, . ,i:], ,- ,rlA,

SPECIAL ISSUE .,,

,.,,.i,,O,^.,rtjr,._.,

.,:.,. -( h ,,"tt r t , ,"'t,'.'. ^,_

4:*i ,

Kenya Gazette Supplement No. 110 (Senate Bills No. 12) ! -r

REPUBLIC OF KEI{YA

KENYA GAZETTE SUPPLEMENT

SENATE BILLS, 2016

NNROBI,5th July,2016

CONTENT

Bill for Inffoduction into the Senate-PAGE

The Cyber Security and Protection Bill, 2016 ............... 133

PRINIED AND PI,'BLISHED BY TI{EGOVERNMENT PRINTER,

I

I

I

t33

CYBER SECURITY AND PROTECTION BILL,2O76

ARRANGEMENT OF CLAUSES

Clause

PART I - PRELIMINARY

l. Short title.

2. Interpretation.

PART II - CYBER SECURITY AND PROTECTION

3. National Cyber Threat Response Unit.

4. Functions of the Unit.

5. Cooperation.

6. Critical infrastructure.

7. Duties of owners or operators.

8. Information sharing agreements.

9. Review of information.

10. Protection of certain infonnation.

PART III - OFFENCES AND PENALTIES

11. Unlawful access to a computer system"

I 2. System interference.

1 3. Unlawful interceptions.

14. Interception of electronic messages or moneytransfers.

15. Wilful misdirection of electronic messages.

16. Forgery.

17. Fraud.

18. Unauthoized modification of data.

19. Cyber terrorism.

20. Issuance of false e-instructions.

21. Reporting of cyber threat.

22. Phishing

134 The Cyber Security and Protection Bill,2016

23. Identity theft and impersonation.

24. Electronic distribution of pornography.

25. Cyber-bullying.

26. Child exploitation

27. Wrongful distribution of intimate images.

28. Cyber squatting.

29.lmportation and fabrication of e-tools.

30. Employee responsibility.

3 l. Employee responsibility.

PART IV - MISCELLANEOUS PROVISIONS

32. Report.

33. Regulations.

34. Report.

35. Amendment to Cap. 411A.

36. Repeals.

The Cyber Security and Protection Bill,2016 135

CYBER SECURTTY AND PROTECTION BILL,20L6

A BilI for

AN ACT of Parliament to provide for the enhancementof security in cyberspace; to provide for theprohibition, prevention, detection, response,investigation and prosecution of cybercrimesl toestablish the national cyber security response unitland for connected purposes.

ENACTED by the Parliament of Kenya, as follows-

PART I - PRELIMINARY

1. This Act may be cited as the Cyber Security andProtection Act,20l6.

2.In this Act-

"Cabinet Secretary" means the Cabinet Secretaryresponsible for matters relating to security;

"child" means an individual who has not attained theage ofeighteen years;

"computer" means any electronic, magnetic, optical orother high-speed data processing device or system whichperforms logical, arithmetic and memory functions bymanipulations of electronic, magnetic or optical impulses,and includes all input, output, processing, storage, softwareand communication facilities which are connected orrelated as a system or network;

"critical infrastructure" means vital virtual systemsand assets whose incapacity or destruction would have adebilitating impact on the security, economy, public healthand safety of the country;

"cybersecurity threat" means an unauthorized effortto adversely impact the security, availability,confidentiality, or integrity of an information system orinformation that is stored on, processed by, or transiting aninformation system;

"Directo/'means a person appointed under section 3;

"intimate image" means any photograph, motionpicture film, videotape, digital image, or any otherrecording or transmission of another person who isidentifiable from the image itself or from information

Short title.

lnterpretation.

136 The Cyber Securitv and Protection Bill,2016

displayed with or otherwise connected to the inrage, andthat was taken in a private setting, is not a matter of publicconcern, and depicts sexual activity, including sexualintercourse or a person's intimate bcldy parts, whether nudeor visible through less than opaque clothing, including thegenitals; and

"LJnit" means the National Cyber fhreat ResponseUnit established under section 3.

PART II - CYBER SECURITY AND PROTECTION

3. (l) There is established the National Cyber ThreatResponse Unit.

(2) The unit shall be a department within the Ministryresponsible for matters relating to information andtechnology and shall comprise-

(a) a Director appointed by the cabinet secretary;

(b) a representative of the National IntelligenceService designated by the Director-General of'theService;

(c) a representative of the ComrnunicationsAuthority of Kenya designated by the chairpersonof the Board of the Authority;

(d) a representative of the Office of the Director ofPublic Prosecutions designated by the Director ofPublic Prosecutions; and

(e) such other officers as the cabinet secretary mayappoint to the unit.

(3) A person is qualified for appointment undersubsection (2) (a) if that person-

(a) holds at least a degree in information,communication and technology security or a

related field from a university recognized inKenya;

(b) has at least ten-year's experience in the detection,investigation or prosecution of crimes related tocyber security; and

(c) meet the requirements of Chapter six of theConstitution.

NationalComputer ThrealResptxss Ltrtit.

The Cyber Seuri4, and Protection Bill,20l6 r37

4.'Ihe fuirctions of the Unit shall be to-(a) receive reports of intemrptions, disruptions or

interference with computer systems or networks;

(b) investigate the intemrption, disruption or anyother unlawful interference with a computersystem or network;

(c) advise on measures to prevent and combatcomputer related offences, cybercrimes, threats tonational cyberspace and other cyber securityrelated matters;

(d) establish and maintain a national computerforensic laboratory and coordinate utilization ofthe facility by all law enforcement, security andintelligence agencies;

(e) coordinate the country's involvement ininternational cyber security cooperation to ensurethe integration of the country's into the globalframeworks on cyber security;

establish a program to award grants to institutionsof higher learning that establish cyber securityresearch centers;

coordinate the sharing of information related tocybersecurity risks and incidents between thepublic and private sector;

conduct analysis of cybersecurity risks andincidents;

provide timely technical assistance, riskmanagement support, and incident responsemeasures to public and private entities withrespect to cybersecurity risks and incidents;

develop procedures for the sharing of-

(D cyber threat indicators with public andprivate entities; and

(ii) cyber security best practices that aredeveloped based on ongoing analysis ofcyber threat indicators and informationincluding the challenges faced by small

Functions of theunit.

(f)

(e)

(h)

(i)

0)

businesses in accessibility and

r38 The Cyber Security and Protection Bill,2016

implementation of measures to combatcyber crimes.

5. The Director shall ensure that the Unit cooperatesand liaises with other government entities involved incybersecurity matters including the ministry responsible formatters relating to hformation, communication andtechnology.

6. (1) The Cabinet Secretary shall, by notice in theGazette, designate certain systems as critical infrastructure.

(2) The Cabinet Secretary shall designate a system as

a critical infrastructure if a disruption of the system wouldresult in-

(a) the intemrption of a life sustaining serviceincluding the supply of water, health services andenergy;

(b) an adverse effect on the economy of the country;

(c) an event that would result in massive casualtiesor fatal.ities;

(d) failure or substantial disruption of the country'smoney market; and

(e) adverse and severe effect of the country'ssecurity including intelligence and militaryservices.

(3) The Cabinet Secretary shall, within seven days ofdesignating a system as critical infrastructure, inform theowner or operator of the system designated as criticalinfrastructure of the reasons why the system has beendesignated as critical infrastructure.

7. The Cabinet Secretary shall, in consultation withentities that own or operate critical infrastructure-

(a) conduct an assessment of the cybersecuritythreats, vulnerabilities, risks, and probability of acyberattack across all critical infrastructuresectors;

(b) determine the harm to the economy that wouldresult from damage or unauthorized access tocritical infrastructure ;

(c) measure the overall preparedness of each sectoragainst damage or unauthorized access to critical

Cooperation.

Criticalirfrastructure.

Duties of theCabinet Secretary

The Cyber Securiry and Protection Bill,2016 139

infrastructure, including the effectiveness ofmarket forces at driving security innovation andsecure practices;

(d) identiff any other risk-based security factorsappropriate and necessary to protect public healthand safety, critical infrastructure, or national andeconomic security; and

(e) recommend to the ownefti of systems designatedas critical infrastructure, methods of securingtheir systems against cyber threats.

8. (l) The owner or operator of a system designated as

critical infrastructure shall report to the Cabinet Secretaryany incidents likely to constitute a cyber threat and theaction the owner or operator intends to take to prevent thethreat.

(2) Upon receipt of a report under subsection (l) theCabinet Secretary shall provide the necessary assistance,including financial and technical assistance, to the owner oroperator of a critical infrastructure.

(3) Notwithstanding the provisions of subsection (2)the Cabinet Secretary may institute an investigation of acyber threat and may take necessary steps to secure anycritical infr astructure.

(a) The Cabinet Secretary shall submit to Parliament areport of the cyber threats reported by the owners oroperators of critical infrastructure and the action taken todeal with the threat.

9. (l) Private entities may enter into informationsharing agreements with public entities or with each other.

(2) An agreement under subsection (1) shall only beentered into for the following purposes-

(a) to ensure cybersecurity;

(b) for the investigation and prosecution of crimesrelated to cybersecurity;

(c) for the protection of life or property of anindividual; and

(d) to protect the national security of the country.

10. Prior to the sharing of information under section9, apafi to an agreement shall review the information andascertain whether the information contains personal details

Duties of ownersor operators.

lnformationsharingagreements.

Review ofinformation.

140 The Cyber Security and Protection Bill,20l6

that may identifii a specific person not directly related to acyber security threat, and if so, remove such information.

11. A person shall not, pursuant to an informationsharing agreement under this Part, share informationrelating to the health status of another person without theprior written consent of the person to whom theinformation relates.

PART IV - OFFENCES AND PENALTIES

12. (l) A person who, without authorizationintentionally accesses in whole or in part, a computersystem or network, commits an offence and is liable onconviction to a term of imprisonment not exceeding fiveyears or to a fine not exceeding one hundred thousandshillings or both.

(2) A person who knowingly and intentionally trafficsin any password or similar information through which acomputer may be accessed without lawful authority,commits an offence and is liable on conviction to a finenot exceeding one hundred thousand shillings or to a termof imprisonment not exceeding three years or both.

(3) A person who, with the intent to commit anoffence under this section, uses any device to avoiddetection or otherwise prevent identification or attributionwith the act or omission, commits an offence and is liableon conviction to a fine not exceeding two hundred thousandshillings or to a term of imprisonment not exceeding threeyears or both.

13. A person who without lawful authority,intentionally causes the hindering of the functioning of a

computer system by inputting, transmitting, damaging,deleting, deteriorating, altering or suppressing computerdata or any other form of interference with the computersystem, which prevents the computer system or any part ofthe computer from frrnctioning in accordance with itsintended pu{pose, commits an offence and is liable onconviction to imprisonment for a term not exceeding threeyears or to a fine not exceeding two hundred thousandshillings or both.

14. (1) A person, who intentionally and withoutauthorization, intercepts by technical means, non-public

transmissions of computer data, content, or trafftc data,

Protection ofcertaininformation.

Unlawful accessto a computersystem.

Systeminterference.

Unlawtulinterceptions.

The Cyber Security and Protecfion Bill,2016 _ t4t

including electromagnetic emissions or signals from acomputer, computer system or network carrying or emittingsignals, to or from a computer, computer system orconnected system or network, commits an offence and isliable on conviction to imprisonment for a term of not morethan five years or to a fine of not more than one hundredthousand shillings or both.

(2) A person who induces any person in charge ofelectronic devices to deliver any electronic messages notspecifically meant for him commits an offence and

is liable on conviction to imprisonment for a term notexceeding two years or to a fine not exceeding onehundred thousand shillings or both.

(3) A person who intentionally hides or detainsany electronic mail, message, electronic payment, creditand debit card which was found by the person ordelivered to the person in error and which ought tobe delivered to another person, commits an offence andis liable on conviction to imprisonment for one year ora fine not exceeding one hundred thousand shillings or

both.

15. A person who unlawfully destroys oraborts any electronic mail or processes through whichmoney or information is being conveyed commits

an offence and is liable on conviction to a term ofimprisonment not exceeding seven years or to a finenot exceeding two hundred thousand shillings or both.

16. A person who wilfully misdirects electronicmessages commits an offence and is liable on conviction beliable for a term of imprisonment not exceeding two yearsor to a fine not exceeding one hundred thousand shillings orboth.

Interception ofelectronrcmessages ormoney transf'ers.

Wilfulmisdirection ofelectronrcmessages.

17. A person who inputs, alters, deletes or Forgery

suppresses any data in a computer or computer networkresulting in inauthentic data with the intention thatsuch inauthentic data will be considered or acted

upon as if it were authentic or genuine, commits anoffence and is liable on conviction to imprisonmentfor a term of not less than three years or to a finenot exceeding three hundred thousand shillings or both.

18. (1) A person who knowingly and without Fraud'

authority causes any loss of property to another by

t42 The Cyber Security and Protection Bill,2016

altering, erasing, inputting or suppressing any datastored in a computer, commits an offence and isliable on conviction to imprisonment for a term notexceeding five years or to a fine not exceeding fivehundred thousand shillings or both.

(2) A person who sends an electronic message whichmaterially misrepresents any fact upon whichreliance another person is caused to suffer any damageor loss, commits an offence and is liable onconviction to imprisonment for a term of not less thanfive years or to a fine not exceeding two hundred

thousand shillings or both.

(3) A person who with intent to defraud, frankselectronic messages, instructions, super scribes anyelectronic message or instruction, commits anoffence and is liable on conviction to imprisonment fora term of not exceeding five years or to a fine notexceeding two hundred thousand shillings or both.

(4) A person who manipulates a computer or otherelectronic payment device with the intent to short payor overpay commits an offence and is liable onconviction to imprisonment for a term of notexceeding seven years or to a fine not exceeding two

hundred thousand shillings.

(5) A person convicted under subsection (3) shallforfeit the proprietary interest in the stolen money orproperty to the bank, financial institution or thecustomer.

19. A person who with intent and withoutlawful authority directly or indirectly modifies orcauses modification of any data held in any computersystem or network, commits an offence and is liableon conviction to imprisonment for a term of not morethan three years or to a fine not exceeding two hundredthousand shillings or both.

20. (1) A person who accesses or causes to beaccessed a computer or computer system or networkfor purposes of terrorism, commits an offence and isliable upon conviction to life imprisonment.

(2) For the purpose of this section, "terrorism"shall have the same meaning under the Prevention of

Terrorism Act.

Unauthorizedmodification ofdata.

Cyber terrorism.

No. 30 of2012

The Cyber Security and Protection Bill,2016 143

21. A person authorized to use a computer orother electronic devices for financial transactionsincluding posting of debit and credit, issuance ofelectronic instructions as they relate to sending ofelectronic debit and credit messages or confirmationof electronic fund ffansfer, issues false electronicinstructions, commits an offence and is liable, onconviction, to a fine not exceeding one hundred thousandshillings or to a term of imprisonment not exceeding fiveyears or both.

22. A person who creates or operates a website orsends a message through a computer system with theintention to induce the user of a website or the recipient ofthe message to disclose personal information for afiunlawful purpose or to gain unauthorized access to a

computer system, commits an offence and is liable uponconviction to a fine not exceeding three hundred thousandshillings or to a term of imprisonment for a term notexceeding three years or both.

23. (l) A person who operates a computer lr?J,'lil:"11system or a computer network, whether public orprivate, shall immediately inform the Unit of anyattacks, intrusions and other disruptions to thefunctioning of another computer system or networkwithin seven days of such attack, intrusion or disruption.

(2) A report made under subsection(l) shall include-

(a) information about the breach, including asummary of any information that the agencyknows on the date on which notification isprovided about how the breach occurred;

(b) an estimate of the number of people affected bythe breach and an assessment of the risk of harmto the affected individuals; and

(c) an explanation of any circumstances that woulddelay or prevent the affected persons from beinginformed of the breach.

(3) The unit may propose the isolation ofany computer systems or network suspected to have beenattacked or disrupted pending the resolution of the issues.

(4) A person who contravenes the provisions ofsubsection (l) commits an offence.

lssuance of falsee-instructions.

t44 The Cyber Security and Protection Bill,2016

24. A person who fraudulently or dishonestlymakes use of the electronic signature, password orany other unique identification feature of any other

person commits an offence and is liable, on conviction, to afine not exceeding two hundred thousand shillings or to aterm of imprisonment not exceeding three years or both.

25. (l) A person rvho intentionally uses a

computer system or network for producing, off,ering ormaking available,distributing or transmitting, storing,procuring or possessing pornography commits an

offence and shall be liable, upon conviction to a term ofimprisonment not exceeding twenty years or a fine notexceeding two hundred thousand shillings or both fine andimprisonment.

26. A person who, through any computer systemor network, proposes, grooms or solicits to meet a

child for the purpose of engaging in sexual activitieswith the child, commits an offence and shall be liable uponconviction to a term of imprisonment not exceeding twentyfive years or to a fine not exceeding two hundred and fiftythousand shillings or both.

27. A person who intentionally transmits or causesthe transmission of any communication through a

computer system or network to bully, threaten orharass another person, where such communicationplaces another person in fear of death, violence otbodily harm, commits an offence and is liable on

conviction to a term of imprisonment not exceeding fiveyears or a fine not exceeding two hundred thousandshillings or both.

28. A person who transfers, publishes, ord,isseminates, including making a digital depiction availablefor distribution or downloading through a

'telecommunications network or through any other means oftransferring data to a computer, the intimate image ofarnother person commits an offence and is liable, onc'onviction to a term of imprisonment not exceeding thirfyy'ears or fine not exceeding three hundred thousandshillings or both.

29. A person who, intentionally takes ormakes use of a name, business name, trademark,domain name or other word or phrase registered,

Identity theft arrilimpersonation.

Electronicdistribution ot'pomography.

Chrld explottatron.

Cyber-bullyurg

Wrongfuldistribution ofintimate images

Cyber squatlitg

The Cyber Security and Protection Bi.ll,2016 L45

owned or in use by another person on the internetor any other computer network, without authority orright, commits an offence and is liable on convictionto imprisonment for a term not exceeding tw-o years ora fine of not exceeding two hundred thousand shillingsor both.

30. A person who unlawfully produces, supplies,adapts, manipulates or procures for use, impofts,exports, distributes, offers for sale or otherwise makesavailable any device, including a computer program, a

computer password, access code or similar data bywhich the whole or any part of a computer system

may be accessed without authorization, commits an offenceand shall be liable, on conviction, to a fine not exceedingone hundred thousand shillings or to a term ofimprisonment not exceeding two years or both.

31. (1) Without prejudice to any contractualagreernent between the employer and the employee, anemployee shall relinquish all codes and access rightsto their employer's computer network or systemimmediately upon termination of employment.

(2) A person who contravenes the provision of thissection commits an offence and shall be liable, onconviction, to a fine not exceeding fifty thousand shillingsor to a term of imprisonrnent not exceeding one year orboth.

PART III - MISCELLANEOUS PROVISIONS

Importation andfabrication ofe-tools.

Employceresponsibrlity.

32. The Cabinet Secretary shall submit an Report

annual report to the National Assembly and the Senate ot--

(a) measures put in place to enhance cyber security;

(b) the cyber threat incidents reported within therelevant period to which the report relates;

(c) an assessment of the information sharingrelationship between Kenya and other countriesrelating to cyber threats;

(d) an assessment of technologies or capabilities thatwould enhance the country's abilit-v to preventand respond to cybersecurity threats;

(e) an assessment of any technologies or practicesused by the private sector that could be employed

a)

146 The Cyber Security and Protection Bill,2016

to assist the govemment in preventing andresponding to cybersecurity threats; and

(0 any other information requested by either houseof Parliament.

33. The Cabinet Secretary shall make regulations forthe better carrying out of the provisions of this Act.

34. (1) Section 83C of the Kenya Infbrmation andCommunication Act is amended by-

(a) in subsection (1) by deleting paragraph (g) and(h);

(b) repealing subsection (2) and substituting thereforthe following new subsection-

(2) The Cabinet Secretary may, in consultation withthe Authority, make Regulations with respect to thefunctions of the Authority relating to cyber security underthis Act.

35. The Kenya Information and Communication Actis amended by-

(a) repealing section 83W;

(b) repealing section 83X;

(c) repealing section 83Y;

(d) repealing section 832;

(e) repealing section 84A;

(D repealing section 84B;

(g) repealing section 84C

(h) repealing section 84D;

(D repealing section 84E;

() repealing section 84F; and

(k) repealing section 84G.

Regulations.

Amendments toCap.41lA.

Repeals.Cap. 411A.

The Cyber Security and Protection Bill,2016 t47

MEMORANDUM OF OBJECTS AND REASONS

Statement of the Objects and Reasons for the Bill

The principal object of this Bill is to provide increased security incyberspace and to provide for the prohibition of certain acts in the use ofcomputers. The world is increasingly run through the use of computertechnology. Through this virtual system, people are able to send money,store large amount of data, communicate across continents at the touch ofa button, control security infrastructure, run businesses and enhancehuman connectivity.

However while computers have increased human connectivity andhave a direct impact on development, they also pose a risk to the users. Atalarger scale they may be used to disrupt the delivery of essential servicesand in effect cause irreparable harm to the economy and lives of people.At a small scale they may be used as a means to harass and intimidateindividuals. Therefore, while computers have increased humanconnectivity, played a major role in development and ensured the effectivedelivery of certain services, they have also exposed society to certainvulnerabilities. This Bill therefore seeks to address and prohibit anyactivity the proper functioning of computer systems or the improper use ofcomputer systems in order to protect life and property.

The Bill proposes to establish a national cyber security response unitin the Ministry responsible for matters relating to security. The unit will beresponsible for receiving and investigating reports on cyber threatincidences, running a national computer forensic lab for the benefit of lawenforcement agencies, advising on measures to combat cyber threats andsupporting research into cyber security. The Bill also proposes a

mechanism to enable the sharing of information between private entitieson cyber threats under certain circumstances. This is intended to enhanceawareness and preparedness in combating cyber threats.

The Bill further proposes the identification and designation of certainsystems as critical infrastructure. This is in appreciation of the vital rolesuch systems play in the security and economic well-being of the countryand is intended to ensure that the owners of such systems receive thenecessary support from the State.

The Bill also proposes to proscribe certain conduct in order to enstrethe safety of computer systems and that such systems are not used forunlawful purposes.

The Cyber Security and Protection Bill,20l6

Statement on the delegation of legislative powers and limitation offundamental rights and freedoms

Clause 31 of the Bill provides for the power of the Cabinet Secretaryto make Regulations for the better carrying out of the provisions of thelegislative proposal.

The Bill provides for the sharing of data by private entities, betweenthemselves or with the government, but only for the purpose of ensuringcyber security. The Bill however prohibits the sharing of certain types ofinformation for instance information relating to the health status of anotherperson without the prior consent of that person.

Statement on how the Bill concerns county governments

Computer systems and the internet are increasingly being relied uponfor the delivery of certain services such as commerce, communication,data storage and social activities. County goverxrnents are not exemptfrom this virtual revolution. County governments rely on the properfunctioning of computer systems to deliver services in the areas assignedto them under Part 2 of the Fourth Solredtile tr-r 11'," Constil.ution.

This Bill therefore concerns county governments in terms of ArticlesI l0(l)(a) of the Constitution in thaf it contains provisi.-rns that aflbct thefunctions and powers of the cotmty govelnments as set out in the FourthSchedule to the Constitution.

Statement that the Bill is not a money Rill rvithin the meaning ofArticle ll4 of the Constitution

This Bill proposes to establish a national cybercrime response unitwhich will be an office in the Ministry responsible for malters relating tosecurity. The Bill seeks to lake advantage of existing administrative andfinancial structures and any monies required fbr the running of the unitshall be met by the funds appropriated by the National Assembly to theparent Ministry.

This Bill is therefbre not a moneyI 14 o{'the Constitution.

Dated the 4th July, 2016.

Bill within the meaning of Article

MUTAHI KAGWE,Chairperson, Committee on Information and Technologt.

148

tI

!iI

:

i

i

'\