Cyber Security bill missed consumers view

For a country to develop a relatively successful ICT industry, effective light-touch regulation, more so, demand side policy issues of the internet dominated by issues around cyber security and data protection have to be put in place.

For example in the US, millions of people abandon shopping baskets at websites as they’re about to cash out because the websites ask them more questions that they are not comfortable with.

This alone costs over ten billion dollars in lost sales every year and also imposes huge costs on shops and banks who have to hire staff to do transactions that could be easily done online.

Cyber crime tends to be industrial scale petty crime and according to auditing firm PricewaterhouseCooper’s latest Global Economic Crimes Report, it’s the sixth highest economic crimes in Kenya with phishing and malware as the most common tools through which cyber attacks were perpetrated.

A number of companies have already faced attacks that have seen them lose millions. Most recent is National Bank of Kenya a few week ago confirming that fraudsters got away with Sh29 million in what was suspected to be a hacking incident.

Last year, Kenya Revenue Authority also lost about Sh4 billion through hacking.

Kenya’s commercial online community from banking to e-commerce is growing fast and lawmakers are trying to put a cyber security law in place to establish a better enabling online environment.

But apart from unconstitutional provision curtailing individual rights and freedoms in the bill, it also misses one fundamental information regulation angle, which is the self-regulation through the customer’s point of view.

Security economics, a growing research field, identifies cyber crime as a market failure where online platforms become insecure as a result of poor incentives. There is less security investment from the good people and more harm emanating from the bad guys that would not be socially optimal.

The most referenced story is that of UK in the 1990s when regulations favoured UK banks and they in turn behaved more recklessly by not taking fraud as serious as they should have.

Cyber crime, therefore, is simply a policy failure to ensure the best outcome for society when it comes to internet privacy.

So how does a consumer-centric policy fix this privacy failure?

When you have a world where it is really hard to distinguish good actors from bad, the scenario for the online community, information sharing on security breaches is the incentive that helps in getting people to overcome their online risk aversion.

Carl Shapiro and current Google Chief Economist Hal Varian in the book ‘‘Information Rules: A Strategic Guide to the Network Economy’’ were the first to break the ice on understanding the regulation of the information industry.

They came up with an interesting finding that the net present value of a firm’s customer base is the total cost of switching, so a firm’s net worth is the total switching cost of all its customers.

Therefore, a company will always try and cause the client not to leave if the customer threatens to switch loyalty. With this understanding, California introduced the first security breach reporting law that became successful and most US states and other countries replicated.

The law required that if your information is stolen, the person from whom it was stolen has to tell you about it so you can do something about it.

This has thus far been able to fix the market because people start ranking firms that are good or not so good at keeping hold of personal information and firms equally start raking in returns on security investment.

This consumer point of view - the security breach reporting provision, a fundamental jurisprudence in cyber security lawmaking is what drafters of the Cyber Security Bill 2017 utterly missed.

The bill only mandates reporting of breaches to government, who are much more slower in taking action.