Computer Misuse and Cybercrimes

Section 1. Short title Section This Act may be cited as the Computer Misuse and Cybercrimes Act.

Section 2. Interpretation Section alters, modifies or erases a program or data or any aspect related to the program or data in the computer system;

Section 3. Objects of the Act Section protect the confidentiality, integrity and availability of computer systems, programs and data;

Section 4. Establishment of Committee Section There is established the National Computer and Cybercrimes Co-ordination Committee.

Section 5. Composition of the Committee Section 5(1)(a) the Principal Secretary responsible for matters relating to internal security or a representative designated and who shall be the chairperson; Section 5(1)(b) the Principal Secretary responsible for matters relating to information, communication and technology or a representative designated in writing by the Principal Secretary responsible for information, communication and technology; Section 5(1)(c) the Attorney-General or a representative designated in writing by the Attorney-General; Section 5(1)(d) the Chief of the Kenya Defence Forces or a representative designated in writing by the Chief of the Kenya Defence Forces; Section 5(1)(e) the Inspector-General of the National Police Service or a representative designated in writing by the Inspector-General of the National Police Service; Section 5(1)(f) the Director-General of the National Intelligence Service or a representative designated in writing by the Director-General of the National Intelligence Service; Section 5(1)(g) the Director-General of the Communications Authority of Kenya or a representative designated in writing by the Director-General of the Communications A...

Section 6. Functions of the Committee Section 6(1)(a) advise the Government on security related aspects touching on matters relating to blockchain technology, critical infrastructure, mobile money and trust accounts; Section 6(1)(b) advise the National Security Council on computer and cybercrimes; Section 6(1)(c) co-ordinate national security organs in matters relating to computer and cybercrimes; Section 6(1)(d) receive and act on reports relating to computer and cybercrimes; Section 6(1)(e) develop a framework to facilitate the availability, integrity and confidentiality of critical national information infrastructure including telecommunications and information systems of Kenya; Section 6(1)(f) co-ordinate collection and analysis of cyber threats, and response to cyber incidents that threaten cyberspace belonging to Kenya, whether such threats or incidents of computer and cybercrime occur within or outside Kenya; Section 6(1)(g) co-operate with computer incident response teams and other relevant bodies, locally and internationally on response to threats of computer and cybercrime and incidents; Section 6(1)(h) establish codes of cyber security practice and standards of performan...

Section 7. Secretariat of the Committee Section 7(1) There shall be a Secretariat which shall comprise of the Director and such number of public officers that, subject to the approval of the Committee, the Cabinet Secretary responsible for matters relating to internal security in consultation with the Cabinet Secretary responsible for matters relating to information, communications and technology may deploy to the Secretariat. Section 7(2)(a) the head of the Secretariat; and Section 7(2)(b) responsible to the Committee for the day to day administration of the affairs of the Secretariat and implementation of the decisions arising from the Committee. Section 7(3)(a) the implementation of the decisions of the Committee; Section 7(3)(b) the efficient administration of the Secretariat; Section 7(3)(c) the management of staff of the Secretariat; Section 7(3)(d) the maintenance of accurate records on financial matters and resource use; Section 7(3)(e) the preparation and approval of the budget for the required funding of the operational expenses of the Secretariat; and Section 7(3)(f) the performance of any other duties as may be assigned to him or her by the Committee. Section 7(4) The D...

Section 8. Reports by the Committee etc Section The Committee shall submit quarterly reports to the National Security Council.

Section 9. Critical information infrastructure Section 9(1) The Director shall, by notice in the Gazette , designate certain systems as critical infrastructure. Section 9(2)(a) the interruption of a life sustaining service including the supply of water, health services and energy; Section 9(2)(b) an adverse effect on the economy of the Republic; Section 9(2)(c) an event that would result in massive casualties or fatalities; Section 9(2)(d) failure or substantial disruption of the money market of the Republic; and Section 9(2)(e) adverse and severe effect of the security of the Republic including intelligence and military services. Section 9(3) The Director shall, within a reasonable time of designating a system as critical infrastructure, inform the owner or operator of the system the reasons for the designation of the system as a critical infrastructure. Section 9(4)(a) the classification of data held by the critical information infrastructure; Section 9(4)(b) the protection of, the storing of and archiving of data held by the critical information infrastructure; Section 9(4)(c) cyber security incident management by the critical information infrastructure; Section 9(4)(d) disaster...

Section 10. Protection of critical information infrastructure Section 10(1) The Committee shall within reasonable time and in consultation with the owner or a person in control of an identified critical information infrastructure, submit to the National Security Council its recommendations of entities to be gazetted as critical information infrastructures. Section 10(2)(a) conduct an assessment of the threats, vulnerabilities, risks, and probability of a cyberattack across all critical infrastructure sectors; Section 10(2)(b) determine the harm to the economy that would result from damage or unauthorized access to critical infrastructure; Section 10(2)(c) measure the overall preparedness of each sector against damage or unauthorized access to critical infrastructure including the effectiveness of market forces driving security innovation and secure practices. Section 10(2)(d) identify any other risk-based security factors appropriate and necessary to protect public health and safety, or national socio-economic security; and Section 10(2)(e) recommend to the owners of systems designated as critical infrastructure, methods of securing their systems against cyber threats.

Section 11. Reports on critical information infrastructure Section 11(1) The owner or operator of a system designated as critical infrastructure shall report to the Committee any incidents likely to constitute a threat in the nature of an attack that amounts to a computer and cybercrime and the action the owner or operator intends to take to prevent the threat. Section 11(2) Upon receipt of a report by the Committee, under subsection (1), the National Security Council shall provide technical assistance to the owner or operator of a critical infrastructure to mitigate the threat. Section 11(3) The Director may institute an investigation of a computer and cybercrime attack on his or her own volition and may take necessary steps to secure any critical infrastructure without reference to the entity. Section 11(4) The Director shall submit a report on any threat in the nature of a computer and cybercrime reported by the owners or operators of critical infrastructure periodically to the National Security Council.

Section 12. Information sharing agreements Section 12(1) A private entity may enter into an information sharing agreement with a public entity on critical information infrastructure. Section 12(2)(a) to ensure cyber security; Section 12(2)(b) for the investigation and prosecution of crimes related to cyber security; Section 12(2)(c) for the protection of life or property of an individual; and Section 12(2)(d) to protect the national security of the country. Section 12(3) Prior to the sharing of information under subsection (1), a party to an agreement shall review the information and ascertain whether the information contains personal details that may identify a specific person not directly related to a threat that amounts to a computer and cybercrime and remove such information. Section 12(4) A person shall not, under this Part, share information relating to the health status of another person without the prior written consent of the person to whom the information relates.

Section 13. Auditing of critical information infrastructures to ensure compliance Section 13(1) The owner or person in control of a critical information infrastructure shall annually submit a compliance report on the critical information infrastructure to the Committee in line with a critical infrastructure framework in order to evaluate compliance. Section 13(2)(a) the date on which an audit is to be performed; and Section 13(2)(b) the particulars and contact details of the person who is responsible for the overall management and control of the audit. Section 13(3) The Director shall monitor, evaluate and report on the adequacy and effectiveness of any audit. Section 13(4) The Director may request the owner or person in control of a critical information infrastructure to provide such additional information as may be necessary within a specified period in order to evaluate the issues raised from the audit. Section 13(5)(a) fails to file a compliance report and fails to cooperate with an audit to be performed on a critical information infrastructure in order to evaluate compliance with the directives issued; Section 13(5)(b) fails to provide to the Director such additional informati...

Section 14. Unauthorised access Section 14(1) A person who causes, whether temporarily or permanently, a computer system to perform a function, by infringing security measures, with intent to gain access, and knowing such access is unauthorised, commits an offence and is liable on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both. Section 14(2)(a) that person is not entitled to control access of the kind in question to the program or data; or Section 14(2)(b) that person does not have consent from any person who is entitled to access the computer system through any function to the program or data. Section 14(3)(a) any particular program or data; Section 14(3)(b) a program or data of any kind; or Section 14(3)(c) a program or data held in any particular computer system.

Section 15. Access with intent to commit further offence Section 15(1) A person who commits an offence under section 14 with intent to commit a further offence under any law, or to facilitate the commission of a further offence by that person or any other person, commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding ten years, or to both. Section 15(2) For the purposes of subsection (1), it is immaterial that the further offence to which this section applies is committed at the same time when the access is secured or at any other time.

Section 16. Unauthorised interference Section 16(1) A person who intentionally and without authorisation does any act which causes an unauthorised interference to a computer system, program or data, commits an offence and is liable on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. Section 16(2)(a) is not entitled to cause that interference; Section 16(2)(b) does not have consent to interfere from a person who is so entitled. Section 16(3)(a) results in a significant financial loss to any person; Section 16(3)(b) threatens national security; Section 16(3)(c) causes physical injury or death to any person; or Section 16(3)(d) threatens public health or public safety, Section 16(4)(a) any particular computer system, program or data; Section 16(4)(b) a program or data of any kind; or Section 16(4)(c) a program or data held in any particular computer system. Section 16(5) For the purposes of this section, it is immaterial whether an unauthorised modification or any intended effect of it is permanent or temporary.

Section 17. Unauthorised interception Section 17(1) A person who intentionally and without authorisation does any act which intercepts or causes to be intercepted, directly or indirectly and causes the transmission of data to or from a computer system over a telecommunication system commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. Section 17(2)(a) results in a significant financial loss; Section 17(2)(b) threatens national security; Section 17(2)(c) causes physical or psychological injury or death to any person; or Section 17(2)(d) threatens public health or public safety, is liable, on conviction to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. Section 17(3)(a) a telecommunication system; Section 17(3)(b) any particular computer system data; Section 17(3)(c) a program or data of any kind; or Section 17(3)(d) a program or data held in any particular computer system. Section 17(4) For the purposes of this section, it is immaterial whether an unauthorised interception or any intended effect of it is perman...

Section 18. Illegal devices and access codes Section 18(1) A person who knowingly manufactures, adapts, sells, procures for use, imports, offers to supply, distributes or otherwise makes available a device, program, computer password, access code or similar data designed or adapted primarily for the purpose of committing any offence under this Part, commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. Section 18(2) A person who knowingly receives, or is in possession of, a program or a computer password, device, access code, or similar data from any action specified under subsection (1) and intends that it be used to commit or assist in commission of an offence under this Part commits an offence and is liable on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. Section 18(3)(a) any act intended for the authorised training, testing or protection of a computer system; or Section 18(3)(b) the use of a program or a computer password, access code, or similar data Section 18(4)(a) possession of a comput...

Section 19. Unauthorised disclosure of password or access code Section 19(1) A person who knowingly and without authority discloses any password, access code or other means of gaining access to any program or data held in any computer system commits an offence and is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both. Section 19(2)(a) for any wrongful gain; Section 19(2)(b) for any unlawful purpose; or Section 19(2)(c) to occasion any loss,

Section 20. Enhanced penalty for offences involving protected computer system Section 20(1) Where a person commits any of the offences specified under sections 14 , 15, 16 and 17 on a protected computer system, that person shall be liable, on conviction, to a fine not exceeding twenty five million shillings or imprisonment for a term not exceeding twenty years or both. Section 20(2)(a) the security, defence or international relations of Kenya; Section 20(2)(b) the existence or identity of a confidential source of information relating to the enforcement of a criminal law; Section 20(2)(c) the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems and instruments, public utilities or public transportation, including government services delivered electronically; Section 20(2)(d) the protection of public safety including systems related to essential emergency services such as police, civil defence and medical services; Section 20(2)(e) the provision of national registration systems; or Section 20(2)(f) such other systems as may be designated relating to the security, defence or international relations of K...

Section 21. Cyber espionage Section 21(1)(a) gain access, as provided under section 14 , to critical data, a critical database or a national critical information infrastructure; or Section 21(1)(b) intercept data, as provided under section 17 , to, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, Section 21(2) A person who commits an offence under subsection (1) which causes physical injury to any person is liable, on conviction, to imprisonment for a term not exceeding twenty years. Section 21(3) A person who commits an offence under subsection (1) which causes the death of a person is liable, on conviction, to imprisonment for life. Section 21(4) A person who unlawfully and intentionally possesses, communicates, delivers or makes available or receives, data, to, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable on conviction to imprisonment for a period not exceeding twenty years...

Section 22. False publications Section 22(1) A person who intentionally publishes false, misleading or fictitious data or misinforms with intent that the data shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both. Section 22(2)(a) propagate war; or Section 22(2)(a)(i) propagate war; or Section 22(2)(a)(ii) incite persons to violence; Section 22(2)(b) constitutes hate speech; Section 22(2)(c) constitutes ethnic incitement, vilification of others or incitement to cause harm; or Section 22(2)(c)(i) constitutes ethnic incitement, vilification of others or incitement to cause harm; or Section 22(2)(c)(ii) is based on any ground of discrimination specified or contemplated in Article 27(4) of the Constitution; or Section 22(2)(d) negatively affects the rights or reputations of others.

Section 23. Publication of false information Section A person who knowingly publishes information that is false in print, broadcast, data or over a computer system, that is calculated or results in panic, chaos, or violence among citizens of the Republic, or which is likely to discredit the reputation of any person commits an offence and shall on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both.

Section 24. Child pornography Section 24(1)(a) publishes child pornography through a computer system; Section 24(1)(b) produces child pornography for the purpose of its publication through a computer system; Section 24(1)(c) downloads, distributes, transmits, disseminates, circulates, delivers, exhibits, lends for gain, exchanges, barters, sells or offers for sale, lets on hire or offers to let on hire, offers in another way, or make available in any way from a telecommunications apparatus pornography; or Section 24(1)(d) possesses child pornography in a computer system or on a computer data storage medium, Section 24(2) It is a defence to a charge of an offence under subsection (1) that a publication which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, art, representation or figure is in the interest of science, literature, learning or other objects of general concerns. Section 24(3)(a) a child engaged in sexually explicit conduct; Section 24(3)(b) a person who appears to be a child engaged in sexually explicit conduct; or Section 24(3)(c) realistic images representing a child engaged in sexually ex...

Section 25. Computer forgery Section 25(1) A person who intentionally inputs, alters, deletes, or suppresses computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible commits an offence and is liable, on conviction, to fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. Section 25(2)(a) for wrongful gain; Section 25(2)(b) for wrongful loss to another person; or Section 25(2)(c) for any economic benefit for oneself or for another person,

Section 26. Computer fraud Section 26(1)(a) unlawfully gains; Section 26(1)(b) occasions unlawful loss to another person; or Section 26(1)(c) obtains an economic benefit for oneself or for another person, through any of the means described in subsection (2), Section 26(2)(a) an unauthorised access to a computer system, program or data; Section 26(2)(b) any input, alteration, modification, deletion, suppression or generation of any program or data; Section 26(2)(c) any interference, hindrance, impairment or obstruction with the functioning of a computer system; Section 26(2)(d) copying, transferring or moving any data or program to any computer system, data or computer data storage medium other than that in which it is held or to a different location in any other computer system, program, data or computer data storage medium in which it is held; or Section 26(2)(e) uses any data or program, or has any data or program output from the computer system in which it is held, by having it displayed in any manner.

Section 27. Cyber harassment Section 27(1)(a) is likely to cause those persons apprehension or fear of violence to them or damage or loss on that persons' property; or Section 27(1)(b) detrimentally affects that person; or Section 27(1)(c) is in whole or part, of an indecent or grossly offensive nature and affects the person. Section 27(2) A person who commits an offence under subsection (1) is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. Section 27(3)(a) engaging or attempting to engage in; or Section 27(3)(b) enlisting the help of another person to engage in, any communication complained of under subsection (1). Section 27(4)(a) may grant an interim order; and Section 27(4)(b) shall hear and determine an application under subsection (4) within fourteen days. Section 27(5) An intermediary may apply for the order under subsection (4) on behalf of a complainant under this section. Section 27(6) A person may apply for an order under his section outside court working hours. Section 27(7) The Court may order a service provider to provide any subscriber information in its possession for the pur...

Section 28. Cybersquatting Section A person who, intentionally takes or makes use of a name, business name, trademark, domain name or other word or phrase registered, owned or in use by another person on the internet or any other computer network, without authority or right, commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years or both.

Section 29. Identity theft and impersonation Section A person who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person commits an offence and is liable, on conviction, to a fine not exceeding two hundred thousand shillings or to imprisonment for a term not exceeding three years or both.

Section 30. Phishing Section A person who creates or operates a website or sends a message through a computer system with the intention to induce the user of a website or the recipient of the message to disclose personal information for an unlawful purpose or to gain unauthorized access to a computer system, commits an offence and is liable upon conviction to a fine not exceeding three hundred thousand shillings or to imprisonment for a term not exceeding three years or both.

Section 31. Interception of electronic messages or money transfers Section A person who unlawfully destroys or aborts any electronic mail or processes through which money or information is being conveyed commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or to a term of imprisonment not exceeding seven years or to both.

Section 32. Willful misdirection of electronic messages Section A person who willfully misdirects electronic messages commits an offence and is liable on conviction to a fine not exceeding one hundred thousand shillings or to imprisonment for a term not exceeding two years or to both.

Section 33. Cyber terrorism Section 33(1) A person who accesses or causes to be accessed a computer or computer system or network for purposes of carrying out a terrorist act, commits an offence and shall on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding ten years, or to both. Section 33(2) For the purpose of this section, "terrorist act" shall have the same meaning as assigned under the Prevention of Terrorism Act (Cap. 59B).

Section 34. Inducement to deliver electronic message Section A person who induces any person in charge of electronic devices to deliver any electronic messages not specifically meant for him commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years or to both.

Section 35. Intentionally withholding message delivered erroneously Section A person who intentionally hides or detains any electronic mail, message, electronic payment, credit and debit card which was found by the person or delivered to the person in error and which ought to be delivered to another person, commits an offence and is liable on conviction a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years or to both.

Section 36. Unlawful destruction of electronic messages Section A person who unlawfully destroys or aborts any electronic mail or processes through which money or information is being conveyed commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.

Section 37. Wrongful distribution of obscene or intimate images Section A person who transfers, publishes, or disseminates, including making a digital depiction available for distribution or downloading through a telecommunications network or though any other means of transferring data to a computer, the intimate or obscene image of another person commits an offence and is liable, on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.

Section 38. Fraudulent use of electronic data Section 38(1) A person who knowingly and without authority causes any loss of property to another by altering, erasing, inputting or suppressing any data stored in a computer, commits an offence and is liable on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both. Section 38(2) A person who sends an electronic message which materially misrepresents any fact upon which reliance by another person is caused to suffer any damage or loss commits an offence and is liable on conviction to imprisonment for a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both. Section 38(3) A person who with intent to defraud, franks electronic messages, instructions, subscribes any electronic messages or instructions, commits an offence and is liable on conviction a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both. Section 38(4) A person who manipulates a computer or other electronic payment device with the intent to short pay or overpay commits an offence and i...

Section 39. Issuance of false e-instructions Section A person authorized to use a computer or other electronic devices for financial transactions including posting of debit and credit transactions, issuance of electronic instructions as they relate to sending of electronic debit and credit messages or confirmation of electronic fund transfer, issues false electronic instructions, commits an offence and is liable, on conviction, a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.

Section 40. Reporting of cyber threat Section 40(1) A person who operates a computer system or a computer network, whether public or private, shall immediately inform the Committee of any attacks, intrusions and other disruptions to the functioning of another computer system or network within twenty four hours of such attack, intrusion or disruption. Section 40(2)(a) information about the breach, including a summary of any information that the agency knows on how the breach occurred; Section 40(2)(b) an estimate of the number of people affected by the breach; Section 40(2)(c) an assessment of the risk of harm to the affected individuals; and Section 40(2)(d) an explanation of any circumstances that would delay or prevent the affected persons from being informed of the breach. Section 40(3) The Committee may propose the isolation of any computer systems or network suspected to have been attacked or disrupted pending the resolution of the issues. Section 40(4) A person who contravenes the provisions of subsection (1) commits an offence and is liable upon conviction a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.

Section 41. Employee responsibility to relinquish access codes Section 41(1) An employee shall, subject to any contractual agreement between the employer and the employee, relinquish all codes and access rights to their employer's computer network or system immediately upon termination of employment. Section 41(2) person who contravenes the provision of this subsection (1) commits an offence and shall be, liable on conviction, to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years, or to both.

Section 42. Aiding or abetting in the commission of an offence Section 42(1) A person who knowingly and willfully aids or abets the commission of any offence under this Act commits an offence and is liable, on conviction, to a fine not exceeding seven million shillings or to imprisonment for a term not exceeding four years, or to both. Section 42(2) A person who knowingly and willfully attempts to commit an offence or does any act preparatory to or in furtherance of the commission of any offence under this Act, commits an offence and is liable, on conviction, to a fine not exceeding seven million shillings or to imprisonment for a term not exceeding four years, or to both.

Section 43. Offences by a body corporate and limitation of liability Section 43(1)(a) the body corporate is liable, on conviction, to a fine not exceeding fifty million shillings; and Section 43(1)(b) every person who at the time of the commission of the offence was a principal officer of the body corporate, or anyone acting in a similar capacity, is also deemed to have committed the offence, unless they prove that the offence was committed without their consent or knowledge and that they exercised such diligence to prevent the commission of the offence as they ought to have exercised having regard to the nature of their functions and to prevailing circumstances, and is liable, on conviction, to a fine not exceeding five million shillings or imprisonment for a term not exceeding three years, or to both. Section 43(2) If the affairs of the body corporate are managed by its members, subsection (1)(b) applies in relation to the acts or defaults of a member in connection with their management functions, as if the member was a principal officer of the body corporate or was acting in a similar capacity.

Section 44. Confiscation or forfeiture of assets Section 44(1) A court may order the confiscation or forfeiture of monies, proceeds, properties and assets purchased or obtained by a person with proceeds derived from or in the commission of an offence under this Act. Section 44(2) The court may, on conviction of a person for any offence under this Act make an order of restitution of any asset gained from the commission of the offence, in accordance with the provisions and procedures of the Proceeds of Crime and Anti-Money Laundering Act (Cap. 59A).

Section 45. Compensation order Section 45(1) Where the court convicts a person for any offence under this Part, or for an offence under any other law committed through the use of a computer system, the court may make an order for the payment by that person of a sum to be fixed by the court as compensation to any person for any resultant loss caused by the commission of the offence for which the sentence is passed. Section 45(2) Any claim by a person for damages sustained by reason of any offence committed under this Part is deemed to have been satisfied to the extent of any amount which they have been paid under an order for compensation, but the order shall not prejudice any right to a civil remedy for the recovery of damages beyond the amount of compensation paid under the order. Section 45(3) An order of compensation under this section is recoverable as a civil debt.

Section 46. Additional penalty for other offences committed through use of a computer system Section 46(1) A person who commits an offence under any other law through the use of a computer system commits an offence and shall be liable on conviction to a penalty similar to the penalty provided under that law. Section 46(2)(a) the manner in which the use of a computer system enhanced the impact of the offence; Section 46(2)(b) whether the offence resulted in a commercial advantage or financial gain; Section 46(2)(c) the value involved, whether of the consequential loss or damage caused, or the profit gained from commission of the offence through the use of a computer system; Section 46(2)(d) whether there was a breach of trust or responsibility; Section 46(2)(e) the number of victims or persons affected by the offence; Section 46(2)(f) the conduct of the accused; and Section 46(2)(g) any other matter that the court deems fit to consider.

Section 47. Scope of procedural provisions Section 47(1)(a) criminal offences provided under this Act; Section 47(1)(b) other criminal offences committed by means of a computer system established under any other law; and Section 47(1)(c) the collection of evidence in electronic form of a criminal offence under this Act or any other law. Section 47(2) In any proceedings related to any offence, under any law of Kenya, the fact that evidence has been generated, transmitted or seized from, or identified in a search of a computer system, shall not of itself prevent that evidence from being presented, relied upon or admitted. Section 47(3)(a) the National Intelligence Service Act (Cap. 206); Section 47(3)(b) the National Police Service Act (Cap. 84); Section 47(3)(c) the Kenya Defence Forces Act (Cap. 199); and Section 47(3)(d) any other relevant law.

Section 48. Search and seizure of stored computer data Section 48(1)(a) is reasonably required for the purpose of a criminal investigation or criminal proceedings which may be material as evidence; or Section 48(1)(b) has been acquired by a person as a result of the commission of an offence, the police officer or the authorised person may apply to the court for issue of a warrant to enter any premises to access, search and similarly seize such data. Section 48(2)(a) identify the police officer or authorised person; Section 48(2)(b) direct the police officer or authorised person under paragraph (a) to seize the data in question; or Section 48(2)(c) search any person identified in the warrant; Section 48(2)(c)(i) search any person identified in the warrant; Section 48(2)(c)(ii) enter and search any premises identified in the warrant; or Section 48(2)(c)(iii) search any person found on or at such premises. Section 48(3) A search warrant may be issued on any day and shall be of force until it is executed or is cancelled by the issuing court. Section 48(4) A police officer or an authorised person shall present a copy of the warrant to a person against whom it is issued. Section 48(5)(a)...

Section 49. Record of and access to seized data Section 49(1)(a) make a list of what has been seized or rendered inaccessible, and shall specify the date and time of seizure; and Section 49(1)(b) provide a copy of the list to the occupier of the premises or the person in control of the computer system referred to under paragraph (a). Section 49(2)(a) had the custody or control of the computer system; Section 49(2)(b) has a right to any data or information seized or secured; or Section 49(2)(c) has been acting on behalf of a person under subsection (1)(a) or (b), Section 49(3)(a) constitute a criminal offence; or Section 49(3)(b) the investigation in connection with the search that was carried out; Section 49(3)(b)(i) the investigation in connection with the search that was carried out; Section 49(3)(b)(ii) an ongoing investigation; or Section 49(3)(b)(iii) any criminal proceeding that is pending or that may be brought in relation to any of those investigations. Section 49(4)(a) access and copy computer data on the system; or Section 49(4)(b) obtain a copy of the computer data.

Section 50. Production order Section 50(1)(a) specified data stored in a computer system or a computer data storage medium is in the possession or control of a person in its territory; and Section 50(1)(b) specified subscriber information relating to services offered by a service provider in Kenya are in that service provider's possession or control and is necessary or desirable for the purposes of the investigation, the police officer or the authorised person may apply to court for an order. Section 50(2)(a) a specified person to submit specified computer data that is in that person's possession or control, and is stored in a computer system or a computer data storage medium; or Section 50(2)(b) a specified service provider offering its services in Kenya to submit subscriber information relating to such services in that service provider's possession or control.