Uche Val Obi, SAN, with Samuel Uzoigwe and Doyin Fadare [1]

Introduction

The Nigeria Data Protection Act 2023 ("the NDPA") imposes several duties and obligations on businesses and organizations (whether a data controller or a data processor). One of these is the obligation to report a personal data breach when the breach meets a certain reporting threshold. The NDPA defines a personal data breach as "a breach of security of a data controller or data processor leading to or likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed." [2] A personal data breach is not synonymous with a security incident. A security incident, in data protection parlance, is an event such as a malware attack or the inadvertence of an employee that potentially puts personal data at risk of unauthorized exposure. [3] A security incident may be neutralized before any damage is caused or any personal data is compromised. Therefore, not all security incidents will lead to a personal data breach; for a security incident to amount to a personal data breach, at least one of the events in the above definition must have occurred. By virtue of the NDPA, not every personal data breach will create a reporting obligation for data controllers and processors. Whether a data breach must be reported depends on a variety of factors, including the business or organization involved.

In view of the intricacies surrounding personal data breach notification obligations, a data controller's or data processor's ability to adequately fulfil this obligation is premised on the existence of adequate procedures and controls to ensure the integrity of the personal data in its custody, to monitor its use and location, and to maintain compliance with the NDPA.

Types of Personal Data Breach

The NDPA does not categorize personal data breaches into types, but, drawing examples from other jurisdictions, a personal data breach under the NDPA can be categorized using the three security principles of confidentiality, integrity and availability of personal data, as well as any combination of these. [4] This categorization helps in better understanding personal data breaches.

Confidentiality Breach

This is where there is an unauthorized or accidental disclosure of, or access to, personal data. [5] An example of this type of personal data breach is where an employee inadvertently sends the personal information of data subjects to unauthorized email recipients. Similarly, where malicious actors, through phishing or any other social engineering technique, gain access to the financial, residential or health records of a data subject, this qualifies as a confidentiality breach.

Integrity Breach

This kind of personal data breach involves the accidental or unauthorized alteration of personal data. An example is where a database containing a patient's critical health information is altered. This may lead to catastrophic consequences for the patient if the altered information is relied on to render medical services to them. Another illustration is where the email address or mobile phone number held for a data subject by a financial institution is altered, causing the data subject to lose the ability to properly secure their account using two-factor authentication.

Availability Breach

This involves the accidental or unlawful destruction of, or loss of access to, personal data. Where personal data stored in the cloud is deleted accidentally or by unauthorized parties, it amounts to a personal data breach. Another example is a significant disruption to the normal service of an organization, for instance a power failure, a denial of service attack, or a ransomware infection, rendering personal data temporarily or permanently unavailable. [6]

A personal data breach can occur in either of the above forms, or a combination of any or all of the above forms.

Identifying Personal Data Breach

Identifying whether a personal data breach has occurred is key to a data controller's or processor's data breach management process and breach notification obligations, as it determines when the data controller or processor becomes "aware" of a personal data breach. Knowledge of a data breach may come instantly to a data controller or processor, or it may take some time and investigation to confirm whether a personal data breach has occurred. The breach may concern personal data held in physical or virtual storage facilities or in any other form of storage.

An apt example [7] is the case where a USB key holding unencrypted personal data is lost. It is often not possible to ascertain whether unauthorized persons gained access to that data, as the USB key might have fallen into a drain or some other place unreachable by actors with malicious intent. In such a case, a controller may not be certain whether unauthorized access to the personal data has taken place, but an availability breach has occurred, and the controller is deemed to be aware of it the moment it has notice of the loss of the USB key. Under the NDPA, the loss of a USB key containing personal data qualifies as a personal data breach.

Identification of personal data breaches is determined on a case-by-case basis and requires an expert understanding of the event, assessed against the applicable regulations. Whatever the case, it is important that an initial inquiry into a suspected breach commences as quickly as possible to determine, with a reasonable degree of assurance, whether a breach has occurred; a more in-depth investigation can then follow. [8]

Navigating Personal Data Breach Incidents

According to an IBM report, the global average cost of a data breach in 2023 was USD 4.45 million, which marks a 15% increase over 3 years. [9] The financial, regulatory and reputational consequences of a personal data breach could significantly hamper the operations and value of a business or organization. These consequences demand that businesses and organizations be adequately prepared at all times to navigate personal data breach incidents so as to mitigate adverse consequences.

Navigating personal data breach incidents in Nigeria starts with the establishment of technical and organizational controls before the processing of personal data begins (not after a data breach) and at regular intervals during processing, following a proper privacy risk assessment. [10] These necessary controls are preventive, detective and remedial in nature. As the names imply, they help to prevent, detect and remediate personal data breaches, if any, so that organizations can return to normal working conditions as efficiently as possible and ensure business continuity. The first step in data breach management is taken at the point of determining the purpose for processing personal data; this also entails understanding the kinds of personal data being processed by an organization and their locations throughout the personal data lifecycle.

Footnotes

1. Uche Val Obi, SAN and Samuel Uzoigwe are Managing Partner and Executive Associate respectively at Alliance Law Firm, Lagos while Doyin Fadare was an Executive Associate at the same firm.

2. Section 65, NDPA.

3. Mahmood Sher-Jan, IAPP, https://iapp.org/news/a/is-it-an-incident-or-a-breach-how-to-tell-and-why-it-matters/ accessed August 15, 2023.

4. Guidelines 9/2022 on personal data breach notification under GDPR, page 8, available at https://edpb.europa.eu/system/files/202304/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf accessed August 15, 2023.

5. Section 65, NDPA.

6. Ibid.

7. Ibid.

8. Ibid.

9. https://www.ibm.com/reports/data-breach

10. Sections 24(1)(f) and 24(2), NDPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.