By: Harmony Eghwubare, Esq.
It is no longer news that with the advent of the internet, the world has become a global village; and it has been observed that many organisations now additionally operate as digital businesses. The internet has undeniably transformed the way organizations conduct their businesses and other transactional activities, which has equally ushered in legal implications and consequences for possible breach of contract or data privacy.
It is undoubtedly correct that every evolution attracts its own risks, and this applies equally to internet usage. This article looks into some of the risks of conducting commercial transactions, businesses or contracts via the internet and how the liabilities can be reduced. For example, some of the risks involved in transacting business online are hackers, the duplication of transactions, breach of data privacy, erratic internet supply, fraudulent/scam e-mails, etc.
WHAT IS AN ONLINE BUSINESS?
The term “online business” can be used interchangeably with “digital business”. An online business is a business or commercial transaction that involves sharing information via the internet; it focuses on the use of information and communication technology to enable the activities and relationships of the business with its customers, suppliers and partners, e.g., Amazon, Jumia, Konga, Alibaba, etc.
A digital business is one that uses technology primarily as an advantage in its internal and external operations. For example, a look at the retail banking industry will reveal that digital technologies are increasingly utilized across its several business functions and also in the physical branches to meet the needs of customers.
CATEGORIES OF DIGITAL BUSINESSES
There are two categories of digital business, to wit: the purely digital business and the semi-digital business. Some examples of purely digital businesses are online taxi services (e.g. Uber, Bolt), online stores (e.g. Amazon, Jumia, Konga), online cinemas (e.g. Netflix, YouTube), online gaming (e.g. Betway, BetKing), online payment (e.g. PayPal, Flutterwave, Paystack), etc. On the other hand, examples of “semi-digital” internet-dependent businesses are Point of Sale (POS) terminals and Automated Teller Machines (ATM) for banks, online learning for schools, online ordering and reservations for restaurants and food vendors, etc.
RISKS INVOLVED IN DOING DIGITAL BUSINESS
There are some general risks that cut across all types of digital/online business, and some of these are briefly discussed below:
- Hackers:
A computer hacker is a computer expert who uses his technical knowledge to gain unauthorized access to data within a computerized system. Hackers may work individually or as a group, and they usually attempt to gain access to a computer system in order to carry out a criminal/unauthorized activity. Some of the criminal activities hackers engage in are as follows:
(a) Stealing of information, either confidential or otherwise (i.e. online espionage)
(b) Stealing of funds/online fraud
(c) Identity theft
- Breach of Privacy:
A data breach can have grave consequences for a digital business. It can disrupt its daily operations as the business tries to recover from the impact of the data breach and make every necessary system update in order to prevent future occurrences of same.
A data breach can give an online business bad publicity/reputation and this can negatively affect the business, as customers whose private information has been compromised may stop patronizing the business and/or switch to a competitor, and may institute a civil action against the business; also, potential customers may become discouraged for fear of their private information getting into the wrong hands.
- Duplication of Transactions:
The duplication of transactions refers to a situation where a particular transaction is processed twice or more, usually due to network disruptions or system error. This risk is very common with financial transactions that take place online, especially in retail banking.
- System Downtimes/Internet Glitches:
System downtime refers to periods when an online network is unavailable and/or inaccessible, and this is usually due to unstable and erratic internet supply. During a system downtime, the online network cannot perform its primary functions. There are several possible causes of system downtimes, to wit: software/hardware failures, power failure, wrong configurations, old equipment, human error, etc.
HOW LIABILITIES CAN BE REDUCED IN DIGITAL BUSINESSES
The consequences of the risks discussed above are far-reaching and indeed very severe; however, there are ways of mitigating/reducing these risks and some of them are discussed below, to wit:
- Security Software:
It is of absolute importance that digital businesses be fully protected against security breaches by putting in place proper security systems to adequately protect the data from hackers. Some of the methods of protection of digital businesses include:
(b) Personal identification numbers (PIN)
(c) Two-factor authentication (2FA)
(d) Digital signatures
(e) One-time passwords (OTP)
(f) Security Questions/Codes
(g) Digital certificates
(h) Intrusion detection systems etc
(k) Anti-virus software installations
(l) Secure software development mechanisms that would make it extremely difficult for hackers to gain access.
Also, it is necessary for digital businesses to take appropriate steps to sensitize and educate their customers/users on the potential risk of hackers, online thieves and fraudsters, and to educate them on taking personal security measures so as not to divulge their personal/private information indiscriminately.
- Digital/Electronic Signatures:
Digital businesses must give the assurance that the parties involved in any given transaction cannot deny that the transaction took place. This means that there must be adequate proof that the transaction occurred. The use of digital signatures is one way to address this. A digital signature ensures that a document or message is electronically signed by a person; therefore, the person cannot deny afterwards that he provided the signature. Section 17 of the Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 provides for the use of electronic signatures thus:
“Section 17 (1):
(a) Electronic signature in respect of purchased goods and any other electronic transactions shall be binding.
(b) Whenever the genuineness or otherwise of such signatures is in question, the burden of proof, that the signature does not belong to the purported originator of such electronic signatures shall be on the contender.
(c) Any person who with the intent to defraud or misrepresent, forges through electronic devices another person’s signature or company mandate, commits an offence and shall be liable on conviction to imprisonment for a term of not more than 7 years or a fine of not more than N10,000,000.00 or to both fine and imprisonment”
However, Section 17 (2)(a)-(h) of the Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 provides for documents that are excluded from the valid use of electronic signatures. Some of these documents are listed below:
(a) Wills, codicils and or other testamentary documents;
(b) Death certificate;
(c) Birth certificate;
(d) Family law documents such as marriage, divorce and adoption certificate;
(e) Court orders, notices, official court documents such as an affidavit, pleadings, motions, and other related judicial documents and instruments; etc
- Disclaimers:
Disclaimers provide users with constructive notice of the necessary precautions the user ought to take and the limit of the business’s liability. The purpose of a disclaimer is to mitigate a specified risk(s) and it protects the online business from legal action; however, it might not necessarily cover and/or limit every liability.
An ideal disclaimer ought to cover all foreseeable liabilities for the product or service being provided by an online business. The users/customers of the business must be warned of possible hazards and/or dangers associated with using the digital platform (website, phone application, etc.).
- The Use of Terms and Conditions:
Terms and Conditions, also known as Terms of service, is a legally binding agreement/contract between a service provider/online platform and a person who intends to use that online platform/service. It is the agreement that regulates the use of an online platform; it sets the conditions that users must agree to and abide by, in order to access a digital platform. The use of terms and conditions also protects an online business from unnecessary litigation.
There are some important clauses that should be included in the terms and conditions such as:
(a) Legal age requirement
(b) Identity verification
(c) Intellectual property
(d) Disclaimers & limitation of liability
(e) Grounds for termination of a customer’s account
(f) Anti-money laundering
(g) Force majeure
- Confidentiality Statement:
This is a statement usually issued in online/digital communication between a business and its user/customer (e.g. electronic mails). The statement basically informs the recipient of the confidential nature of the message being received and that, where the recipient believes that the message was erroneously sent, same should be deleted.
The confidentiality statement is aimed at protecting the privacy of information/data being shared with authorized persons.
- Laws and Regulations:
The laws that have been put in place to regulate transactions that take place online include the following:
i. The Nigerian Data Protection Regulation, 2019 (NDPR): This is a legal framework that sets guidelines for the collection and processing of personal information from persons in Nigeria. Section 1.1 spells out the purpose of this Regulation thus:
“(a) to safeguard the rights of natural persons to data privacy;
(b) to foster safe-conduct for transactions involving the exchange of personal data;
(c) to prevent manipulation of personal data; and
(d) to ensure that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a just and equitable legal regulatory framework on data protection which is in tune with best practice.”
ii. The Cybercrimes (Prohibition, Prevention, Etc) Act, 2015: This Act provides primarily for offences that are committed online and the attendant consequences. Sections 6 – 36 of the Act provide for these offences, some of which are stated below:
(a) Unlawful access to a computer (hacking), unauthorized modification of computer systems network data and system interference
(b) Unlawful destruction and abortion of electronic mails or processes through which money and or valuable information is being conveyed
(c) Willful misdirection of electronic messages
(d) Computer-related forgery
(e) Computer-related fraud and fraudulent issuance of electronic instructions
(f) Electronic cards-related fraud, dealing in the card of another and purchasing or sale of the card of another
(g) Identity theft and impersonation
(h) Breach of confidence by Service Providers
(i) Manipulation of ATM/POS terminals
(j) Phishing, spamming and spreading of computer viruses
(k) Use of fraudulent device or attached e-mails and websites
iii. The ISO/IEC 27001:2013 Standard: This is also known as ISO27001 and it is the international standard that sets out the specification for an information security management system (ISMS). It creates a framework that helps organizations establish, implement, operate, monitor, review, maintain and continually improve their information security management system. Complying with the ISO27001 provisions/standard is information security best practice and is essential to demonstrating data protection compliance.
iv. The Economic and Financial Crimes Commission Establishment Act, 2015: This provides for fraudulent offences that may or may not be committed with the use of the internet.
v. The Criminal Code Act, Cap. C38 LFN, 2004.
- Cyber and Privacy Insurance:
Insurance, as defined by Black’s Law Dictionary, is an agreement by which one party (the insurer) commits to doing something of value for another party (the insured) upon the occurrence of some specified contingency; especially in an agreement by which one party assumes a risk faced by another party in return for a premium payment. In essence, insurance is an arrangement by which a company undertakes to provide a guarantee of compensation for a person’s specified contingent loss, damage, illness, or death in return for the payment of a specified premium.
In the same vein, a cyber and privacy insurance policy provides digital businesses with protection from losses resulting from a possible data breach or the loss of electronically-stored confidential information. Cyber and privacy insurance policies are designed to protect online/digital businesses from the activities of hackers and other criminal-minded individuals or entities who may gain unauthorized access to stored personal information. Thus, purchasing a cyber and privacy insurance policy can greatly assist a digital business in recovering from unforeseen regulatory and/or financial obligations that security breaches may create.
It is pertinent to state that as the internet space evolves, the risks associated with online transactions also evolve; thus there should be proactive methods of curbing these risks and liabilities. The following are some recommendations for improved security and reduced liabilities for online transactions, to wit:
(a) Online businesses should take out an insurance policy for their customers and themselves against internet risks.
(b) There should be more judicial activism in the area of cyber law and cybercrimes in order to create a buoyant reservoir of legal precedent for cases that arise from online transactions.
(c) Online businesses should establish systems for managing risk by developing relevant tools for such monitoring, review and management of online risks and hazards.
(d) Online businesses should regularly update themselves on the new and evolving risks in cyberspace, monitor them and take appropriate steps to avoid them.
(e) Online businesses should regularly organize risk awareness trainings and seminars to update the whole organization on new risks and modes of tackling them.
The widespread acceptance of digital businesses has made online marketing an absolute necessity for organizations to thrive in the competitive global market. Thus, almost every business is scampering to go digital in order to have some competitive advantage.
It is therefore pertinent for every online business to ensure adequate security measures are put in place to protect their customers and at the same time, reduce their own liabilities.