The Computer Misuse and Cybercrimes Act 2018 (CMCA), formally Act No. 5 of 2018, introduced a comprehensive framework for cybercrime offences in Kenya. Several of its provisions have direct implications for technology companies and digital platforms, and getting the section numbers right matters in practice, since a compliance memo or a contract indemnity clause that cites the wrong provision can leave a genuine risk unaddressed while appearing to cover it.
Key Offences Under the Computer Misuse and Cybercrimes Act 2018
The Act’s offence provisions sit in Part III, beginning at Section 14, not in the early single-digit sections that are sometimes cited; those earlier sections deal with definitions and with the establishment of the National Computer and Cybercrimes Co-ordination Committee under Section 4, not offences. Section 14 creates the offence of unauthorised access: a person causing a computer system to perform a function by infringing security measures, with intent to gain access and knowing that the access is unauthorised. It carries a fine of up to five million shillings or imprisonment of up to three years, or both. Section 16 creates the offence of unauthorised interference, a single offence covering any intentional, unauthorised act causing interference to a computer system, program, or data, which in practice covers conduct like denial-of-service attacks and the deployment of malware. It carries a fine of up to ten million shillings or imprisonment of up to five years, or both. This is one section, not two separate provisions, and the heavier penalty band compared to Section 14 reflects the more serious harm that interference, as opposed to mere unauthorised access, is treated as causing.
Kenya’s framework also separates two distinct false-publication offences that are easy to conflate. Section 22, “False publications”, criminalises intentionally publishing false, misleading, or fictitious data with intent that it be considered or acted upon as authentic, carrying a fine of up to five million shillings or imprisonment of up to two years. Section 23, “Publication of false information”, is a separate and more serious offence: knowingly publishing information that is false and that is calculated to or results in panic, chaos, or violence, or that is likely to discredit a person’s reputation, carrying a considerably higher penalty band of a fine of up to five million shillings or imprisonment of up to ten years. A technology company moderating user-generated content should understand that both provisions exist side by side with materially different elements and penalties, rather than treating “false publication” as a single undifferentiated offence. This distinction has also been the subject of constitutional challenge, given how subjective concepts like intent and likely effect operate within a criminal statute, and that scrutiny should be expected to continue.
Platform-Relevant Offences: Harassment, Identity Theft, and Phishing
A handful of further offences in Part III are particularly relevant to a platform hosting user-generated content or user accounts. Section 27 creates the offence of cyber harassment, covering wilful communication, directly or indirectly, that the person knows or ought to know is likely to cause the recipient apprehension or fear of violence, loss of or damage to property, or that detrimentally affects them in other specified ways; a platform’s harassment reporting and takedown process should be designed with this provision’s actual elements in mind, since “harassment” as understood colloquially by users reporting content does not map exactly onto the statutory definition. Section 29 creates the offence of identity theft and impersonation, covering fraudulent or dishonest use of another person’s electronic signature, password, or other unique identification feature, carrying a fine of up to two hundred thousand shillings or imprisonment of up to three years. Section 30 creates the offence of phishing, covering the creation or operation of a website, or the sending of a message or email, designed to deceive a person into disclosing personal or financial information. A platform that allows account creation, messaging, or any feature that could be used to impersonate another user or to deceive users into disclosing credentials should map its abuse-reporting and account-verification features against these specific provisions, since a platform’s own terms of service enforcement is a separate matter from whether it has built reporting pathways that actually correspond to what the criminal law treats as reportable conduct.
Data Security Obligations
The CMCA, read together with the Data Protection Act, 2019, creates layered obligations for technology companies to implement appropriate cybersecurity measures. A data breach resulting from inadequate security can give rise to liability under both statutes simultaneously, rather than one displacing the other; a company that has notified the Data Commissioner of a breach under the DPA has not thereby resolved any separate CMCA exposure arising from the same underlying security failure. Technology companies should maintain access controls, encryption appropriate to the sensitivity of the data held, a documented vulnerability management programme, and a tested incident response procedure, since each of these is the kind of evidence that demonstrates “appropriate” security measures were in place if either statute’s obligations are ever tested by a regulator or in litigation following a breach.
Law Enforcement Cooperation
Part IV of the Act sets out investigation procedures, including search and seizure of stored computer data under Section 48 and, of particular relevance to technology companies and service providers, production orders under Section 50, which compel the production of specified data held by a service provider. Investigating agencies exercising these powers must do so within the procedural framework the Act itself sets, including the requirement for appropriate judicial authorisation in the relevant circumstances, rather than on an open-ended request basis. A technology company or service provider that receives a production order should have an internal process for verifying the order’s validity and scope before complying, since a company that hands over more data than a validly issued order actually requires may create its own separate data protection exposure under the DPA for the excess disclosure.
Corporate Liability
Section 43 establishes corporate liability directly: where an offence under the Act is committed by a body corporate, the body corporate itself is liable on conviction to a fine of up to fifty million shillings, and every person who was a principal officer of the body corporate at the time of the offence, or anyone acting in a similar capacity, is also deemed to have committed the offence, subject to the defences the section provides. This is a considerably more significant corporate exposure figure than is sometimes assumed, and the personal liability extension to principal officers means a company’s compliance programme needs buy-in at the leadership level rather than being treated purely as an IT or legal department responsibility. A company that fails to implement reasonable cybersecurity measures and suffers a breach causing harm to users faces this criminal exposure under the CMCA in addition to whatever regulatory and civil exposure arises separately under the Data Protection Act.
Clay & Associates Advocates advises technology companies on CMCA compliance, content moderation policies addressing the Section 22 and Section 23 false-publication offences, platform abuse-reporting design against the harassment, identity theft, and phishing provisions, responding to production orders, and corporate cybersecurity governance under Section 43. If your company needs its compliance documentation checked against the Act’s actual section numbers and penalty structure, or needs a process for handling law enforcement data requests, we can help you build that before an incident forces the question.






