Author: Margaret Ogbonnah
Introduction
A data breach is an accidental or unlawful incident that exposes confidential or protected information, resulting in the loss or theft of customers’ bank account or credit card details, personal health information, passwords or email.
Data breaches are every organization’s worst nightmare. They do not only result in the loss of goodwill of an organization garnered over the years, but they could also have severe financial implications capable of crippling the organization.
Regrettably, no matter how protected and prepared an organization is against a data breach, there may still be a slim possibility of a breach occurring, especially in this digital age with the proliferation of new technologies. It is interesting to note that some of the biggest data breach incidents have occurred in some of the biggest multinational companies, irrespective of their data protection practices. Consequently, it is advisable for every organization involved in data processing operations to always stay prepared to manage data breach incidents and to set up systems, plans or procedures for managing data breaches when they occur, since their occurrence is sometimes inevitable. The essence of this article is to briefly discuss the effective ways in which an organization can manage a data breach.
Reactive Measures for Managing Data Breach Incidents by Organizations
1. Carry out an Investigation
Any organization faced with a data breach should immediately embark on an investigation to ascertain the areas where the breach occurred, identify the cause of the breach and the number of data subjects affected by such breach. The Data Protection Officer (DPO) within the organization is expected to record the occurrence of such breach in the Data Breach Management Register of the organization.
2. Inform The Affected Data Subjects And Relevant Authorities
As soon as the preliminary investigations are concluded, the next reactive measure to implement is to notify the affected data subjects of the occurrence of the breach. It is pertinent to state that it is not advisable for an organization to conceal any relevant information from the affected data subjects, as data breaches have the likelihood of affecting the rights and freedoms of data subjects.
In Nigeria, according to section 40 sub (2) of the Data Protection Act 2023, data controllers are obligated to self-report personal data breaches to the National Information Technology Development Agency (NITDA) within 72 hours of becoming aware of such breach. This timeline is required to be documented in the organization’s data protection and privacy policy.
Moreover, according to section 40 sub (1) to (4) of the Data Protection Act 2023, notification of a data breach to NITDA must include the following information:
➢ a description of the circumstances of the loss or unauthorized access or disclosure;
➢ the date or time period during which the loss or unauthorized access or disclosure occurred;
➢ a description of the personal information involved in the loss or unauthorized access or disclosure;
➢ an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
➢ an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
➢ a description of measures the organization has taken to reduce the risk of harm to individuals;
➢ a description of any measures the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
➢ the name and contact information for a person who can answer, on behalf of the organization, the Agency’s questions about the loss, unauthorized access or disclosure.
3. Engage a Data Protection Compliance Organization (DPCO) or an Individual with Sufficient Expertise in Managing Data Breaches
DPCOs are licensed organizations in Nigeria which are knowledgeable in managing data breaches and providing guidance on the data protection compliance requirements expected of an organization involved in data processing. They could help an affected organization conduct a comprehensive audit of its systems and data protection practices, and draw up a remedial plan to assist the organization in remediating the identified data breaches. In the absence of a DPCO, an organization could engage the services of an individual with sufficient expertise in managing data breaches and advising on the data protection compliance requirements expected of an organization.
4. Commence Remedial Actions
It is essential for data controllers and processors to immediately kick-start remedial actions to mitigate the effect of the data breach. Remedial actions are not always the same for every organization; they are tailored to address the unique nature of each data breach. They may involve updating and improving security software, adopting advanced encryption technologies, embarking on organizational measures to ensure the security of personal data, developing or updating data protection policies, appointing a new data protection officer, dismissing compromised staff members, etc.
In the event that the data breach occurred as a result of the organization’s poor information security system, a vulnerability test should be conducted after the security systems and network architecture have been improved, to determine the effectiveness of the improved security system and identify any other area requiring improvement.
5. Rebuild Goodwill
Rather than dwelling on the unfortunate data breach incident, data controllers or processors can take positive steps towards rebuilding the business’s smeared trust and reputation. This can be achieved in multiple ways, some of which include: issuing a public apology to the affected data subjects, including their customers, vendors and relevant third parties; taking responsibility for the lapses in their data protection practices; regularly updating their customers and relevant third parties on their new strategies, practices and policies towards data protection; providing compensation to victims of the data breach; engaging a public relations expert primarily responsible for managing the organization’s communication on public platforms; providing incentives to new customers with the aim of showing them the organization’s improved data protection practices, etc.
Conclusion
In today’s data-driven world, data breaches have the capability of affecting millions of data subjects at the same time. Beyond affecting the victims of a data breach, they are also capable of affecting the brand reputation and liquidity of a business. Regardless of how careful a data processor or controller may be, a data breach could still occur in their organization. However, upon the occurrence of a data breach, the manner in which the breach is managed will determine how well the business recovers from the incident. The five (5) steps identified above provide data controllers and processors with some guidance on how to manage data breach incidents.
However, if they require more guidance on any of the identified steps, they should engage the services of a DPCO or an individual with sufficient expertise and knowledge in managing data breaches and data protection compliance requirements under the relevant data protection law(s) or regulation(s).
References
1. Section 40 (2) of Data Protection Act, 2023.
2. Section 40 sub (1) to (4) of Data Protection Act, 2023.
3. https://www.mondaq.com/nigeria/privacy-protection/1159070/5-stepsto-take-when-faced-with-a-data-breach-incident.
4. https://www.bing.com/search?q=how+to+handle+data+breach+in+nigeria&cvid=dc9819ae27dc42c3936d8a5e55ea82d0&aqs=edge..69i57j0l8.14683j0j1&pglt=41&FORM=ANNTA1&PC=WSEDDB&ntref=1.
5. Understanding Nigerian Data Protection Compliance Requirements And Managing Breach – Data Protection – Nigeria (mondaq.com).
6. Challenges of Data protection and compliance in Nigeria (linkedin.com).
7. Alleged data breach: NDPB investigates two Nigerian banks – Nigeria.