deals with specific aspects of cybersecurity. Be that as it may, it can be argued that, since the Computer Misuse and Cybercrimes Act, 2018 is the main law that deals with the issues of cybersecurity, then the National Computer and Cybercrimes Co-ordination Committee (which is the agency established therein) is effectively the over-arching cybersecurity agency.

The main Data Protection Authority is the Office of the Data Protection Commissioner established under the Data Protection Act, 2019.

The functions of this Office are to: 

  • establish and maintain a register of data controllers and data processors;
  • exercise oversight on data processing operations;
  • promote self-regulation among data controllers and data processors;
  • conduct an assessment to ascertain whether information is processed according to the provisions of this Act or any other relevant law;
  • receive and investigate any complaint on infringements of data rights;
  • carry out inspections of public and private entities with a view to evaluating the processing of personal data;
  • promote international co-operation in matters relating to data protection and ensure the country's compliance on data protection obligations under international conventions; and
  • undertake research on developments in data processing of personal data.

The main financial regulator in Kenya is the Central Bank of Kenya (CBK) established under the Central Bank of Kenya Act. The CBK is empowered to issue directives and guidelines to be adhered to by payment service providers in order to maintain a sound, secure and efficient national payment system.

In this regard, the CBK issued its Guideline on Cybersecurity for Payment Service Providers (PSPs), 2019. This Guideline sets the minimum standards that PSPs should adopt to develop effective cybersecurity governance and risk-management frameworks.

Other key relevant agencies include the following.

The Kenya Network Information Centre (KENIC) was established through the facilitation of the Communications Authority of Kenya (CAK) in a public-private partnership, and was licensed by the Authority to manage and administer the .ke country code top-level domain (ccTLD) in order to facilitate the growth and uptake of the ICT subsector in Kenya. KENIC maintains a register of domain name holders, which provides a repository that can be used to trace the sources of cybersecurity threats.

The National Kenya Computer Incident Response Team – Co-ordination Centre (National KE-CIRT/CC) – the functions of which have already been discussed in 2.2 Regulators.

The Data Protection Act provides for the acceptable standards while dealing with personal data.

To begin with, personal data may only be processed on a lawful basis. The first such basis is the express consent of the data subject; the Act also recognises processing that is necessary for the performance of a contract, compliance with a legal obligation, the protection of vital interests, a task carried out in the public interest, or the legitimate interests of the data controller or data processor.

Secondly, there is also a clear definition of what constitutes “sensitive data”. Sensitive data now includes property details, marital status and family details, including names of the person’s children, parents, spouse or spouses. The law requires that such data be handled with utmost care.

Thirdly, the Act restricts the processing of personal data relating to children: such data may only be processed with the consent of the child’s parent or guardian, and in a manner that protects and advances the rights and best interests of the child.

Personal data should also be processed in accordance with the right of privacy of the data subject.

The Act also explicitly provides that the data subjects have several rights that must be observed by any person involved in processing of personal data. They include the right to correction of false or misleading data; the right to be informed of the use to which their personal data is to be put; the right to access their personal data which is in the custody of data controllers and data processors among others.

Legal jurisprudence on cybersecurity in Kenya is still in its early stages of development and therefore a standard of “reasonable security” is yet to be established. We can, however, infer “reasonableness” from already established principles of common law in tort as the care or degree of caution that a prudent and rational person would take to guard against probable danger.

Written Information Security Plans or Programmes

While there are no mandatory statutory provisions requiring an institution to have a written information security plan or programme, such plans or programmes can be drafted in accordance with the general data protection principles set out in the Data Protection Act.

These include ensuring that an individual’s privacy rights are protected when processing information, ensuring that information is collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes and that personal information is not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Incident Response Plans

There are no statutory requirements or national standards guiding the formulation of incident response plans. The National Cybersecurity Strategy (the “Strategy”) in its action plan indicates that the Ministry will formulate a national-level cyber-incident response plan. However, this is yet to be formulated.

Appointment of Chief Information Security Officer

The Central Bank of Kenya in its Guidance Note on Cybersecurity has recommended the appointment of a chief information security officer who will oversee the implementation of the institution’s cybersecurity programme and the enforcement of its cybersecurity policy.

The Data Protection Act has also established the office of a Data Commissioner who heads the office of the Data Protection Commissioner. The principal responsibility of the Data Commissioner is to exercise oversight on data processing operations, either of their own volition or at the request of a data subject, and verify whether the processing of data is done in accordance with the Data Protection Act.

Involvement of Board of Directors or the Equivalent

The Data Commissioner has not yet prescribed the threshold required for mandatory registration of data controllers and processors. Once the threshold has been prescribed by the Data Commissioner, directors of a company may be required to be registered as data controllers if they fall within the prescribed threshold. The Companies Act, however, provides for the general duties and responsibilities (fiduciary duties) of directors, which include exercising reasonable care and skill in the operation of a company. This would then include ensuring that the company is not engaged in cybersecurity infringement and that the company’s data is adequately protected.

Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests

The Computer Misuse and Cybercrimes Act provides that the owner or person in control of a critical information infrastructure (a vital virtual asset, facility, system, network or process whose incapacity, destruction or modification would have a debilitating impact on the availability, integrity or delivery of essential services, including services whose integrity, if compromised, could result in significant loss of life or casualties) shall annually submit a compliance report on the critical information infrastructure to the Committee, in line with the critical infrastructure framework, so that compliance can be evaluated.

The director of the National Computer and Cybercrimes Co-ordination Committee may also notify the owner or person in control of a critical information infrastructure in writing to carry out an audit where there is imminent threat of an attack that will amount to a computer and cybercrime.

Multi-factor Authentication, Anti-phishing Measures, Protection Against Business Email Compromise, Ransomware, Threat Intelligence, Insider Threat Programmes

While the KE-CIRT/CC is yet to publish legal requirements and standards on these issues, it has published brief reader-friendly "best practice guidelines" on cat-phishing, email-phishing, drop-box phishing, two-step authentication, ransomware and insider threat programmes.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

The Central Bank of Kenya’s Guidance Note on Cybersecurity encourages banking institutions to undertake due diligence on prospective service providers and select their vendors based on compliance and risk assessments. Banks have further been urged to oversee the evaluation and management of risks introduced by third-party service providers by requiring attestation/assurance reports provided by reputable independent auditors for service providers.

Use of Cloud, Outsourcing, Offshoring and Training

The KE-CIRT/CC has published public best-practice guidelines for cloud computing.

The Central Bank of Kenya’s Guidance Note on Cybersecurity directs banking institutions to take the following measures in respect of the outsourcing of cybersecurity services:

  • have in place adequate governance of outsourcing agreements, including due diligence on prospective service providers, documented outsourcing agreements and adequate monitoring of service delivery;
  • treat all outsourcing agreements as critical infrastructure for purposes of regulation and protection, in the interest of the security of the banking sector and the economy at large; 
  • select vendors based on compliance and risk assessments, ensuring that all computing resources are secured, including registrations, licensing, compliance and verification; 
  • ensure that all outsourcing contracts require service providers to comply with the applicable legal and regulatory frameworks;
  • understand the inherent risk arising from each third party;
  • perform analytics on the institution’s outsourcing portfolio to understand which third parties pose the greatest relative risk to the institution;
  • work collaboratively with third parties to mitigate the risks that pose the greatest threat to the institution;
  • monitor contracted third parties for changes in their business and cyber-risk posture, including expansions, divestitures, breaches and new attacks that may alter the third party's exposure;
  • ensure that service level agreements contain robust provisions on security, service availability, performance metrics and penalties;
  • develop exit management strategies and contingency plans.

Training

The CBK guidance note sets out that:

  • institutions should implement IT security awareness training programmes to provide information on good IT security practices, common threat types and the institution’s policies and procedures;
  • the training should be provided to all employees including senior management and the board;
  • a formalised plan should be put in place to provide ongoing technical training to cybersecurity specialists within the institution;
  • cybersecurity awareness and information should be provided to the institution’s customers, clients, suppliers, partners, outsourced service providers and other third parties who have links to the bank’s IT infrastructure.

The Computer Misuse and Cybercrimes Act, 2018 provides for international co-operation between Kenyan cybercrime agencies and foreign agencies. The co-operation takes the form of mutual legal assistance in criminal matters for the purposes of:

  • undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data;       
  • collecting evidence of an offence in electronic form; and         
  • obtaining expeditious preservation and disclosure of traffic data, real-time collection of traffic data associated with specified communications or interception of content data.

Data Breach Notification and Incident Response Requirements

As indicated in 1.1 Laws, the issue of data breach and incident reporting is comprehensively dealt with in the Data Protection Act, 2019. 

Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject, a data controller must (i) notify the Data Commissioner within 72 hours of becoming aware of the breach, and (ii) notify the person whose data has been accessed (the data subject) in writing within a reasonably practicable period, unless the identity of that person cannot be established.

The notification to the Data Commissioner and to the data subject should provide sufficient information to allow the data subject to take protective measures against the potential consequences of the breach.

Following a notification of a personal data breach, the data controller must keep a record of the following information relating to the personal data:

  • the facts relating to the breach;
  • the effects of the breach; and
  • the remedial actions taken.

See 4.1 Personal Data.

Under Kenyan law, critical infrastructure includes the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Kenyans and the effective functioning of government.

Once a system has been designated as a critical infrastructure, the National Computer and Cybercrimes Co-ordination Committee is required to conduct an assessment of the threats, vulnerabilities, risks, and probability of a cyber-attack on such critical infrastructure sectors and determine the harm to the economy that would result from damage or unauthorised access to the critical infrastructure.

Additionally, in the event of an attack on or breach of a critical infrastructure, the operator of that infrastructure is required to notify the Committee immediately of the breach and of the remedial measures the operator intends to take. Upon receipt of such a notification, the Committee shall provide technical assistance to the operator to mitigate the threat.

See 4.1 Personal Data.

See 4.1 Personal Data.

The Data Protection Act does not define what constitutes a data breach in general. It does, however, define "personal data breach" as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The Data Protection Act exclusively deals with personal data. The Act further defines "personal data" to mean any information relating to an identified or identifiable natural person.

Data breach reporting and notification covers the following systems:

  • systems used for storage of personal data;
  • systems used in processing of personal data; and
  • systems used in transmission of personal data.

The Kenya Pharmacy and Poisons Board (PPB) is the body mandated with the regulation of medical devices. Generally, medical devices are required to meet certain safety and performance thresholds depending on the intended use of the concerned device.

The obligation to ensure that medical devices are secure and safe chiefly lies with the manufacturer of such devices. Medical devices should be designed and manufactured in such a way that, when used for the intended purpose, by a person who has the required technical knowledge, experience, or training, they will not compromise the clinical condition or the safety of patients.

There are currently no specific regulatory cybersecurity requirements for industrial control systems in Kenya; however, the general data protection regulations and individual data privacy rights apply to the operation of industrial control systems where personal data is involved.

There are currently no specific regulatory cybersecurity requirements for IoT devices in Kenya; however, the general data protection regulations and individual data privacy rights apply to personal data collected, moved and processed by IoT devices.

Notification and communication of a breach is triggered where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject whose personal data was subjected to the unauthorised access.

As indicated above, a data controller is required to report a breach or unauthorised access of personal data only where there is a “real risk of harm”. It follows that the data controller must first satisfy itself that the risk of harm to the data subject is real and not merely illusory. Unfortunately, the Act does not define what amounts to a “real risk of harm”. This gives the data controller very wide discretion in determining whether the risk of harm warrants a notification. 

There are several cybersecurity defensive measures permitted in Kenya. These include the following.

Use of Strong Passwords and Changing Default Passwords

Strong passwords, meaning passwords that are sufficiently long and combine different character types, reduce the risk of credential-guessing and targeted attacks. Different passwords should be used for different accounts, and the default passwords shipped with devices and software should be changed before they are put into use. 

Use of Secure Remote Access Methods Such as a Virtual Private Network (VPN)

This is a very important defensive measure for organisations that allow employees to work remotely. It reduces the chances of unauthorised access into the organisation’s systems and data.

Cybersecurity Training

This is one of the most important defensive mechanisms that can be implemented by any organisation. Proper training of staff in aspects of cybersecurity reduces their vulnerability to cyber-attacks.

Development and Enforcement of Cybersecurity Policies

Organisations should develop and enforce comprehensive cybersecurity policies. Such policies should cover the following elements:

  • there should be a restriction of use of personal devices to perform office or work-related tasks – equally, work computers and devices should not be used to access personal accounts;
  • the policies should provide incident-reporting procedures in the event of unauthorised access;
  • the policies should provide for a remedial procedure to be undertaken in case of unauthorised access. 

Cybersecurity and data protection are two sides of the same coin. A violation of data protection law will often also amount to a violation of cybersecurity law, and vice versa.

The law places a responsibility on data controllers and processors to ensure that the personal data in their possession is kept secure. If someone gains unauthorised access to that personal data, the privacy and data protection rights of the data subject are violated.

Data that has been illegally accessed can also be used to access the data subject's personal accounts (if the data included passwords or access codes) or in the commission of an offence in cyberspace.

Due to this interplay between data protection and cybersecurity, it is important for there to be proper co-ordination between the agencies dealing with data protection and those dealing with cybersecurity.

The Computer Misuse and Cybercrimes Act provides an avenue for information sharing with respect to critical information infrastructure. In this regard, a private entity may enter into an information-sharing agreement with a public entity for:

  • the purpose of ensuring cybersecurity;
  • investigation and prosecution of crimes related to cybersecurity;
  • protection of life or property of an individual; and
  • protection of the national security of the country.

See 7.1 Required or Authorised Sharing of Cybersecurity Information.

It is important to note that Kenya did not have a legal framework dealing specifically with the protection of personal data until the Data Protection Act came into force in November 2019. Most of the cases decided before then therefore treated data protection as a component of the constitutional right to privacy.

For instance, in Okiya Omtatah Okoiti v Communication Authority of Kenya & 8 others [2018] eKLR and Kenya Human Rights Commission v Communications Authority of Kenya & 4 others [2018] eKLR, the petitioners challenged the introduction of a device management system (DMS) into the networks of the telecommunications service providers (the interested parties and respondents), a system that would have been capable of accessing customers’ information without lawful authority.

The court held that the plan to integrate the DMS with the providers’ networks, so as to create connectivity between the DMS and the providers’ systems and give access to the IMEI, IMSI, MSISDN and call detail records (CDRs) of their subscribers, was a threat to the subscribers’ privacy and hence a breach of their constitutionally guaranteed right to privacy, and was therefore unconstitutional.

The second case is the case of Nubian Rights Forum & 2 others v Attorney-General & 6 others; Child Welfare Society & 8 others (Interested Parties); Centre for Intellectual Property & Information Technology (Proposed Amicus Curiae) [2019] eKLR, where the petitioners challenged the constitutionality of the national integrated information management system (NIIMS) that was intended to be a single repository of personal information of all Kenyans, as well as foreigners resident in Kenya. The petitioners averred that NIIMS violated the right to privacy considering the nature of personal information that would be collected in the NIIMS and the lack of any security in the manner of storage of and access to the collected data.

In its decision, the court was alive to the reality that, at the time, there was no specific legislation that provided for the collection, storage, protection and use of data collected by or held by government or other entities. It went on to state that it was in the public interest to have an efficient and organised system of registration of persons and storage of personal data so collected.

What is common in the above cases is that protection of personal data is heavily guarded by the law and any contravention of data protection rights ought to be remedied. Therefore, with the enactment of the Data Protection Act, 2019, we are of the view that there will be a significant development of jurisprudence in this area of law.

Given that Kenya's cybersecurity laws are still relatively new, there are no reported decisions of the High Court, Court of Appeal or Supreme Court on cybersecurity violations or data security breaches. 

However, given the growth of e-commerce and technological advancement in the country, we anticipate that reported decisions on lawsuits arising from cybersecurity violations and data security breaches are bound to follow.

The Computer Misuse and Cybercrimes Act provides a number of legal standards applicable to the investigation and prosecution of cybercrimes.

First, the Act provides for several criminal offences such as:

  • unauthorised disclosure of access codes or passwords;
  • child pornography;
  • cyberbullying and stalking;
  • unauthorised interference, access or interception;
  • cyber-espionage, among others.

Secondly, the Act provides for comprehensive investigative procedures that are necessary for prosecution. These include criteria for search and seizure of computer equipment and data, production orders, real-time collection of traffic data, interception of content data and international co-operation. (See 1.3 Administration and Enforcement Process and 3.4 Key Multinational Relationships for comprehensive details.) 

The Act further provides safeguards against abuse of these investigative powers: searches and seizures, production orders, interception of content data and real-time collection of traffic data can only be effected under an order of the court.

Finally, the Act also guarantees the right of appeal from the decisions of the investigators or the court that gave the order pursuant to which the investigation was conducted.

See 8.1 Regulatory Enforcement or Litigation.

Class action suits are permitted in Kenya, but they are referred to as "representative suits".

Order 1 rule 8 of the Civil Procedure Rules 2010 provides that a person can institute or defend a suit on behalf of others if they have the same interest. Therefore, the test for representative suits is that the person instituting or defending the suit must demonstrate to the satisfaction of the court that they have the same interest as the persons on whose behalf they are instituting or defending the suit.

The following issues are critical when conducting due diligence:

  • compliance and risk assessments;
  • evaluation and management of risk;
  • attestation and assurance reports; and
  • engaging an independent advisor on cybersecurity risks.

The CBK, through its guidance note on cybersecurity, requires banking institutions to maintain and file cybersecurity reports on a quarterly basis.

Challenges Ahead

The Computer Misuse and Cybercrimes Act has a few deficiencies which need to be addressed going forward. For instance:

  • there is no clear distinction between civil and criminal cyber-offences;
  • there are certain crimes, such as cyberbullying, that are difficult to prove since the Act does not provide clear standards of determining whether such an offence has been committed;
  • the Act does not address the issue of capacity building of the investigative agencies to equip them with the necessary competencies to deal with the nature and extent of ever-evolving cybercrimes.
Gikera & Vadgama Advocates (GVA)

56 Muthithi Road
Behind TRV Office Plaza
Westlands
PO Box 720-00621
Nairobi
Kenya

+254 203740262/3

info@gvalawfirm.com https://gvalawfirm.com/

Trends and Developments

Introduction

According to the Quarterly Statistics Report (July–September 2020) published by the Communications Authority of Kenya (CA), Kenya experienced a 152.9% increase in cyberthreats between July and September 2020. This was mainly attributed to the growth of e-commerce, cashless payments through mobile money platforms and the shift towards remote working, among other factors.

In addition to this, the report indicates that there has been significant increase in cases of online child abuse, cyberbullying, internet trolling and internet fraud. Against this backdrop, cybersecurity has become a key priority area in the wake of the spread of COVID-19 and the resultant economic and social changes that have been brought about.

This article explores the current trends in the regulatory framework governing cybersecurity in Kenya.

The Legal Framework

Before 30 May 2018, Kenya did not have an overarching law comprehensively addressing different aspects of cybersecurity. The Kenya Information and Communications Act (KICA) was the only statute that had limited provisions on cybersecurity, together with prescribed penalties.

In order to develop a national cybersecurity management framework and to ensure the safety of Kenyan cyberspace, the Communication Authority of Kenya (CA), which is the regulatory body established under the KICA, established the National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC), a multi-agency association framework responsible for the national harmonisation of cybersecurity reporting and incident responses.

Despite the provisions of the KICA and the establishment of the National KE-CIRT/CC, cybersecurity remained an emotive issue in Kenya that required a comprehensive policy and legal framework; it is for this reason that the Computer Misuse and Cybercrimes Act 2018 was enacted.

Computer Misuse and Cybercrimes Act 2018

This Act of Parliament came into force on 30 May 2018. The Act aims to protect the confidentiality, integrity and availability of computer systems, programs and data, and to facilitate the prevention, detection, investigation, prosecution and punishment of cybercrimes.

However, since its enactment there has been significant litigation over the constitutionality of some of its provisions, the latest being the decision of the High Court in Senate of the Republic of Kenya & 4 others v Speaker of the National Assembly & another; Attorney General & 7 others (Interested Parties) [2020] eKLR, where the Court declared several Acts of Parliament unconstitutional because they were passed without the input of the Senate. One of the laws declared unconstitutional was the Computer Misuse and Cybercrimes Act, 2018. It is, however, important to note that the Court suspended the effect of its decision to allow Parliament time to regularise the procedure by which the laws were passed. This means that, as at the date of publication of this article, the Computer Misuse and Cybercrimes Act, 2018 remains in force.

The following are some of the key provisions of the Act:

  • various offences have been established such as the unauthorised disclosure of access codes or passwords, child pornography, cyberbullying and stalking, unauthorised interference, access, or interception, cyber-espionage, false publication of data and fraudulent use of electronic data;
  • comprehensive investigative procedures that are necessary for prosecution of offences committed in cyberspace have been set out – these include criteria for search and seizure of computer equipment and data, production orders, real-time collection of traffic data, interception of content data and international co-operation;
  • safeguards against abuse of the investigative powers, in that searches and seizures, production orders, interception of data and real-time collection of traffic data can only be effected under an order of the Court;
  • the right of appeal from the decisions of the investigators or the court that gave the order pursuant to which the investigation was conducted.

The Act also provides for an avenue of international co-operation between Kenyan and foreign agencies. In this regard, the Communications Authority may make a request: for mutual legal assistance in any criminal matter to a requested state for purposes of undertaking investigations or proceedings concerning offences related to computer systems, electronic communications or data; for collecting evidence of an offence in electronic form; or for obtaining expeditious preservation and disclosure of traffic data, real-time collection of traffic data associated with specified communications or interception of content data.

Business Laws (Amendment) Act 2020

This recently enacted Act came into force to improve the ease of doing business in Kenya. The following are some of the changes it brought that bear on cybersecurity regulation:

  • the Law of Contract Act has been amended to provide for the use of advanced electronic signatures – contracts that previously required wet-ink signatures to be valid can now be signed by way of an advanced electronic signature;
  • the register kept under the Registration of Documents Act (the RDA) may now be kept in electronic form;
  • the Survey Act has been amended to enable the use of electronic signatures and advanced electronic signatures;
  • the Kenya Information and Communications Act (KICA) has been amended to permit the use of electronic signatures in executing title documents.

In response, the Communications Authority invited electronic certification service providers to apply for licensing and recognition by the Authority to provide electronic signature authentication services to electronic signature users.

Civil Procedure Amendment Rules 2020

The notable change relevant to cybersecurity regulation is that service of court summons can now be effected by email and/or mobile messaging applications. The Amendment Rules seek to reform civil procedure in the Magistrates' Courts and the High Court and align it with technological advancement by providing alternative modes of service of court summons, including by email and mobile-enabled messaging applications.

Data Protection Act 2019

The Act introduces comprehensive rules protecting the personal information of individuals. It establishes the Office of the Data Protection Commissioner and makes provision for the regulation of the processing of personal data. The Act further provides for the rights of data subjects and the responsibilities of data controllers and processors, who are required to be registered by the Data Protection Commissioner. The Act sets out an investigation procedure to be undertaken by the Commissioner, including powers of entry and search and the issuing of administrative fines. A person contravening the provisions of the Act is liable to an administrative fine of up to KES5 million.

A data controller is required to notify the Commissioner without delay, and within 72 hours of becoming aware of a personal data breach, where there is a real risk of harm to the data subject. Nonetheless, a gap exists in the Act when it comes to enforcement against multinational companies. This will potentially be addressed by subsequent amendments to the Act or by jurisprudence from the Kenyan courts.

Central Bank of Kenya (CBK) guidelines

In order to reduce cyberthreats within the banking sector in Kenya, the CBK, pursuant to the National Payment Systems Act, 2011, implemented guidelines for payment service providers (PSPs). The guidelines promote the stability of the Kenyan payment system sub-sector and require PSPs to maintain a cybersecurity programme meeting specified minimum standards designed to mitigate cyber-risk. These guidelines set the minimum standards that the board of directors and senior management of PSPs are expected to adopt, develop and implement to ensure compliance.

The guideline states that each PSP must maintain a clearly defined written policy that addresses key cybersecurity issues and the protection of its data and confidential information stored on those data systems.

Conclusion

With the recent high uptake of fibre connectivity in Kenya, internet access has become a perceived “need” rather than a “want”. Further, with the COVID-19 pandemic and the resultant socio-economic changes that have been brought about, cybersecurity has become a key priority area in the country’s legislative framework.
