By Ataguba Solomon Aboje, Esq, FIP, AIGP, CIPM, CIPP/E, CIPP/US, CC

The Nigerian Bar Association has replaced its secure digital seal system with a cloud-based platform that violates basic data protection principles and places lawyers at immediate risk of breaching professional confidentiality obligations. As a data protection specialist with certifications including Fellow of Information Privacy (FIP) and having completed comprehensive analysis of the Nigeria Data Protection Act 2023, I write to warn colleagues about critical security and compliance failures that make this platform unsuitable for processing confidential legal documents.

The Fundamental Architectural Flaw

The previous NBA digital seal system operated via a Microsoft Word plugin that processed documents locally on lawyers’ own computers. Documents never left the lawyer’s device. No upload to external servers occurred. No third-party access was created. This architecture respected the fundamental principle of maintaining custody and control over confidential client information.

The new system at https://digitalseal.nigerianbar.online operates entirely differently. Lawyers must now upload PDF documents to external servers controlled by third parties for remote seal application. This architectural change introduces multiple points where confidentiality may be compromised and personal data accessed by unauthorised parties.

From a data protection perspective, uploading a client’s sealed affidavit containing financial information, medical records, or business dealings to this platform means transferring custody of that personal data to unknown third parties under unknown security conditions. This is precisely what data protection law is designed to prevent.

Critical Security Failure: Universal Default Password

The NBA’s official communication to every lawyer states: “Your Default Password is: *****”. A universal default password!!! This represents a catastrophic security breach. Every lawyer who received this message, and anyone who intercepts or is forwarded this communication, now possesses credentials to access any NBA member’s account until that individual changes their password.

During the window between system launch and individual password changes, any person with this information can potentially log into any lawyer’s account, view their dashboard, and possibly upload fraudulent documents in that lawyer’s name. If documents remain on servers after sealing, unauthorised access could extend to viewing those documents.

This violates the fundamental principle of security by design under Section 24 NDPA 2023. Proper security architecture requires unique initial passwords for each user, mandatory password changes on first login, or secure password reset mechanisms using verified contact information. Broadcasting a universal default password is professionally indefensible.
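
One way to implement the unique-initial-password and mandatory-change-on-first-login controls described above, as an added example (not the NBA platform's code). The function names, the in-memory user store and the 72-hour validity window are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

INITIAL_TTL = 72 * 3600   # assumption: initial credential valid for 72 hours
MIN_LENGTH = 16           # minimum length the article recommends
ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def provision(users: dict, member_id: str, now: float) -> str:
    """Create an account with its own random initial password.

    The return value is sent only to that member's verified contact."""
    initial = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    users[member_id] = {"salt": salt, "hash": _digest(initial, salt),
                        "must_change": True, "expires": now + INITIAL_TTL}
    return initial


def login(users: dict, member_id: str, password: str, now: float) -> str:
    rec = users.get(member_id)
    if rec is None:
        return "denied"
    if not hmac.compare_digest(rec["hash"], _digest(password, rec["salt"])):
        return "denied"
    if rec["must_change"]:
        # An initial password never opens a session; it only permits a change.
        return "expired" if now > rec["expires"] else "change_required"
    return "ok"


def change_password(users, member_id, old, new, now) -> bool:
    if login(users, member_id, old, now) not in ("ok", "change_required"):
        return False
    rec = users[member_id]
    if len(new) < MIN_LENGTH or hmac.compare_digest(old.encode(), new.encode()):
        return False          # too short, or the old password reused
    salt = secrets.token_bytes(16)
    rec.update(salt=salt, hash=_digest(new, salt), must_change=False)
    return True
```

With this design a credential leaked from one member's message opens no other account, and an unused initial password stops working once its window closes.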

Single-Factor Authentication Is Inadequate

The platform employs only Supreme Court Number and password for authentication—no multi-factor authentication despite handling confidential legal documents. Modern security standards codified in ISO 27001, NIST Cybersecurity Framework, and GDPR technical requirements universally require multi-factor authentication for systems processing sensitive information.

Section 24(2) NDPA 2023 requires data controllers to implement security measures “having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.” Single-factor authentication for confidential legal documents demonstrably falls below “the state of the art” in 2026.

Complete Absence of Data Protection Transparency

There is no privacy notice—the most basic data protection compliance requirement. Section 22 NDPA 2023 mandates that data controllers provide clear information about data processing. The NBA has provided none.

The communication contains zero information about:

  • Encryption: Whether documents are encrypted during transmission or storage, what standards are used, or how encryption keys are managed
  • Data Location: Whether servers are in Nigeria, offshore, or distributed across multiple jurisdictions
  • Access Controls: Who can access uploaded documents—platform administrators, hosting providers, IT contractors
  • Data Retention: How long documents remain on servers after sealing
  • Secure Deletion: Whether documents are permanently deleted after processing or retained indefinitely
  • Cross-Border Transfers: Whether data leaves Nigeria, violating Section 43 NDPA 2023 restrictions
  • Data Processing Agreements: The contractual framework governing processor obligations under Section 36 NDPA 2023
  • Security Measures: Technical and organisational safeguards protecting uploaded data
  • Breach Procedures: What happens if the platform is compromised
  • Data Subject Rights: How lawyers or their clients can exercise rights of access, rectification, or erasure

Without this information, lawyers cannot conduct the data protection impact assessment required under Section 31 NDPA 2023, cannot discharge obligations to implement appropriate security measures under Section 24, cannot provide clients with required privacy information under Section 23, and cannot legitimately transfer data to a processor whose security they have not verified.

Lawyers’ Obligations as Data Controllers

Many lawyers may not appreciate that when processing client personal data, they are data controllers with direct obligations under NDPA 2023. The NBA is not processing this data on your behalf in a manner that transfers your compliance obligations. You remain the data controller responsible for lawful processing.

Section 24(1) requires data controllers to “implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to data.” Before using this platform, every lawyer must ask: can I demonstrate that uploading my client’s personal data to this platform constitutes “appropriate technical and organisational measures”?

If the Nigeria Data Protection Commission investigates a breach, they will ask: did you review the platform’s security audit? Did you verify encryption standards? Did you execute a data processing agreement? Did you conduct a data protection impact assessment? Did you verify data location and retention policies?

Without affirmative answers, you have failed to discharge your obligations as data controller. Section 65 NDPA 2023 provides maximum penalties of 2% of annual gross revenue or ₦10 million (whichever is higher) for security violations. Beyond regulatory sanctions, you face potential civil liability if a client suffers loss due to compromise of their personal data.

Breach of Professional Confidentiality

Beyond statutory data protection requirements, solicitors owe fundamental confidentiality duties under Rule 19 of the Rules of Professional Conduct 2023. These duties exist independently of data protection law.

Rule 19 prohibits disclosing information obtained in the professional relationship unless required by law or with client consent. Uploading confidential documents to third-party platforms where unknown persons may access them constitutes disclosure unless clients have given informed consent to this specific processing.

How many lawyers have explained to clients: “To apply my digital seal, I need to upload your affidavit to servers operated by third parties, stored in unknown locations, under unspecified security conditions”? Without such disclosure and informed consent, uploading the document breaches Rule 19.

If inadequate platform security leads to a data breach exposing client information, the lawyer has violated professional duties even though the breach resulted from the platform operator’s failure rather than the lawyer’s direct action. The defence “but the NBA told me to use it” will not absolve you of independent professional obligations before the Legal Practitioners Disciplinary Committee.

The Contractual Injustice

Beyond security failures affecting all users, the NBA has locked out lawyers who purchased seals under the previous plugin-based system—without refunds, credits, or transitional arrangements. These lawyers paid for seals with specific security characteristics: local processing, no cloud upload, no third-party access.

By discontinuing that system and denying access to purchased seals, the NBA has committed fundamental breach of contract. This is equivalent to purchasing a safe and being told you can only access contents if you first send them to a third party for processing.

Affected lawyers are entitled to rescind contracts and demand full refunds of all monies paid for unused seals, plus damages for time, expense, and losses flowing from inability to seal documents during the transition. The absence of any transitional provisions demonstrates regulatory inadequacy inexcusable from a professional body.

What Lawyers Must Do Immediately

  1. Do Not Upload Confidential Documents

Until comprehensive security assurances are obtained and independently verified, do not upload documents containing client personal data, privileged communications, confidential business information, or sensitive personal information. In practical terms, this means do not use this platform for virtually any legal document requiring a seal.

  2. Change Your Password Now

If you accessed the platform, immediately change to a strong unique password of at least 16 characters using a password manager. Do not reuse passwords from other systems.

  3. Demand Security Documentation

Send formal written requests to the NBA President, General Secretary, and NBA-ICT Committee demanding:

  • Independent security audit reports
  • Data protection impact assessment
  • Encryption standards and key management details
  • Access control policies
  • Data retention and deletion policies
  • Server location and cross-border transfer compliance
  • Data processing agreements
  • ISO 27001 or equivalent certification
  • Privacy notice complying with Section 22 NDPA 2023

Make clear that without this documentation you cannot discharge your obligations as a data controller and cannot lawfully use the platform.

  4. Use Alternative Authentication Methods

Traditional physical seals remain valid and provide superior security. Scanned physical seals create digital representations without third-party platform risks.

  5. For Those Locked Out: Demand Refund

Send formal demand letters within 14 days requiring either restoration of access to the Microsoft Word plugin system or full refund of all monies paid for unused seals plus interest. Make clear you consider the NBA in fundamental breach of contract and reserve all legal rights including proceedings for breach of contract.

Consider coordinating with other affected lawyers for collective action.

  6. Lodge NDPC Complaints

File formal complaints with the Nigeria Data Protection Commission regarding the platform’s security deficiencies, absence of required privacy notice, lack of data processing agreements, violations of Section 24 security requirements, and requiring lawyers to use an inadequately secured platform for client personal data.

Under Section 37 NDPA 2023, any person may lodge complaints. The Commission has authority to investigate and take enforcement action including compliance notices, administrative fines, and suspension orders.

The NBA Must Be Held Accountable

These are not minor technical imperfections. They are fundamental failures of security architecture, data protection compliance, and respect for lawyers’ contractual rights and professional obligations.

The NBA must immediately:

  • Implement mandatory password resets with unique credentials
  • Deploy multi-factor authentication as mandatory
  • Publish comprehensive privacy notice complying with Section 22 NDPA 2023
  • Execute data processing agreements with all platform operators
  • Conduct and publish independent security audit
  • Obtain ISO 27001 or equivalent certification
  • Conduct and publish data protection impact assessment
  • Provide full refunds or restored access for lawyers locked out from purchased seals
  • Establish transparent incident response procedures
  • Consult members before implementing system changes affecting professional obligations

Until these deficiencies are addressed, this platform does not meet the security and compliance standards required for processing confidential legal documents containing personal data.

Professional Standards Must Prevail

Lawyers cannot be compelled to breach their professional obligations. Our statutory duties under NDPA 2023 and professional duties under the Rules of Professional Conduct supersede any NBA administrative directive to use a particular platform.

It is unreasonable to require lawyers to use a system with identified security deficiencies when a secure alternative previously existed. Any sanction for refusing to use an insecure system would be disproportionate when balanced against legitimate confidentiality concerns.

Our primary obligation is to our clients—not to regulatory convenience. Until the NBA demonstrates that this platform meets the security and compliance standards our obligations require, we must decline to use it.

The Nigeria Data Protection Commission should investigate this platform’s compliance with NDPA 2023. The Nigerian legal profession must demand accountability and refuse to compromise client confidentiality for administrative convenience.

Our professional duties and our clients’ interests must come first.

Ataguba Solomon Aboje is a solicitor qualified in England & Wales, Ireland, and Nigeria, specialising in data protection and privacy law. He holds certifications including Fellow of Information Privacy (FIP), AIGP, CIPM, CIPP/E, CIPP/US, and CC, and has authored comprehensive analysis of Nigerian data protection law including the NDPA 2023.

The views expressed are those of the author based on professional analysis of data protection law and cybersecurity principles. Lawyers should seek independent legal advice regarding their specific circumstances.
