Data breaches are now a regular occurrence in the modern data-driven and digital global
economy that the world has now become. A number of organisations have suffered data
breaches in the course of their operations with differing degrees of seriousness. These breaches
have resulted in the personal information under the custody of these organisations becoming
compromised and unduly exposed to third parties with malicious motives, thereby creating
potential risks for the affected individuals. Nigeria, a country with an estimated population of
over 200 million people making it a fertile ground for data breaches, has also experienced cyber incidences that have affected both government institutions and corporate entities. Such cyber-attacks have led to the unauthorised exposure of personal data under the control of such
institutions or corporate organisations. Surfshark, a cybersecurity firm, reported that data
breach incidences in Nigeria increased by 64% in Q1 of 2023, recording 82,000 cases of data
breaches in Q1 2023, up from 50,000 recorded in Q4 2022.1
A data breach occurs when the data under an organisation's control suffers a security incident
that results in a breach of the confidentiality, availability, or integrity of such data- including
personal data.
In this article, we will examine the legal framework governing personal data breaches under the
data protection laws in Nigeria.
What is a Data Breach?
In Nigeria, data protection and privacy are governed by the Nigerian Data Protection Act 2023
("NDPA” or “Act”), which was signed into law on 12th June 2023.
The NDPA contains provisions that govern data breach events and stipulates the steps
organisations are required to take when they suffer data breaches.
Personal data breach under the NDPA is defined to mean a breach of security of a data
controller or data processor leading to or reasonably likely to lead to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted,
stored, or otherwise processed.
This infers a situation where, due to a breach in security, an organisation (either as a controller
or processor) suffers some form of unlawful destruction, loss, alteration or disclosure of the
personal data under its control. Where an organisation suffers a data breach, the NDPA
stipulates certain obligatory steps such organisations must take. We will closely examine the
various steps as we go further in this article.
How do organisations suffer data breaches?
Organisations can suffer data breaches directly, that is, where the data breach occurs on
personal data in the organisation’s possession whilst it is undergoing processing, storage or in
transit. Organisations can also suffer data breaches indirectly, where, though the data is not in
the organisation’s possession, such data is breached in the course of being processed by a third
party acting on the controller's instruction. In this instance, while the data processing or storage
infrastructure of the controller has not in itself been compromised, the personal data that is
under the control of the data controller has been impacted by a breach since the data processor processed the personal data on the controller’s instruction. The two scenarios mentioned above
are envisaged under the NDPA, and the NDPA has provisions stipulating what organisations
should do in such circumstances.
What are the obligations of the data processor in the event of a data breach?
In relation to the instances where a data controller suffers a data breach indirectly, that is, where
the breach is suffered by a data processor who processed the personal data on the controller’s
instruction, the data processor is required to assess the situation and provide adequate
information to the controller. Section 40 (1) (a) and (b) of the NDPA provides that where a
personal data breach has occurred concerning personal data being stored or processed by a
data processor, the data processor shall, on becoming aware of the breach-
(a) notify the data controller or data processor that engaged it, describing the nature of the
personal data breach, including, where possible, the categories and approximate
numbers of data subjects and personal data records concerned; and
(b) respond to all information requests from the data controller or processor that
engaged it, as they may require such information to comply with their obligations under
the NDPA.
What steps should organisations that have suffered a data breach take?
Where an organisation suffers a data breach, it is expected that, as a first step, the organisation
will take all steps necessary to stop the breach where possible. This means that the organisation
must first take steps to address the personal data breach and mitigate the adverse effects of the personal data breach to reduce the likelihood of harm to individuals or data subjects whose
personal data has been breached. The appropriate remedial action would depend on the nature
of the breach. For instance, the controller could typically try to make the data inaccessible or
unintelligible for third parties where they have accessed such data unauthorisedly. Where the
data has been altered or compromised, the controller would typically take steps to restore the
availability and accuracy of the data.
Is there any reporting obligation to a data protection authority?
Where a data controller suffers a data breach, there are specific reporting obligations that such
data controller must carry out depending on the perceived impact of the personal data breach.
Where the data breach is such that is required to be reported, such notification is to be made by the data controller to the Nigeria Data Protection Commission (“NDPC”). The NDPC, which was
established under the NDPA, is now the data protection authority for Nigeria and has taken over the function of the Nigeria Data Protection Bureau (as it was formerly known).
What types of personal data breach should be reported?
Under the Nigeria Data Protection Regulation 2019 (“NDPR”), there was an obligation on data
controllers to report all types of personal data breaches to the data protection authority. The
NDPA has moved away from this position. Under the NDPA, data controllers are now only
required to report data breaches where such data breaches will result in a risk to the rights and
freedoms of the data subjects. There is no obligation to report a data breach that will not result
in a risk to the rights and freedoms of the data subjects.
What can be considered to be a risk to the rights and freedoms of data subjects?
There are three factors that data controllers and processors are required to consider in
determining whether a data breach will result in a risk to the rights and freedoms of data
subjects. These are (a) the likely effectiveness of the measures (technical and administrative) that are implemented to mitigate the likely harm or adverse effect of the personal data breach; (b) any subsequent measures taken by the data controller to mitigate such risk; and (c) the nature, scope, and sensitivity of the personal data that was involved in the breach.
Where, based on these considerations, the data controller is of the view that the personal data
breach will result in a risk to the individuals whose data have been disclosed, the controller is
required to report to the NDPC.
Is there a timeline for reporting a data breach?
Under Section 40 (2) of the NDPA, data controllers are required to notify the NDPC within 72
hours after they become aware that they have suffered a breach that is required to be reported
under the Act. Where it is impossible for the data controller to provide all the required
information regarding the data breach to the NDPC within the said timeline, the data controller
may provide the information to the NDPC in phases.
Is there an obligation to communicate with the affected data subjects?
Based on the provisions of section 40 (3) of the NDPA, where a personal data breach is likely to
result in a high risk to the rights and freedoms of a data subject, the data controller is required
to communicate the personal data breach to the data subjects immediately. The communication should also include the measures the data subject could take to mitigate the possible adverse effects of the data breach. Where direct communication to the data subject would involve
disproportionate effort or expense, the data controller may make public communication using
one or more widely used media channels.
The NDPC also has the power to make public communication about a personal data breach that
has been brought to its notice, where it considers the steps the data controller has taken to
inform data subjects of the breach are inadequate.
Is there an obligation to keep records of data breach incidents?
To demonstrate compliance with their obligations under the NDPA, data controllers must keep a record of all personal data breach incidents. The record should include the facts relating to the
personal data breach, its effects, and the remedial action taken by the controller after the
occurrence of the breach. The record will enable the NDPC to confirm whether the controller
complied with its obligations under the Act. 2.
Failure to comply with the NDPA, where an organisation suffers a data breach, can expose the
organisation to regulatory sanctions such as monetary fines and criminal prosecution of its
senior officers.3. There is also a risk of reputational damage to the organisation.
Recommended actions that organisations that have suffered data breaches can take include:
1. Locate and secure the source of the breach to prevent further unauthorised access or
disclosure of personal data.
2. Determine the extent of the breach and confirm the obligations of the organisation
under the Act.
3. Engage a licensed Data Protection Compliance Organisation (DPCO) to advise your
organisation and assist it in complying with its obligations under the NDPA.
4. Engage data security experts/professionals to evaluate your organisation’s architecture
and advise on improving data security.
Penalties for non-compliance with obligations in the event of a data breach
Non-compliance by data controllers and processors with the obligations stipulated in the NDPA
in the event of a data breach is an infraction of the provisions of the NDPA, which attracts fines
and possible criminal action against the defaulting data controller or processor. Under the
NDPA, Data Controllers or Processors of Major Importance (“DCPMI”) that are found to have
breached the provisions of the Act may be subject to the payment of a fine of whichever is
greater between the sum of N10,000,000 or 2% of its annual gross revenue from the preceding
financial year. Similarly, other data controllers or processors may be liable to pay a fine of
whichever is greater between the sum of N2,000,000 or 2% of their annual gross revenue from
the preceding financial year.
Conclusion:
The NDPA imposes specific obligations on data controllers and processors where they suffer
data breaches. This article has summarised these obligations to enable organisations, at a
glance, to be guided on how to respond and ensure they are compliant with applicable laws
where they suffer data breaches
1 Adeyemi Adepetun, 24 May 2023, “Nigeria suffers 64% data breach in Q1, ranks 32 globally”, The Guardian,
https://guardian.ng/business-services/nigeria-suffers-64-data-breach-in-q1-ranks-32-globally/
2 Section 40 (8) of the NDPA.
3 Regulation 10 of the NDPR Implementation Framework
---
Read the original publication at UUBO.