Analysis of how Tanzania's Cybercrimes Act No. 14 of 2015 safeguards business digital assets.
Cyber security in business cannot be downplayed, as the advancement of Information and Communications Technologies ("ICT") has given cyber attackers and criminals no option but to stay alert, adopting and outsmarting novel technology in order to commit crimes. Fueled by the rapid evolution of ICT, cyber attacks like watering hole attacks, phishing e-mails, psychological manipulation, hacking, malware attacks and identity theft have prompted businesses not only to remain vigilant but also to acquaint themselves with cyber security, attacks and threats.
The digital world has not only called for businesses to brace themselves for cyber attacks but has also compelled governments around the world to enact stringent laws and regulations aimed at deterring and punishing perpetrators of cybercrime.
In Tanzania, the government has put in place laws and regulations designed to protect businesses from the diverse effects of cybercrime and all forms of online threats. The Cybercrimes Act, No. 14 of 2015 (the "Act") is the principal law that provides for criminalization of offences related to computer systems and ICT, investigation of cybercrimes, as well as collection and use of electronic evidence whilst dealing with such crimes. Other laws that relate to protection against cybercrime include, to mention a few:
(a) the Constitution of the United Republic of Tanzania of 1977 (as amended);
(b) the Electronic and Postal Communications Act CAP 306 of 2010;
(c) the Electronic and Postal Communications (Online Content) Regulations of 2020;
(d) the Electronic and Postal Communications (Online Content) (Amendment) Regulations of 2022;
(e) the Data Personal Protection Act No. 11 of 2022;
(f) the Electronic Transactions Act No. 13 of 2015;
(g) the Access to Information Act No. 6 of 2016; and
(h) the Penal Code CAP 16 R.E. 2022.
The aforesaid laws and regulations criminalize offences related to computer systems and ICT, and encourage businesses to protect their clientele's data. The analysis of the Act is provided herein in conjunction with its role in protecting businesses against cyber attacks.
Analysis of the Cybercrimes Act, No. 14 of 2015
The Act in one way or another guides businesses on how to address cyber threats and protect business operations, data and customers from cyber attacks, threats and data breaches. The Act makes provision for, amongst others, the following:
- Imposes penalties (fines and/or imprisonment) for illegal access or causing a computer system to be unlawfully accessed.
- Prohibits continued use of a computer system after expiry of the time one is allowed to access the system; illegal interception; damaging, deletion and alteration of computer data, as well as rendering the same meaningless, useless or ineffective; obstruction, interruption or interference with the lawful use of computer data; and denial of access to computer data to any person who is authorized to have access thereto.
- Criminalizes the possession of a device or computer program that is designed to commit an offence and prohibits the possession of a computer password, access code or data where the intention is to use the same to commit a crime.
- Protects intellectual property through imposition of a fine or imprisonment in case of violation.
- Imposes a duty on businesses to take appropriate measures to protect their clientele's personal information, networks, systems and data through guidelines or procedures that may be issued by the Minister for ICT.
- Prohibits computer related forgery which includes intentional and unlawful input, alteration, delayed transmission, or deletion of computer data with the intention of making the same appear authentic. The Act further prohibits any input, alteration, deletion, delay of transmission or suppression of computer data or any interference with the functioning of the computer system if the intention is fraudulent or dishonest.
- Imposes penalties for impersonation using a computer system and for publication of any information or data in any form which is false, deceptive, misleading or inaccurate with intent to defame, threaten, abuse, insult, deceive or mislead the public or conceal commission of an offence.
- Exempts a service provider from liability stemming from disclosure of data lawfully made available by a third party to another if the third party acted without knowledge of the service provider or if the service provider exercised due care and skill to prevent the disclosure of such data.
- Exempts access providers from liability for providing access and transmitting or operating a computer system in respect of third-party material, provided that they neither initiate the transmission, select the receiver of the transmission nor select or modify the information contained in the transmission.
- Protects hosting providers from liability for information stored at the request of the user of the service if the hosting provider immediately removes or disables access to the information after receiving an order from any competent authority or court.
- Exempts hyperlink providers from liability for the information linked if they immediately remove or disable the hyperlink on receipt of an order to do so from the relevant authority and upon becoming aware of the illegal information through means other than from the public authority.
- Exempts search engine providers from liability for results whose transmission they do not initiate. Additionally, where search engine providers neither select the receiver of the transmission nor select or modify the information contained in the transmission, they are exempted from liability for the search results thereof.
As technology evolves, so do cyber attacks and threats, which have oftentimes rendered cyber laws outdated; hence one can assert that cyber laws alone cannot protect businesses from cyber attacks and threats. This therefore calls upon businesses not only to implement security measures but also to exercise vigilance, conduct numerous security audits and ensure a high investment in cyber security, coupled with conducting periodic staff training and keeping abreast of new laws, advancements in technology and the latest threats.