The Cyber-Attack at Bet9ja: The Importance of Data Security and Why Data Subjects Should Always be Notified of Personal Data Breaches
By: Chukwuyere Ebere Izuogu
On 6 April 2022, Bet9ja, a sports-betting platform, suffered a cyber-attack that rendered the platform inaccessible to users. As a result, users were unable to access their accounts and/or place bets on the platform. Because the attack cut users off from the personal data held in their accounts, it is not only a security incident but also a personal data breach, which requires notification to the National Information Technology Development Agency (NITDA) in accordance with the Nigeria Data Protection Regulations 2019: Implementation Framework (Implementation Framework) issued by NITDA.
Although Bet9ja took prompt remedial action to address the cyber-attack and restore users' access to the platform, the Nigeria Data Protection Bureau (NDPB), a newly created data protection authority (DPA) in Nigeria, released a statement on 9 June 2022 that it had commenced an investigation into reports of a data breach resulting from this cyber-attack. As at the time of writing, the status of that investigation is not clear.
In this article, I explain the importance of data security measures and why a data subject should always be notified of personal data breaches.
What is a personal data breach?
A personal data breach is defined in art. 1.3 xxii of the Nigerian Data Protection Regulations 2019 (NDPR) issued by NITDA as a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. In the case of Bet9ja, users were unable to access their accounts as a result of a cyber-attack, specifically a denial-of-service attack, which rendered the personal data contained in users’ accounts unavailable to them. This is an availability breach: it resulted in the loss of access to personal data contained in users’ accounts and processed through the platform. Availability, as one of the three classic security properties alongside confidentiality and integrity, is defined in ISO/IEC 27000 as the property of being accessible and usable on demand by an authorised entity; loss of access by authorised users is therefore itself a loss of availability, and the definition of a breach above expressly includes ‘loss’ of personal data. It is also irrelevant that the loss of availability lasted for only a temporary period, as was the case here: a breach has occurred even if access is subsequently restored.
According to the NDPR, Bet9ja is a data controller, which is an organisation that ‘determines the purposes for and the manner in which personal data is processed or is to be processed’. Data controllers are obligated by the NDPR (art. 2.6) to apply data security measures that guarantee the protection of the personal data they process or intend to process. Article 2.6 of the NDPR lists such measures as including (but not limited to) protecting data processing systems from hackers, setting up firewalls, storing data securely with access limited to specific authorised individuals, employing data encryption technologies, developing an organisational policy for handling personal data (and other sensitive or confidential data), protecting e-mail systems and continuous capacity building for staff. Clearly, data controllers are to consider both technical and organisational measures in order to comply with their data security obligation. Although the provision does not say what level of data security is required for the obligation to be met, consideration should be given to measures that preserve, on an ongoing basis, the confidentiality, integrity and availability of personal data, and to the ability to take remedial action in the event of a cyber-attack or any other cyber security incident. In the Bet9ja case the measure that would have mattered most is the availability side: capacity to absorb or filter a denial-of-service attack and a tested plan to restore service.
As to what level of data security is appropriate, it is pertinent to note that the Nigerian National Cybersecurity Framework (the Cybersecurity Framework), a non-binding outline of best practices issued by NITDA, recommends that this depends on the risk assessment conducted by the organisation. A pertinent feature of this risk assessment is identifying potential threats and vulnerabilities and implementing the applicable controls to mitigate information and cyber security risks. The Cybersecurity Framework even recommends standards such as ISO/IEC 27002:2013 and COBIT® Management Objectives as sources of appropriate security controls. This recommended practice appears to be the same as the risk-based approach to assessing cybersecurity risks under the General Data Protection Regulation (GDPR) applicable in the European Union. In the context of data processing, this risk assessment would consider the nature of the data to be processed and the foreseeable threats to that data and/or to the processing operation arising from organisational and technical vulnerabilities. The higher the threat rating, the more sophisticated the controls that should apply to the processing operation; conversely, less sensitive personal data would require less sophisticated controls.
Why data breaches should always be notified to the data subject
A data subject, according to art. 1.3 xiv of the NDPR, is ‘an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’; thus the identification number or factor(s) that enable a person to be identifiable or identified constitute personal data. The NDPR itself does not expressly provide that a breach should be notified to the data subject; under the Implementation Framework, notification is required only ‘where the personal data breach will likely result in high risks to the freedoms and rights of the data subject’. No doubt, a determination in this regard would depend on an objective assessment of the consequences of the data breach, done on a case-by-case basis. Nonetheless, this article argues that because the obligation to notify can be said to flow directly from the duty of care a data controller owes to the data subject pursuant to art. 2.1 (2) of the NDPR, notification should be made in every circumstance where a data breach occurs, irrespective of whether it poses a high risk to the freedoms and rights of the data subject.
Under Nigerian tort law, a duty of care is a cardinal element that must be established to sustain an action for negligence. According to the court in PW (Nig.) Ltd. v. Mansel Motors Ltd & Anor. (2017) LPELR-43390 (CA), a duty of care arises
whenever a person is by circumstances placed in such a position with regard to another that everyone of ordinary sense who did think would at once recognize that if he did not use ordinary care and skill in his own conduct with regard to those circumstances he would cause danger or injury to the person or property of the other, a duty arises to use ordinary care and skill to avoid such danger…
This duty of ordinary care and skill, in the context of ensuring that personal data is processed in a secure manner, requires the data controller to apply the appropriate data security measures after taking into consideration the outcome of the risk assessment conducted. A failure to take reasonable steps to apply the appropriate level of data security is itself a weakness that can be exploited to carry out a cyber-attack. If a personal data breach results from such an attack, it can be argued to be a breach of this duty of care and potentially creates liability for the data controller under tort law. This duty of care, read in conjunction with the data security obligation, is not an absolute one, however: a data controller can still suffer a data breach without being in violation of the NDPR, because even the appropriate level of data security cannot provide total protection against personal data breaches. What the controller must be able to show is that the measures it applied were proportionate to the risks it had assessed.
Notification to data subjects under the GDPR (art. 34) is required where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals; otherwise the need to notify does not arise. This is also the position under the Implementation Framework. But, having regard to the duty of care imposed on the data controller by the NDPR, a data breach can also be considered a case of negligence where it is established that the data controller failed to comply with its data security obligation under art. 2.6 of the NDPR. In this regard, notifying data subjects in every case where a data breach occurs serves two benefits. Firstly, data subjects who receive a breach notification can quickly take steps to mitigate any adverse effect of the breach on them, for example by changing credentials or monitoring their accounts. Secondly, where the data controller is found to have been negligent as a result of inadequate data security measures, its prompt notification of data subjects can count in mitigation when the regulator is considering imposing a fine for that failure.
The foregoing highlights the importance of applying the appropriate data security measures in order to avoid liability under the NDPR. The importance of security measures in data processing operations can be seen in Marlene Saemann et al., ‘Investigating GDPR Fines in the Light of Data Flows’, a study of GDPR fines since 2018, which noted that data breaches were the most common cause of an investigation that led to a fine by a DPA. Without a doubt, data security programmes are an important part of the regulatory compliance strategy for data controllers and processors, and responsibility for them should cascade down from management to all staff of the organisation, including data protection practitioners, lawyers and cybersecurity professionals. A successful data security programme should thus protect all facets of organisational management, including the financial, operational, reputational and legal aspects. Lastly, data security is a consideration of all the foreseeable risks that can arise from a data processing operation and, to be successful, it must be preventive and proactive, must have a proper incident detection and response plan, and must be remedial in nature. The combination of these elements underlines the importance of notifying data subjects in every circumstance of a data breach, irrespective of the risk threshold.
Chukwuyere Ebere Izuogu, LL.M (Hannover), CIPP/E, is the head of the Telecoms, Media and Technology (TMT) practice at Streamsowers & Köhn and a Senior Research Fellow at the African Academic Network on Internet Policy.