{"id":1966,"date":"2025-06-25T10:15:47","date_gmt":"2025-06-25T09:15:47","guid":{"rendered":"https:\/\/lexluminar.com\/?p=1966"},"modified":"2025-06-25T10:15:53","modified_gmt":"2025-06-25T09:15:53","slug":"best-practices-for-responding-to-data-breaches-and-security-incidents","status":"publish","type":"post","link":"https:\/\/lexluminar.com\/fr\/best-practices-for-responding-to-data-breaches-and-security-incidents\/","title":{"rendered":"Best Practices for Responding to Data Breaches and Security Incidents"},"content":{"rendered":"

Introduction<\/strong><\/h2>\n\n\n\n

Data breaches are no longer speculative threats; they are present-day realities that confront organisations across all sectors. The Nigeria Data Protection Act (NDPA) 2023 addresses this challenge by establishing a regulatory framework that prioritises preventive safeguards, prompt incident reporting, and data subject rights. But how well do organizations understand their obligations under this law when a breach occurs?<\/p>\n\n\n\n

In this article, we unpack what the NDPA requires, highlight lessons from recent Nigerian cases, and outline practical steps every business should take before\u2014and after\u2014a data breach occurs.<\/p>\n\n\n\n

<\/div>\n\n\n\n

The Importance of Timely Detection and Containment<\/h3>\n\n\n\n

The first step in responding to a data breach is detection<\/strong>. Organisations must deploy systems capable of identifying anomalies that may indicate potential violations. The NDPA, under Section 39(1)<\/strong>, mandates that data controllers implement \u201cappropriate technical and organisational measures\u201d to ensure data security\u00b9.<\/p>\n\n\n\n

The 2022 PLASCHEMA<\/strong> data leak, which exposed the health-related personal data of over 37,000 Nigerians due to misconfigured Amazon Web Services (AWS) servers, highlights the risks associated with inadequate internal monitoring.\u00b2 Although external researchers flagged the issue, the vulnerability persisted for nearly four months. This delay in containment escalated the potential harm.<\/p>\n\n\n\n

Once a breach is detected, Containment should be implemented immediately to prevent further compromise. The longer the exposure, the greater the risk\u2014and the higher the scrutiny from regulators.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Assessing Risk and Regulatory Thresholds for Notification<\/h3>\n\n\n\n

After identifying a breach, organisations must assess whether the incident is likely to result in a risk to the rights and freedoms<\/em> of individuals, referred to as data subjects<\/em>.  This involves determining whether the incident could result in harm, such as financial loss, identity theft, or reputational damage.<\/p>\n\n\n\n

Section 40(7) of the NDPA adopts a risk-based approach<\/strong> similar to global standards like the EU\u2019s GDPR.\u00b3Not every breach must be reported to the Nigeria Data Protection Commission (NDPC), but failing to assess or document the decision can itself become a compliance issue. This step should not be skipped or downplayed; it is crucial. A written risk analysis should be prepared for every breach, even those deemed minor.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Regulatory Notification: The 72-Hour Rule<\/h3>\n\n\n\n

If the risk to individuals is significant, organisations must notify the NDPC within 72 hours<\/strong> of becoming aware of the breach, as required by Section 40(2) of the Act.\u2074 This deadline underscores the importance of being prepared.<\/p>\n\n\n\n

In the Fidelity Bank case<\/strong>, the NDPC imposed a \u20a6555.8 million fine for breaches that included failing to adhere to lawful consent practices\u2075. Though not explicitly tied to breach notification, the case reinforces that enforcement can arise from layered non-compliance\u2014where poor data handling meets inadequate breach response.<\/p>\n\n\n\n

Organisations must designate a responsible officer, such as a Data Protection Officer (DPO)<\/strong> or compliance manager, who is empowered to lead the response, communicate with regulators, and make prompt notification decisions within this timeframe.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Communicating with Data Subjects<\/h3>\n\n\n\n

Where the risk to data subjects is high, Section 40(3)<\/strong> mandates direct communication with those affected<\/strong>\u2076. This is often the most delicate part of the response: conveying bad news while maintaining credibility.<\/p>\n\n\n\n

Many companies delay or underreport incidents to protect their reputations. However, transparency often reduces reputational fallout and strengthens credibility. Notifications must be clear, timely, and explain:<\/p>\n\n\n\n