The Computer Misuse and Cybercrimes Act No. 5 of 2018 (CMCA) introduced a comprehensive framework for cybercrime offences in Kenya. Several of its provisions have direct implications for technology companies and digital platforms.
Key Offences
Unauthorised access to computer systems (Section 3) is a primary offence. Unauthorised interference with computer data or systems (Sections 5 and 6) criminalises denial-of-service attacks and malware deployment. Publication of false information (Section 23) criminalises the intentional publication of false, misleading, or fictitious data that causes harm. This provision has been the subject of constitutional challenge.
Data Security Obligations
The CMCA, read with the Data Protection Act 2019 (DPA 2019), creates layered obligations for technology companies to implement appropriate cybersecurity measures. A data breach resulting from inadequate security can give rise to liability under both statutes. Technology companies must implement access controls, encryption, vulnerability management, and incident response procedures.
Law Enforcement Cooperation
Investigating agencies have the power to require production of data and to search computer systems with appropriate warrants. Technology companies and service providers may receive production orders. Establishing a process for reviewing and responding to production orders is part of responsible compliance.
Corporate Liability
Companies can be liable under the CMCA for offences committed by employees acting in the course of employment. A company that fails to implement reasonable cybersecurity measures and suffers a breach causing harm to users faces potential criminal liability in addition to regulatory and civil exposure.
Need advice on cybersecurity compliance or a CMCA-related matter? Contact Clay & Associates Advocates.