PRIVACY CONSIDERATIONS FOR ORGANISATIONS IN MANAGING DATA BREACHES UNDER THE NIGERIAN DATA PROTECTION ACT
By: Olayinka Aileru
One of the means through which data protection legislation protects the confidentiality and integrity of the personal information of data subjects is by imposing security compliance standards on organisations in respect of their information management systems. The Nigerian Data Protection Act 2023 (NDPA) is no exception. Section 39 of the Act provides that organisations processing personal information shall implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in their possession or under their control. This includes protection against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure, or access. Typically, a data breach occurs whenever the integrity, security or confidentiality of the information system is compromised, resulting in unauthorised access to or interference with personal information [1]. It is generally accepted that no data security system is absolutely impervious to breach [2]. A breach of an information management system may occur either internally, through accidental snooping or the intentional acts of employees, or externally, through intrusions in the form of cyberattacks. Nevertheless, organisations are expected to adopt security systems that conform to industry standards and that are fit for purpose relative to the nature and sensitivity of the personal information the organisation processes.
One of the ways regulations ensure that organisations comply with security requirements is through breach reporting obligations. The notification that follows a breach incident invariably gives industry regulators an opportunity to assess the strength and resilience of the organisation's security system relative to the nature and sensitivity of the information being processed. Additionally, breach reporting is a veritable tool for holding organisations accountable to their obligation to protect personal information from misuse. An effective data breach response thus forms part of an organisation's sound information management system. The scope of this article is essentially to analyse the compliance requirements for an organisation that has experienced a breach of its information management system. It is hoped that organisations will be encouraged to voluntarily adopt these measures as part of their information management and security policy.
Essential Elements of Breach Incident Response
Breach Incident Response Team – crucial to any breach reporting compliance is the incident response team (IRT) within the organisation. Typically, the IRT will be drawn from the information security/cybersecurity department where one exists within the organisation. For small-scale organisations that cannot afford a dedicated information security team, the IRT obligations can be outsourced to cybersecurity firms or to organisations with expertise in offering data protection compliance services, such as a registered Data Protection Compliance Organisation (DPCO) in Nigeria. Standard practice requires that the scope of operations of the IRT be set out in the organisation's data protection and security policy. Additionally, in order to successfully navigate the complexities of the compliance requirements for a breach incident, the IRT will of necessity work collaboratively with the privacy compliance officer/DPO within the organisation and/or with external solicitors providing legal advisory services on privacy compliance matters.
Breach Investigation and Containment – the most important obligation of the incident response team, after becoming aware that a breach has occurred, is to investigate the incident to determine its nature, its scope and the categories of personal information affected by the intrusion. One of the objectives of the investigation is to quickly contain the breach and limit further exposure of the personal information processed by the organisation. Although the Act suggests that the obligation to investigate is activated after becoming aware of the breach, this obligation carries with it an inherent duty to implement measures in the security system that detect the occurrence of security breaches in the first place. It would amount to a dereliction of compliance obligations for a data processing organisation not to have in place a robust system for detecting intrusions into its data security systems. Section 39(2) of the NDPA 2023 requires data processing organisations to implement security measures which, among others, include:
- Periodic assessments of risks to processing systems and services, including where the processing involves the transmission of data over an electronic communications network.
- Regular testing, assessing and evaluation of the effectiveness of the measures implemented against current and evolving risks identified [3].
The foregoing provisions of the Act, which originated from the General Data Protection Regulation (GDPR) applicable across the EU, have been interpreted by the UK Information Commissioner's Office (ICO) in a data breach investigation involving Marriott International [4]. The ICO in that case held that the data security systems of organisations processing personal information must be robust enough to incorporate periodic testing, monitoring and analysis of the system, so that intrusions through well-known cyberattack vectors are detected whenever they occur or within a reasonable period of time thereafter. It is essential that the investigation reveals the types of personal data affected and the number of data subjects involved, in addition to any other technical information that is necessary to understand the scope and nature of the breach.
Notification to the Regulator – following the detection and investigation of a breach incident, the organisation that suffered the data breach is required to report to the industry regulator within 72 hours of the breach occurring. It is instructive to point out that the obligation to report is only activated where the security breach and compromise of personal information is such that it is likely to result in a risk to the rights and freedoms of data subjects. For instance, the use of hashing, pseudonymisation and strong encryption might render exfiltrated data meaningless to a cyber-attacker in the absence of a compromise of the decryption keys. The determination of whether a breach is likely to result in risks to data subjects is fact-specific, based on the nature and sensitivity of the personal information involved and on the identity and status of the data subjects concerned. The compromise of sensitive personal information such as medical, biometric, sexual and political information is usually presumed to create risks to the rights and freedoms of individuals in the event that it falls into the wrong hands.
By a combined reading of the Data Protection Act and the ancillary Data Protection Regulation (Implementation Framework) 2020, the following information is to be included in the report to the industry regulator:
- The nature of the personal data breach, including the categories and approximate number of data subjects and a description of the personal data records concerned.
- The date or time period during which the loss or unauthorised access or disclosure occurred.
- The name and contact details of a point of contact at the data controller from whom more information can be obtained.
- A description of the assessed likely consequences of the personal data breach to individuals, and of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
- An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorised access or disclosure.
- A description of any steps the organisation has taken to notify individuals of the loss or unauthorised access or disclosure.
Duty of the Data Processor – the obligation to report to the industry regulator is imposed only on the data controller, which is the organisation that uses the personal information for its business purposes [5]. There are instances where data controllers outsource all or part of their information management operations to a third party (a data processor). Examples of data processors falling into this category would be cloud-based platforms providing software as a service (SaaS). Where this is the case, the data processor is required to promptly notify the data controller of the breach and to use its best endeavours to aid the data controller in investigating the breach and in making the report to the regulator.
Notification to Data Subjects – in addition to the report to the industry regulator, the data controller is expected to notify the data subjects where the breach of their personal information is likely to result in a high risk to their rights and freedoms. Notification to data subjects requires some form of risk analysis and assessment, relative to the nature of the compromised personal information and the status of the data subject. Unlike the 72-hour notification period for the report to the regulator, notification to the data subject, where the data controller assesses the breach to constitute a high risk, must be immediate. This requirement of immediate notification is to enable data subjects to take the measures necessary to safeguard their interests pending the time that the data controller effectively manages the breach situation. Where the number of data subjects affected is such that it is not feasible to contact all of them immediately, the data controller is enjoined to make a public notification through an easily accessible media outlet.
Post-Incident Management – this relates to measures to handle the fallout from the breach, particularly in relation to addressing the concerns of data subjects. Measures the organisation can take in this regard include:
- Publishing information on a dedicated website to sensitise data subjects to the measures taken to address the breach incident and prevent its recurrence.
- Creating an information help-desk to handle enquiries and complaints from data subjects seeking information beyond what has been published. The information help-desk may be part of the incident response team.
- Reporting the breach to the law enforcement authorities for possible investigation and prosecution of offenders in respect of criminal acts.
- Support systems to provide counselling and advisory services in respect of likely injury to the commercial interests or emotional well-being of data subjects.
Although not expressly prescribed by regulation, initiating a post-incident action plan goes a long way in convincing industry regulators that the organisation is accountable for its information management systems. Equally, taking the foregoing measures would show that the organisation is accountable for its data protection activities and that it appreciates the importance of protecting data subject rights. More importantly, the measures taken to mitigate the damage of a data breach to data subjects are one of the factors the industry regulator would take into consideration if or when it decides to impose administrative monetary penalties for a breach of data security systems [6]. The NDPA expressly provides that the regulator shall, in imposing sanctions for breach of the Act, take into consideration the level of damage and the damage mitigation measures implemented by the organisation. It is thus cost-effective for data processing entities to have a post-incident action plan in place.
Record Keeping – it is an essential element of the investigation process that records of every breach incident be accurately kept. The record must accurately contain details of the breach incident and the personal information involved, as well as details of the remedial actions taken by the organisation upon detecting the breach. The record must be available for inspection by the regulator as a way of ensuring compliance with the requirements of the Act [7].
While there may be no fool-proof measure to prevent a breach of an information management system, an effective incident response plan goes a long way in ensuring compliance with the provisions of the law, as well as protecting the rights of data subjects. Ultimately, the adoption of a sound information management system, including effective data security policies, together with training of relevant stakeholders and employees on their obligations, goes a long way in mitigating the impact of a breach. In addition, a transparent and cooperative attitude, both towards the industry regulator and towards the data subjects affected by the breach, is essential to minimising the impact of a breach. It is only through the adoption of sound practices focused on protecting data subject rights and complying with the law that the culture of data protection can be deepened and the objectives of the Act achieved for the benefit of all.
- [1] Section 65, NDPA 2023.
- [2] Sheldon H. Jacobson, "No company is immune from cyberattacks", The Hill (2023). https://thehill.com/opinion/cybersecurity/4212739-no-company-is-immune-from-cyberattacks/
- [3] See also Paragraph 6.2(C), Nigerian Data Protection Regulation 2019: Implementation Framework 2020.
- [4] Information Commissioner's Office, "Penalty Notice – Marriott International" (October 2020). https://ico.org.uk/media/action-weve-taken/mpns/2618524/marriott-international-inc-mpn-20201030.pdf
- [5] Section 40(2), NDPA 2023.
- [6] Section 48(6), NDPA 2023.
- [7] Section 40(8), NDPA 2023.