Data Breach: Four Banks and Others Face N400 Million Fine

According to the Nigeria Data Protection Commission, investigations are presently being conducted into over a thousand financial organizations, educational institutions, insurance providers, and consulting firms for varying degrees of citizen data breaches.

This came as Vincent Olatunji, the National Commissioner of the Commission, disclosed that four large banks and three other organizations were subject to fines and punishments totaling N400 million for violations involving breaches of people’s data. Olatunji made this revelation on Tuesday at a Q&A session with media to commemorate a year since President Bola Tinubu signed the Nigeria Data Protection Commission Act into law in Abuja.

Tinubu approved the data protection bill on June 12, 2023, advancing fundamental freedoms and privacy rights in both digital and offline interactions.

As long as citizen data is “processed in a fair, lawful, and accountable manner,” Nigerians can seek legal recourse for any kind of data breach.

“As of this time last year, we were so unsure if the president would assent to the bill—what if the president didn’t sign it, what would have happened?” the national commissioner nostalgically recalled.

“The bill was passed by the ninth Assembly and usually, when a new government comes in, they want to jettison all that the former government did before it got there. More importantly, it was a new government. I was apprehensive, everyone was worried but I kept faith in God even though I was not sure too, and on the 12th of June last year, the president signed it.”

Olatunji stressed that the multiplier impact of passing the measure has caused the value of the country’s data ecosystem to surpass N10 billion. He emphasized the commission’s dedication to protecting citizen data in accordance with international best practices and standards, believing that doing so is crucial to guaranteeing its security, safety, and protection.

“Cumulatively, we have had over 1,000 reports of data breaches between when we started and now. The figure is low because of the low level of awareness among Nigerians.

“Out of the 1,000 cases, about 400 of them are digital revenue companies that we call loan sharks but the main ones we have conducted investigations in the education sector, financial institutions, real estate, insurance, consulting, and schools, and as of today, we have finalized four major investigations and some have paid their remediation fees. In the law, we can fine companies depending on the nature of the breach, impact on the subject, and level of cooperation and we got N400m from remediation fees.”

He also mentioned that there were investigations into data violations going on. Olatunji also emphasized how the Nigeria Data Protection Act is now more widely followed in both the public and private sectors as a result of the NDPC’s efforts.

“When we started, the levels of compliance within the private sector was about 49 percent while the public sector was 4 percent. But today, private sector compliance is above 55, while the public sector has reached 15 percent “, Olatunji said.

The head of the NDPC also declared that Nigeria is now leading the Global Data Assembly’s operations and that the country has had an impact on the data ecosystem in the same way as countries like Kenya, Ghana, China, Singapore, and Malaysia, to name a few.

“The Data Protection Act 2023 is a major milestone for Nigeria. Mr President laid our apprehension to rest when he signed the Act on June 12, 2023. It was a major turnaround for the industry. Now the data ecosystem is beyond everybody because it is a global phenomenon due to the impact of technology.

“In terms of jobs and wealth creation, promotion of tourism, perception, and attraction of foreign direct investments into Nigeria, we have taken a leapfrog and even overtaken some countries.

“And that’s why Nigeria was given the hosting right for 2024 All African Data Protection Commission’s and Institutions. About 30 countries would be here next year for the event,” Olatunji said.

He announced that the commission had reached an agreement to provide 10,000 public servants with training on responsible data management and that the NDPC will train roughly 1,000 data protection officers and processors, including journalists. Olatunji noted that the NDPC worked with the CBN, ICPC, EFCC, and other regulatory bodies to monitor the operations of digital lending platforms while bemoaning the fact that the majority of illicit digital lending platforms lacked addresses that could be located.