By Patrick Herbert

Data has repeatedly been declared the new oil.

This statement by itself is an admission that there are striking similarities between data and oil, not just in importance, but in the risks that their improper handling poses to the human ecosystem.

A data breach, therefore, poses as much a hazard to society as an oil spillage.

But unlike an oil spillage that threatens the natural and marine ecosystem, a data breach or spillage harms the very people whose data has been breached by impinging on their privacy rights.

Bruce Schneier, the security technologist, was perhaps referring to this hazard posed by potential data breaches when he made the bold statement that “data is the pollution problem of the information age, and protecting privacy is the environmental challenge.”

The Nigeria Data Protection Act 2023 (hereinafter referred to as the “NDPA”) in its interpretation section defines a personal data breach as a breach of security of a data controller or data processor leading to or likely to lead to the accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

What is obvious from the NDPA’s definition of a personal data breach is that a data breach can be intentional or unintentional.

A personal data breach can therefore occur in a variety of ways, whether deliberate or accidental.

Some examples of personal data breaches include the following:

  • Loss or theft of unencrypted devices containing personal data (e.g., laptop, mobile phones, tablet devices, USB sticks or paper records)
  • A cyberattack leading to access by an unauthorized third party or unlawful disclosure, alteration, or deletion of personal data
  • Sending or emailing personal data to the wrong recipient in error
  • Alteration of personal data without permission
  • Loss of availability of personal data
  • Data input error/human error
  • Non-secure disposal of hardware or paperwork containing personal data

In today’s evolving security landscape, the most likely threat to the security of personal data is a cyberattack.

Cybercriminals often target organizations holding valuable data via cyberspace with malicious attacks such as malware, ransomware, phishing, spoofing, code injection and identity-based attacks, amongst others.

These malicious activities are aimed at disrupting, disabling, destroying, maliciously controlling a computing environment, or destroying the integrity of data or stealing information being held by a data controller or processor.

The impact of a cyberattack on an organization in control of personal data can be far-reaching.

Such attacks can result in a severe data breach, which could lead to heavy fines on the affected controllers or processors from data protection regulators such as the Nigeria Data Protection Commission.

They can ruin a controller or processor’s reputation with data subjects who may have been loyal customers.

And in many cases, they can also cost the controller or processor financially.

This is particularly so for controllers and processors within the financial services sector, as such attacks can affect the financial stability of the entities concerned, sometimes leading to a credit-rating downgrade, according to a recent Harvard Business Review report.

A report by IBM states that the cost of a data breach averaged $4.35 million in 2022.

In Nigeria, a report by the Punch Newspaper states that commercial banks lost to the tune of N15 billion (at the time about $32.36m) to electronic fraud and cybercrime.

Furthermore, a recent study by Surfshark, an Amsterdam-based cybersecurity firm, revealed that Nigeria was the 32nd most breached country in the first quarter of 2023. The report further stated that Nigeria had 82,000 leaked accounts from January to March 2023.

Given this ever-increasing cyber threat landscape, data controllers and processors cannot take the likelihood of a cyberattack on their data centers lightly.

Besides data breaches arising from cyberattacks, other potential data breaches can originate from within a data controller or processor itself: employees who have access to such data could disclose it through carelessness, inadvertence, a lapse of judgment, or by falling prey to social engineering attacks.

To forestall the risks of personal data breaches, data protection regulations around the world have imposed strict obligations on controllers and processors to secure such data through technical and organizational measures.

While data controllers and processors have sought compliance with their regulatory obligations by implementing measures to secure personal data stored by them, the reality is that privacy-related incidents can sometimes still occur regardless of the safeguards in place.

This reality has led to many data protection regulations requiring data controllers and processors to notify the regulatory authorities of the occurrence of serious data breaches that threaten the rights and freedom of data subjects while also taking remedial action to mitigate their effects.

For example, section 67(1) of the U.K. Data Protection Act 2018 requires a data controller that becomes aware of a personal data breach in relation to personal data for which it is responsible to notify the Commissioner within 72 hours of becoming aware of it.

The obligation to notify the Commissioner under the above provision is not applicable where the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

Furthermore, section 67(4) of the U.K. Data Protection Act outlines the contents of the notification to be sent to the authority, which include:

  1. a description of the nature of the personal data breach, including the categories and number of data subjects and categories of data records affected
  2. the name and contact details of the DPO
  3. a description of the likely consequences of the personal data breach
  4. a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including measures to mitigate its possible adverse effects.

Similarly, the European Union General Data Protection Regulation 2018 (GDPR) contains provisions that are a replica of section 67 of the UK Data Protection Act.

This can be found in Article 33 of the GDPR.

The GDPR, however, imposes an additional obligation on controllers, requiring them to document any personal data breaches, their effects and the remedial action taken, so as to enable the supervisory authority to verify compliance with that Article.

Under the NDPA, data controllers have similar data breach notification obligations.

Section 40(2) of the NDPA mandates data controllers to notify the Commission within 72 hours of becoming aware of a breach where a personal data breach is likely to result in a high risk to the rights and freedom of a data subject.

Sections 40(2) and (4) of the Act list the contents of the notification to be sent to the Commission in the event of a breach, as follows:

  1. a description of the nature of the personal data breach
  2. the categories and approximate numbers of data subjects and personal data records concerned
  3. the name and contact details of a point of contact of the data controller
  4. a description of the likely consequences of the personal data breach and of the measures taken or proposed to be taken to address it, including measures to mitigate its possible adverse effects.

In addition to notifying the Commission in the event of a data breach likely to result in a risk to the rights and freedom of individuals, a data controller under the Act is further required to notify the affected data subjects of the data breach in clear and plain language, including advice about measures the data subject could take to mitigate the breach.

Where, however, such direct communication with the data subject is not possible or would involve disproportionate effort or expense, the Act allows a data controller to make a public announcement in one or more widely used media sources where the data subject is likely to be informed.

While the NDPA has followed the example of the GDPR and the U.K. Data Protection Act by imposing stringent reporting requirements on data controllers and processors in the event of a serious data breach, the Act does not state what technical and organizational measures are to be taken by data controllers to mitigate a confirmed data breach.

These mitigation or remedial measures are a blank cheque left to the controllers to fill out.

However, in the event of a data breach, there is an expectation that a data controller or processor would take remedial action to blunt the impact of the breach within the 72 hours after the controller learns of it, prior to notifying the Commission.

To protect the privacy of data subjects and minimize the risks from personal data breaches, data controllers and processors in practice develop incident response plans stating detailed steps to be followed by staff when a data breach incident occurs.

In addition to implementing an incident response plan, data controllers and processors may decide to set up an in-house dedicated computer security incident response team (known as a CSIRT), normally composed of a data protection officer and a group of IT experts.

The CSIRT team will normally be tasked with the responsibility of implementing the incident response plan in the event of a data breach as well as protecting data management infrastructure, detecting and resolving any computer, network, or cybersecurity incidents.

In addition to responding to data breaches they may be required to implement the principles of data protection by design and by default in order to protect the confidentiality, integrity and availability of personal data (known as the CIA triad in cybersecurity).

Smaller and less buoyant data controllers and processors may see the establishment of a CSIRT team as a luxury they cannot afford and may elect instead to outsource the risk and complexity of addressing a data breach incident to a willing third-party service provider, and in some cases to a data protection organization that can deal with the fallout from a data breach incident.

But whatever the data controller or processor’s approach to dealing with a data breach, it is critical they operationalize a data breach incident response plan to guide them through the data breach life cycle.

To achieve this, a data controller or processor could choose to adopt any of a wide range of data breach incident response frameworks and standards.

These frameworks and standards detail a set of steps to be taken once a data breach has been reported and include procedures for incident reporting, breach impact assessment and breach notification to affected data subjects and data protection regulatory bodies.

One of the most widely used incident response standards is the Computer Security Incident Handling Guide published by the National Institute of Standards and Technology (NIST), a U.S. government organization involved in developing cybersecurity standards for many industries.

Although the standard was originally designed to address risks from cybersecurity attacks, it can also be adapted for other forms of data breaches.

NIST lists four phases of an incident response plan, which for ease of understanding can be further broken down into six.

The phases are as follows:

  1. Preparation

This first phase of the incident response plan requires the data controller or processor to be proactive rather than reactive in managing and minimizing risks from potential data breach incidents.

It aligns with the popular mantra that prevention is better than cure.

Preparation demands that a data controller or processor develops a privacy incident response plan before a data breach incident, including procedures and measures to be followed in such an event rather than hoping to “play it by ear” in the heat of an incident.

It ensures a data controller or processor is prepared for the occurrence of a data breach and that it puts measures in place to avoid the data breach in the first place.

This may involve establishing, training, and equipping an incident response team (like the CSIRT) to be called in whenever there is a breach.

It may also require conducting risk assessments to discover vulnerabilities within IT infrastructures, networks, and computer systems, in addition to implementing controls and measures to “patch up” such weaknesses before they can be exploited by threat actors.

To test the effectiveness and readiness of an incident response plan, a data controller or processor could conduct tabletop exercises where staff are taken through a typical privacy incident scenario and their responses assessed.

Preparations for handling data breaches are two-fold. The first involves periodic awareness training for staff and security response teams in charge of data breach management. The other is conducting adequate risk assessment on data processing operations and IT infrastructure involved in such operations to detect potential data breach risks.

To detect and flag such risks, a data controller or processor could deploy a network security or cyber-attack prevention mechanism such as a Security Information and Event Management (SIEM) system, a type of software that detects security incidents and monitors network activity, alerting systems administrators to a potential data breach incident. Installing antivirus software and firewalls on computer systems used for the processing of personal data may also be necessary.

Furthermore, the NIST framework recommends resources for data controllers and processors, which have been adapted for compliance with data protection regulations and laws, to assist them in preparing for a data breach incident.

These resources include:

i. The contact information of the controller or processor’s data protection officer or the relevant member of the DPO team (where this is applicable)

ii. A means of communication with any department that is directly or indirectly affected by the data breach

iii. A war room (a situation center or meeting place, whether permanent or temporary) for any relevant parties to convene during a data breach incident for communication and coordination.

iv. Encryption tools to encrypt the personal data that the controller or data processor stores.

v. Securing necessary hardware such as laptops, work stations, packet sniffers/analyzers (to monitor network traffic), digital forensic tools (to be used during the analysis phase of the data breach) and other networking equipment.

  2. Detection

Detection and analysis of a data breach have been described by NIST as the most challenging phase of the incident response process, owing largely to the difficulty of determining whether an incident has occurred and, if so, the type, extent and magnitude of the breach.

The detection phase of a data breach is when a data controller or processor realizes that a data breach incident has occurred. The incident may arise from a variety of attack vectors, which can include malware attacks (e.g., ransomware), phishing attacks by email and their voice and SMS variants (vishing and smishing), impersonation, denial of service attacks, lost or stolen laptops or mobile phones, or dumpster diving attacks where retired IT assets and documents containing personal data are improperly disposed of, amongst others.

The means of detection can include:

i. A critical network malfunction

ii. Alerts from a data loss prevention (DLP) tool or a Security Incident and Event Management system

iii. Notifications from employees in the event of loss/theft of sensitive equipment containing personal data of data subjects

iv. Reports from end users/data subjects of problems experienced when using products involved in the processing of such personal data

v. Alerts from antivirus software of a possible malware or virus intrusion

vi. Alerts from operating system, service, application and network device logs of unauthorized access to personal data.

While these are some of the means by which data breach incidents can be detected, the list is by no means exhaustive.
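The log-based means of detection listed above (items ii and vi in particular) can be illustrated with a small script. The following Python code is an added example written for this article, not a tool from NIST, the NDPA or any vendor; the log format, the sample log lines, the user names and addresses, and the alert thresholds are all constructed assumptions. It parses an application access log and raises two kinds of alert a CSIRT would want to see: a successful login preceded by a burst of failed attempts from the same source (a sign of credential guessing), and a single export of personal-data records far larger than normal business use (a sign of possible leakage).

```python
"""Added example: simple detection rules over constructed access-log lines.

Illustrative code written for this article, not a tool or log format from
the NDPA, NIST or any vendor. The log format, sample lines and thresholds
below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <event> user=<name> src=<ip> [records=<n>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: records=(?P<records>\d+))?$"
)

# Constructed sample log: five failed logins then a success from one source,
# followed by a very large export; a second user behaves normally.
SAMPLE_LOG = """\
2023-11-30T09:00:01 LOGIN_FAIL user=jadesola src=203.0.113.7
2023-11-30T09:00:03 LOGIN_FAIL user=jadesola src=203.0.113.7
2023-11-30T09:00:05 LOGIN_FAIL user=jadesola src=203.0.113.7
2023-11-30T09:00:06 LOGIN_FAIL user=jadesola src=203.0.113.7
2023-11-30T09:00:08 LOGIN_FAIL user=jadesola src=203.0.113.7
2023-11-30T09:00:10 LOGIN_OK user=jadesola src=203.0.113.7
2023-11-30T09:05:00 EXPORT user=jadesola src=203.0.113.7 records=48000
2023-11-30T10:15:00 LOGIN_OK user=chidi src=198.51.100.22
2023-11-30T10:16:00 EXPORT user=chidi src=198.51.100.22 records=120
"""


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match
    the assumed format are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["records"] = int(ev["records"]) if ev["records"] else 0
        events.append(ev)
    return events


def detect_credential_attack(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a successful login preceded by at least `threshold` failures from
    the same user/source within `window`: a classic credential-guessing sign."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logins
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["event"] == "LOGIN_FAIL":
            failures[key].append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("CREDENTIAL_ATTACK", ev["user"], ev["src"],
                               f"{len(recent)} failures then success"))
            failures[key].clear()
    return alerts


def detect_bulk_export(events, max_records=10_000):
    """Flag any single export larger than the business-justified ceiling."""
    return [("BULK_EXPORT", ev["user"], ev["src"], f"{ev['records']} records")
            for ev in events
            if ev["event"] == "EXPORT" and ev["records"] > max_records]


def run_detection(text):
    """Run every rule over the log and return the combined alert list."""
    events = parse_log(text)
    return detect_credential_attack(events) + detect_bulk_export(events)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```

In practice the thresholds would be tuned to the organization's own traffic, and the alerts would be routed to the SIEM or ticketing system that the CSIRT monitors, so that the analysis phase can start from a timestamped record of what was seen.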

  3. Analysis

Once a controller or processor has been alerted to a potential data breach, the analysis phase usually begins. This would involve conducting an in-depth data breach forensic analysis to determine the source, cause, nature and impact of the incident that led to the data breach.

Detailed analysis is necessary to carry out proper documentation as required by privacy laws and to collect evidence of the data breach to be included in any notifications sent to the regulatory bodies. The same analysis is also needed to remediate the breach and to prevent future attacks and leakages.

  4. Containment

After a data controller or processor has analyzed and confirmed that a data breach incident has taken place, the next phase of action is the containment of the incident. Steps at containment are often geared towards mitigating the effects of the breach and preventing further data loss.

Containment strategies, where an incident is linked to an intentional act of data compromise, are aimed at removing active attackers from a controller or processor’s IT infrastructure and computer systems and preventing the attack vectors from spreading to other areas. Where however the breach is unintentional, containment measures may look to prevent further data leakages.

With the help of cybersecurity professionals, measures deployed at the containment stage may involve isolating the threat, enforcing authentication to prevent further unauthorized access to data, resetting passwords, or applying security patches to address vulnerabilities.

Where the primary attack vector is a malware or virus, a controller or processor’s incident response team could deploy the technique of sandboxing to study and better understand the attack vector involved in a safe and segregated environment.

  5. Recovery and Eradication

In the recovery and eradication phase, the incident response team will normally seek to eradicate the cause of the data breach incident after a detailed analysis of the situation. This may involve scanning affected systems and networks for traces of malware and eradicating them through the deletion of corrupted files or isolation of affected information assets.

It could also require removing malware from computer systems, blocking further access to data by intruders, or disabling affected user accounts.

In observance of the principle of availability in the CIA triad, particularly where the data subject’s right to access their personal data has been disrupted as a result of the privacy incident, the response team may also look to restore affected systems from a backup to their previous state as part of the recovery phase.

  6. Post-Incident Stage

This closing phase of the incident response plan calls for a dual approach to dealing with an incident.

The first aspect requires the controller or processor to reflect on the incident and draw important lessons from it.

Although the saying goes that lightning does not strike the same place twice, in truth lightning does strike the same place, and even more so when it comes to cyber-attacks. In today’s cyberthreat landscape, cybercriminals, after enjoying the spoils of a successful infiltration, and at the risk of embarrassing the organization, are emboldened to relaunch the same attack on an organization holding valuable data barely before it has recovered from the earlier attack.

This is why it is so important for organizations that have been the subject of attacks leading to data breaches to review all aspects of the incident to further strengthen their security posture against future incidents.

It is recommended that the incident review be conducted at a meeting with members of the incident response team in attendance.

Questions to be considered at this stage of the incident management life cycle should include the following:

What led to the data breach incident?

Was the response of the incident response team swift?

How did the incident response team perform during the incident?

How can the incident be prevented from happening again?

How can the controller or processor strengthen its IT resilience capabilities in the face of future incidents?

How can the controller or processor beef up its security systems against similar attacks?

For compliance with section 40(8) of the NDPA, a data controller or processor should at this stage document the data breach, including details of its effects and what measures were taken to mitigate the breach. This documentation will be particularly useful in the event of a notification to or an inquiry by the Commission.

The second aspect, and perhaps the most important, is the requirement to notify the regulatory authority (for data controllers and processors in Nigeria, the Nigeria Data Protection Commission) and the affected data subjects of the data breach incident. The contents of such a notification have been outlined earlier in this article.

It should be borne in mind that whether a notification of a data breach to the Commission is required depends on the nature and severity of the data breach concerned.

As has been earlier pointed out, it is only in cases where a data breach is of such a serious nature as to be likely to result in a risk to the rights and freedoms of individuals that a data controller or processor is required to report such incident to the Commission and the affected data subjects.

In minor or less serious incidents that do not threaten the rights and freedoms of data subjects, such a notification may not be necessary.

The challenge, then, is determining when a data breach incident warrants notification to the Commission and when it does not.

The NDPA in its section 40(7) lists some criteria which can be used by data controllers and processors to evaluate whether a data breach will likely result in a risk to the rights and freedom of data subjects.

The factors to be considered, in no particular order, include:

  • The nature, scope and sensitivity of the personal data involved
  • The likely effectiveness of any technical and administrative measures implemented to mitigate the likely harm resulting from the breach
  • Any subsequent measures taken by the data controller to mitigate such risk

To augment the above criteria outlined in the Act, data controllers and processors evaluating the impact of a data breach could turn to scoring models that rank data breach incidents by severity of the incident.

The European Union Agency for Network and Information Security (ENISA) has provided a methodology for the assessment of the severity of personal data breaches that is used by some data controllers and processors internationally in assessing the severity of a personal data breach and to determine when to report such incident to regulatory bodies.

The model scores the risk and impact of data breaches on a scale running from very low through low, medium and high to very high.

The severity of a data breach is often calculated based on a range of factors including data type, ease of identification of a data subject from the data disclosed, and the circumstances leading to the breach.

Data controllers and processors in Nigeria could also use the ENISA methodology or other internationally recognized data breach risk assessment scoring models, in addition to the criteria provided in the NDPA, to assess the impact of a data breach on the rights and freedoms of data subjects and whether the incident warrants notification to the Nigeria Data Protection Commission.
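As an added example (written for this article, not code from ENISA, the Nigeria Data Protection Commission or any data controller), the Python below carries the ENISA severity calculation through for three constructed incidents and turns the result into an NDPA notification decision with its 72-hour deadline and the notification contents described earlier. The formula SE = DPC x EI + CB and the four severity bands are taken from ENISA's published methodology (listed in the references); the DPC and EI score tables are ENISA's base values without the adjustments the methodology allows, the circumstances-of-breach scoring is simplified, and the mapping from severity band to the NDPA's "risk" and "high risk" thresholds, the deadline arithmetic, the record layout and the sample incidents are assumptions that a controller would have to settle for itself.

```python
"""Added example: ENISA-style severity scoring feeding an NDPA notification decision.

Illustrative code written for this article; not code from ENISA, the NDPC or the
NDPA. The formula and bands follow ENISA's published methodology; the score tables
are ENISA's base values without adjustments, the circumstances scoring is
simplified, and the band-to-NDPA mapping, deadline arithmetic, record layout and
sample incidents are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Data Processing Context (DPC) base scores from ENISA: the more revealing the data
# category, the higher the score. ENISA's contextual +/- adjustments are omitted.
DPC_SCORES = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}
# Ease of Identification (EI): how easily the data identifies a real person.
EI_FACTORS = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}


@dataclass
class Breach:
    description: str
    data_context: str            # key of DPC_SCORES
    identification: str          # key of EI_FACTORS
    confidentiality_lost: bool
    integrity_lost: bool
    availability_lost: bool
    malicious: bool              # deliberate act (theft, ransomware) rather than accident
    recoverable: bool            # simplification: whether the loss can be undone or limited
    data_subjects: int
    categories: List[str]
    aware_at: datetime           # moment the controller became aware (starts the s.40(2) clock)


def severity_score(b: Breach) -> float:
    """SE = DPC x EI + CB, per ENISA. CB here adds 0.25 per CIA loss when recoverable,
    0.5 when not, plus 0.5 for malicious intent (simplified from ENISA's table)."""
    cb = 0.0
    for lost in (b.confidentiality_lost, b.integrity_lost, b.availability_lost):
        if lost:
            cb += 0.25 if b.recoverable else 0.5
    if b.malicious:
        cb += 0.5
    return DPC_SCORES[b.data_context] * EI_FACTORS[b.identification] + cb


def severity_band(se: float) -> str:
    """ENISA bands: below 2 low, 2 to 3 medium, 3 to 4 high, 4 and above very high."""
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    if se < 4:
        return "high"
    return "very high"


# Constructed policy mapping (an assumption, not the NDPA's own test): medium and
# above is treated as "likely to result in a risk" (notify the Commission); high and
# above as "high risk" (also notify data subjects). The s.40(7) factors still call
# for human judgement on top of the score.
COMMISSION_BANDS = {"medium", "high", "very high"}
SUBJECT_BANDS = {"high", "very high"}


def notification_decision(b: Breach) -> dict:
    """Score the breach and derive who must be notified and by when."""
    se = severity_score(b)
    band = severity_band(se)
    return {
        "severity_score": se,
        "severity_band": band,
        "notify_commission": band in COMMISSION_BANDS,
        "notify_data_subjects": band in SUBJECT_BANDS,
        # s.40(2): notification within 72 hours of becoming aware of the breach
        "commission_deadline": b.aware_at + timedelta(hours=72),
    }


def notification_record(b: Breach, contact: str, consequences: str, measures: str) -> dict:
    """Assemble the notification contents described in this article (s.40(4)) with the
    decision; the same record serves as the s.40(8) internal documentation."""
    return {
        "nature_of_breach": b.description,
        "categories_of_data": b.categories,
        "approx_data_subjects": b.data_subjects,
        "point_of_contact": contact,
        "likely_consequences": consequences,
        "measures_taken_or_proposed": measures,
        **notification_decision(b),
    }


AWARE = datetime(2023, 11, 30, 9, 10, tzinfo=timezone.utc)  # constructed timestamp

# Three constructed incidents (assumptions, not real cases).
LOST_LAPTOP = Breach("Unencrypted laptop with customer account statements left in a taxi",
                     "financial", "significant", True, False, False, False, True,
                     2_500, ["names", "account numbers", "statements"], AWARE)
RANSOMWARE = Breach("Ransomware encrypted and exfiltrated a patient records database",
                    "sensitive", "maximum", True, False, True, True, False,
                    40_000, ["names", "health records"], AWARE)
MISSENT_EMAIL = Breach("Newsletter with first names sent to one wrong recipient",
                       "simple", "negligible", True, False, False, False, True,
                       1, ["first names"], AWARE)

if __name__ == "__main__":
    for incident in (LOST_LAPTOP, RANSOMWARE, MISSENT_EMAIL):
        print(incident.description, notification_decision(incident))
```

Running the script scores the lost laptop as medium (Commission notified, data subjects not), the ransomware incident as very high (both notified) and the mis-sent newsletter as low (no notification), each with the deadline computed 72 hours after the awareness timestamp; the point of the exercise is that the score is recorded alongside the reasoning, so the decision not to notify is as well documented as the decision to notify.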

Besides the ENISA risk calculation methodology, other factors which could determine the severity of a data breach and whether it impacts on the rights and freedom of affected data subjects include:

  • The type or category of personal data involved
  • The nature and circumstance of the data breach
  • The likelihood of personal data being put to illegal use
  • The number of data subjects affected by the breach

From the foregoing it is clear that while data controllers and processors are required by the NDPA to implement organizational and technical measures to safeguard the personal data of individuals stored by them, they are also expected to observe data breach management practices and develop incident response plans to contain any adverse impact from a personal data breach.

This is necessary to ensure that the right to privacy of data subjects is safeguarded even during data breach incidents.

Patrick Herbert is an experienced litigator and a certified data protection officer. He also has expertise in energy law, financial technology, and intellectual property law.
He can be reached at legalmindspublishing@gmail.com

REFERENCES

Antoni G, Connor F and William J, GDPR and Cybersecurity for Business Information Systems (Rivers Publishers, 2018)

Danny Brando and others, ‘Implications of Cyber Risk for Financial Stability’ (Federal Reserve, 12 May 2022)

<https://www.federalreserve.gov/econres/notes/feds-notes/implications-of-cyber-risk-for-financial-stability-20220512.html> accessed 1 December 2023

‘Data Breach Statistics 2023 Q1 vs. 2022 Q4’ (Surfshark, 10 May 2023)

<https://surfshark.com/research/study/data-breach-statistics-2023-q1> accessed 29 November 2023

European Union Agency for Cybersecurity, ‘Recommendations for a Methodology of the Assessment of Severity of Personal Data Breaches’

<https://www.enisa.europa.eu/publications/dbn-severity> accessed 30 November 2023

Information Commissioner’s Office, ‘Personal Data Breaches’

<https://ico.org.uk/for-organisations/law-enforcement/guide-to-le-processing/personal-data-breaches> accessed 29 November 2023

Katie Donegan, ‘Computer Security Incident Response Team’ (Techtarget, February 2023)

<https://www.techtarget.com/whatis/definition/Computer-Security-Incident-Response-Team-CSIRT> accessed 30 November 2023

Keman Huang and others, ‘The Devastating Business Impacts of a Cyber Breach’ (Harvard Business Review, 4 May 2023)

<https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach> accessed 29 November 2023

Kurt Baker, ‘Types of Cyber Attacks’ (Crowdstrike, 9 November 2023)

<https://www.crowdstrike.com/cybersecurity-101/cyberattacks/most-common-types-of-cyberattacks/> accessed 30 November 2023

Godfrey George, ‘Bank Customers, Companies Lose Billions to Nigeria’s Weak Cybersecurity’ (Punch Newspaper, 2 April 2023)

<https://punchng.com/bank-customers-companies-lose-billions-to-nigerias-weak-cybersecurity/> accessed 30 November 2023

National Institute of Standards and Technology, ‘Computer Security Incident Handling Guide’ (NIST, August 2012)

<http://dx.doi.org/10.6028/NIST.SP.800-61r2> accessed 30 November 2023

National Institute of Standards and Technology, ‘Cyber Attack’

<https://csrc.nist.gov/glossary/term/cyber_attack#> accessed 30 November 2023
