Executive Summary:
The protection of personal data is one of the guarantees of a progressive and potentially successful digital economy, because data is the fuel that powers the digital economy. Organisations and governments collect and process data to create value, improve efficiency, and solve problems in various sectors of the economy. In the wrong hands, however, data can be weaponised and used for malicious and illegal purposes. The Nigeria Data Protection Act, 2023 (the “Act”) aims to safeguard the privacy and rights of individuals resident in Nigeria whose data is collected, processed, or stored by various entities. The Act also provides remedies for data breaches, which are incidents where personal data is compromised, exposed, or stolen. One of the remedies available under the Act is financial compensation, though awarding it is a discretionary power of the Nigeria Data Protection Commission (the “Commission”).[1] This means that individuals who suffer losses, harm, or injuries due to data breaches can claim money from the responsible parties. However, this is not an automatic right: the Commission has the power to decide whether or not to award you compensation. This article explains how the Commission makes this decision and what factors it considers. It also references the Nigeria Data Protection Regulation 2019 (“NDPR”) and the NDPR Implementation Framework (“Implementation Framework”). The NDPR, along with other related rules, guidelines, and frameworks made by the National Information Technology Development Agency (NITDA), remains valid and effective pursuant to Section 64 of the Act. Finally, the article makes policy recommendations to the Commission.
Understanding Personal Data Breach
Under the Act, a personal data breach occurs when a breach of security by a data controller or data processor leads, or is likely to lead, to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. According to an entry[2] in the US National Vulnerability Database, in 2021 a researcher discovered and disclosed an 8.8-severity data breach involving the personal information of Konga customers in Nigeria. Another outlet[3] reported in 2022 that over 500 e-commerce platforms in Nigeria had been targeted by malicious actors using Magecart, a general term for the crime syndicates that contaminate e-commerce sites with skimmers.[4] Both are examples of personal data breaches.
Seeking Financial Redress for Data Breaches
With data breaches comes the possibility that the accessed data will be used for nefarious activities, including identity theft,[5] spamming,[6] doxing,[7] phishing[8] and blackmail,[9] all of which can cause actual and legal damage. If you are the victim of a data breach, you may be entitled to financial compensation from the responsible parties. Read together, the Act, the NDPR and other subsidiary legislation provide relief to affected persons in the following ways:
The affected person should file a complaint against the data controller or processor with the Commission. See Section 46 of the Act. The person can also bypass the Commission and file a civil action in the High Court. See Section 51 of the Act.
The complaint to the Commission should set out the ways in which the data controller or processor has violated the Act or any subsidiary legislation made under it. Because a breach has occurred, the net should be cast wide. For example, consider:
Whether the data controller or processor has a lawful basis for collecting the data or carrying out the specific processing activities that might have caused the breach. See Section 25 of the Act;
Whether the data controller or processor has appropriate technical measures in place to ensure the security, integrity, and confidentiality of personal data. See Section 29 of the Act;
Whether the data controller or processor files its data protection audit as and when due. Such audit must also comply with the NDPR and the Implementation Framework;[10]
Whether the organisational policies and procedures of the organisation for monitoring and reporting violations of privacy are compatible with industry standards;
Whether the data controller or processor complies with the Act on procedures for cross-border data transfer. See Sections 41, 42 and 43 of the Act; and
Whether a Data Privacy Impact Assessment (“DPIA”) was conducted before the processing of data that resulted in a breach. See Section 28 of the Act. When an organisation plans to undertake a project that requires extensive use of personal data, a DPIA should be carried out to find potential breach points and develop a plan for mitigating those risks. Section 3.2 (viii) of the Implementation Framework also requires organisations to conduct a DPIA on their processes, services, and technology periodically to ensure continuous compliance.
The complaint should detail the emotional and financial costs suffered as a result of the data breach.
The Commission may initiate an investigation if it satisfies itself that the complaint has merit. See Section 46 of the Act.
If the investigation reveals that the data controller or processor violated the Act or any subsidiary legislation, the Commission may, among other things, order the erring data controller or processor to pay compensation to the data subject who has suffered loss, injury, or harm as a result of the violation. This is without prejudice to the power of the Commission to prosecute such data controllers or processors. See Section 48 of the Act.
Conclusion
Given the persistent increase in data breaches and the sophistication of the technology used by malicious actors, there is a need to highlight the potential harm that data breaches cause to individuals. Granted, the Commission is going after errant data controllers and processors. According to Dr. Vincent Olatunji, the National Commissioner of the Commission, in 2023 an undisclosed number of banks and institutions in Nigeria paid over N200 million to the Federal Government as penalties for violating the data privacy of Nigerian citizens. While this is commendable, Nigerians need to know that, beyond the fines, the Act entitles them to financial compensation for their loss. Although this is a discretionary power exercisable by the Commission, it should be exercised more rigorously whenever fault is found on the part of a data controller.
Policy Recommendations:
In light of the escalating threat landscape, the Commission should consider adopting a specific security standard as a minimum technical requirement for data controllers and processors. Alternatively, a review of the security standard prescribed under the Implementation Framework, ISO 27001:2013 (an edition that has since been superseded by ISO/IEC 27001:2022), could provide a more robust foundation. The Commission should also monitor the changing threats to information security systems and adjust the standards accordingly.
The Commission should, by Regulations, require data controllers and processors to obtain cyber insurance. This would mitigate the impact of data breaches on data subjects, data controllers and processors alike by paying for the costs and liabilities associated with data breaches.
[1] See Section 48 of the Act.
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-42192
[3] https://brandnewsday.com/2022/02/16/jumia-konga-customers-in-trouble-as-hackers-now-extract-e-commerce-site-payment-details/
[4] In the physical world, skimmers are tiny, malicious card readers hidden within legitimate card readers that harvest data from every person who swipes their card. Magecart skimmers are the software equivalent: malicious code inserted into an e-commerce site's checkout pages that captures payment details as customers enter them.
[5] The hackers can use the names, email addresses, phone numbers, and order details to impersonate the customers and access their online accounts, such as banking, social media, or e-commerce.
[6] The hackers can use the email addresses and phone numbers to send unsolicited or unwanted messages or calls to the customers, advertising products or services, promoting scams, or spreading propaganda.
[7] The hackers can use the personal information to publicly expose or publish the customers’ identities, locations, or other details, without their consent or knowledge.
[8] The hackers can use the email addresses and phone numbers to send fake messages or calls to the customers, pretending to be a legitimate entity and tricking them into revealing more sensitive information, such as passwords, payment details, or security codes.
[9] The hackers can use the personal information to threaten or extort the customers, demanding money or other favours in exchange for not exposing or misusing their data.
[10] A standard template for the audit report is included in Annexure A of the Implementation Framework (Section 6.6.2 of the Implementation Framework).