One important aim of data protection laws is to prescribe minimum standards for the protection of information obtained from a person (the data subject) by another (the data controller). A data controller is anyone who collects personal data for processing and who determines the purposes for which, and the manner in which, that data is processed. Examples of data controllers include MTN, Access Bank, Flutterwave and Jumia. Anyone whose data is collected for processing is a data subject; for example, all subscribers to MTN's network are data subjects.
The increased reliance on the internet and other technologies for commerce and daily personal activities has brought with it a variety of cybersecurity risks. At the root of most of these attacks is the pursuit of data. According to the Economist, "the world's most valuable resource is no longer oil, but data"[1], and this makes the protection of data a critical subject. It is also getting easier to compromise information systems and harvest data, as attack tooling improves rapidly. There are many recent examples of cyber attacks targeted at the information systems of governments and businesses, the data breach at Tuckers LLP[2] being one prime example. There is, therefore, an urgent need to ensure across-the-board, state-of-the-art security of network systems to guard against possible breaches.
However, is there a legal obligation on data controllers to maintain such secure network systems, both to guard against foreseeable and unforeseeable data breaches and to mitigate possible loss in the event of a breach? And if such an obligation exists, what standard of security is required?
The simple answer to the first question is yes. Article 2.6 of the Nigeria Data Protection Regulation (NDPR) creates this obligation. It requires data controllers, among other things, to implement measures to protect systems from hackers; set up firewalls; store data securely, with access restricted to specific authorised individuals; employ data encryption technologies; and develop an organisational policy for handling personal data. Other laws, such as the Nigerian Communications Commission Act, the Cybercrimes Act and the CBN Regulations and Guidelines, create this obligation to varying degrees.
This legal obligation is met when data controllers diligently ensure that adequate organisational policies are in place to anticipate and guard against possible data breaches. In the event of a breach, the onus is on the data controller to show that there was no negligence in the handling of the collected personal data.
Clearly, prevailing industry standards for network security go well beyond encryption and setting up firewalls. Does the NDPR, or any other law in Nigeria, set a higher standard for network security?
The answer to this question is also yes. For data controllers collecting and processing data for government use, Article 2.6 of the Guideline for the Implementation of the NDPR (within Public Institutions in Nigeria) provides for the implementation of "ISO 27001:2013 or any similar standard". Article 2.3 of the CBN's Guidelines on Operations of Electronic Payment Channels in Nigeria stipulates standards aligned with international best practice (such as PA DSS, PCI PED, Triple DES and EMV); note that Triple DES is being retired by NIST in favour of AES, so that guideline should be read alongside current cryptographic standards. Other stipulations may be found in the CBN's Risk-based Cybersecurity Framework and Guidelines and the relevant NCC Guidelines. For Nigerian data controllers collecting and processing the data of European Union data subjects, Article 32 of the General Data Protection Regulation mandates the implementation of "technical and organisational measures" to ensure a level of security appropriate to the risk, taking into account "the state of the art, the costs of implementation and [...] the risk of varying likelihood and severity for the rights and freedoms of natural persons." (Emphasis mine.)
A breach of Article 32 of the GDPR cost Tuckers LLP a £98,000 fine. Tuckers LLP had failed to implement basic security measures: it had no multi-factor authentication (MFA) for remote access; it left a critical vulnerability unpatched for some four months after being notified of a possible breach that might result from it; and it had not addressed the issues highlighted in a failed Cyber Essentials assessment. These failures enabled a cyber attack on its information systems, resulting in the encryption and permanent loss of 972,191 civil and criminal case files stored on an archive server.
Other examples of global security standards and guidance that Nigerian data controllers can adopt include the ISO 27000 series, the publications of the National Institute of Standards and Technology ("NIST"), the guidance of the National Cyber Security Centre ("NCSC") including its Cyber Essentials scheme, and, for law firms, the requirements of the Solicitors Regulation Authority ("SRA") and the Lexcel standard.
On a final note, it is not only imperative that all data controllers in Nigeria implement data security measures to anticipate and guard against cyber attacks; it is also an obligation imposed by law, the breach of which may attract sanctions from the appropriate regulator. The law also prescribes standards for these security measures, taking into account the growing sophistication and prevalence of attacks. Nigerian businesses and data controllers must therefore ensure they implement the prescribed network security standards, or risk both organisational failure and the wrath of the law.
References
[1] The Economist, "The world's most valuable resource is no longer oil, but data". Available at https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data (accessed 28 March 2022).
[2] DataGuidance, "UK: ICO fines Tuckers Solicitors LLP £98,000 for data breach". Available at https://www.dataguidance.com/news/uk-ico-fines-tuckers-solicitors-llp-%C2%A398000-data-breach (accessed 28 March 2022).