Introduction

Data breaches are every organisation's worst nightmare. They involve the breach of security of personal data leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. 2 They do not only result in the loss of the goodwill of an organisation garnered over the years, but they could also have severe financial implications capable of crippling the organisation. Regrettably, no matter how protected and prepared an organisation is against a data breach, there may still be a slim possibility of the occurrence of a breach, especially in this digital age with the proliferation of new technologies. It is interesting to note, that some of the biggest data breach incidents have occurred in some of the biggest multinational companies, irrespective of their data protection practices.3 Consequently, it is advisable for every organisation involved in data processing operations to always stay prepared to manage data breach incidents, set-up systems, plans and procedures for managing data breaches when they occur, since their occurrence is sometimes inevitable.

Steps to take when faced with a Data Breach Incident

1. Carryout an investigation

Any organisation faced with a data breach should immediately embark on an investigation to ascertain the areas where the breach occurred, identify the cause of the breach and the number of data subjects affected by such breach.4 The Data Protection Officer (DPO) within the organisation is expected to record the occurrence of such breach in the Data Breach Management Register of the organisation.5

2. Inform the affected data subjects and relevant authorities

As soon as the preliminary investigations are concluded, the next step to take is to notify the affected data subjects of the occurrence of the breach.6 It is not advisable for an organisation to conceal any relevant information from the affected data subjects, as data breaches have the likelihood of affecting the rights and freedoms of data subjects.7 In Nigeria, data controllers are obligated to self-report personal data breaches to the National Information Technology Development Agency (NITDA) within 72 hours of becoming aware of such breach.8 This timeline is required to be documented in an organisation's data protection and privacy policy. 9

A notification of data breach to NITDA must include the following information:10

  1. a description of the circumstances of the loss or unauthorised access or disclosure;
  2. the date or time period during which the loss or unauthorised access or disclosure occurred;
  3. a description of the personal information involved in the loss or unauthorised access or disclosure;
  4. an assessment of the risk of harm to individuals as a result of the loss or unauthorised access or disclosure;
  5. an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
  6. a description of steps the organization has taken to reduce the risk of harm to individuals;
  7. a description of any steps the organisation has taken to notify individuals of the loss or unauthorized access or disclosure; and
  8. the name and contact information for a person who can answer, on behalf of the organization, the Agency's questions about the loss, unauthorized access or disclosure.

3. Engage a Data Protection Compliance Organisation (DPCO) or an individual with sufficient expertise in managing data breaches

DPCOs are licensed organisations in Nigeria which are knowledgeable in managing data breaches and providing guidance on the data protection compliance requirements required of an organisation involved in data processing.11 They could help an affected organisation conduct a comprehensive audit of their systems and data protection practices, draw up a remedial plan to assist the organisation remediate the identified data breaches.12 In the absence of a DPCO, an organisation could engage the services of an individual with sufficient expertise in managing data breaches and providing advisory on data protection compliances required of an organisation.

4. Commence remedial actions

It is essential for data controllers and processors to immediately kickstart remedial actions to mitigate the effect of the data breach. Remedial actions are not always the same for every organisation, they are tailored to address the unique nature of each data breach. They may involve updating and improving security software, adoption of advanced encryption technologies, embarking on organisational measures to ensure the security of personal data, developing, or updating data protection policies, appointment of a new data protection officer, dismissal of compromised staff members etc.13 In the event that the data breach occurred as a result of the organisation's poor information security system, a vulnerability test should be conducted after the improvement of the security systems and network architecture, to determine the effectiveness of the improved security system and identify any other area requiring improvement.

5. Rebuild goodwill

Rather than dwelling on the unfortunate data breach incident, data controllers or processors can take positive steps towards rebuilding the business's smeared trust and reputation. This can be achieved by multiple ways, some of which include; issuing a public apology to the affected data subjects, including their customers, vendors and relevant third parties; taking responsibility for the lapses in their data protection practices; regularly updating their customers and relevant third parties of their new strategies, practices and policies towards data protection; providing compensation to victims of the data breach; engaging a public relations expert primarily responsible for the management of the organisation's communication on public platforms; providing incentives to new customers with the aim of showing them the organisation's improved data protection practices etc.

Conclusion

In today's data driven world, data breaches have the capability of affecting millions of data subjects at the same time.14 Beyond affecting the victims of a data breach, they are also capable of affecting the brand reputation and liquidity of a business. Regardless of how careful a data processor or controller may be, a data breach could still occur in their organisation. However, upon the occurrence of a data breach, the modality of managing the breach will determine how well the business recovers from the incident. The 5 steps identified above provides data controllers and processors with some guidance on how to manage data breach incidents. If they require more guidance on any of the identified steps, they should engage the services of a DPCO or an individual with sufficient expertise and knowledge in managing data breaches and data protection compliance requirements under the relevant data protection law(s) or regulation(s).

Footnotes

1 Sandra Eke, Associate Intellectual Property & Technology Department, SPA Ajibade & Co., Lagos, Nigeria.

2 Art. 1.3(xxii) Nigeria Data Protection Regulation (NDPR) 2019.

3 In August 2013, Yahoo experienced a data breach that affected the accounts of over 3 billion data subjects; in February 2019, Facebook encountered a data breach that affected about 533 million users, in November 2019, Alibaba, encountered a data breach that affected about 1.1 billion user data; in June 2021, LinkedIn experienced a data breach that affected about 700 million users. Read further on this by visiting this website: CSO, "The 15 biggest data breaches of the 21st century" available at: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html accessed 20 December 2021.

4 See Para. 9.3 NDPR Implementation Framework.

5 Such Register should contain details of security incidents and attempted compromise of the information security system of the data controller.

6Ibid.

7 See Para. 9.4 NDPR Implementation Framework.

8 See Para. 3.2(ix) and Para. 9.2 NDPR Implementation Framework.

9Ibid.

10 See Para. 9.3 NDPR Implementation Framework.

11 See Para. 6.5 NDPR Implementation Framework.

12 Ibid.

13 Clario, "What You Should Do After A Data Breach" available at: https://clario.co/blog/what-to-do-after-data-breach/ accessed 20th December 2021.

14 Supra note 2.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.