The National Information Technology Development Agency (NITDA) has concluded its investigation into the personal data breach by Electronic Settlement Limited and fined the firm N5 million for the data protection breach.
The investigative process involved an analysis of the company’s applications and websites, a visit to the company’s office in Lagos, a review of its technical documents as submitted to the Agency, and an interrogation of its officials by the NITDA investigation team in Abuja.
A statement issued by the Head, Corporate Affairs and External Relations of NITDA, Mrs Hadiza Umar, said “at the end of the process, we have established that there was a data breach involving the company.
“We commend Electronic Settlement Limited for the actions taken to mitigate this breach. Particularly, its taking full responsibility for the breach, updating identified security issues, cooperation with the NITDA investigation team, recruitment of a data protection compliance organisation, submission of its annual NDPR audit report and generally improving its compliance with the NDPR.
“The company’s actions demonstrate its sense of responsibility and duty to protect the data of Nigerians and customers in general.”
NITDA said the objective of the investigation was to assess the risk resulting from the breach, with a view to identifying the causes, remedial actions taken and other necessary issues to avoid recurrence.
“In compliance with the NDPR and the need to prevent a repeat of this unfortunate breach, NITDA has directed” that Electronic Settlement Limited shall be under a six-month information technology oversight by NITDA. The oversight shall involve oversight of the implementation of prescribed security controls and processes.
“That a clear data security and governance document is drawn up between Electronic Settlement Limited and all its Information Technology services vendors identifying roles, responsibilities and processes involved in securing and protecting personal data.
“That the company conduct regular NDPR training for all staff, publish and implement appropriate policies as required by the NDPR.”
That the firm “submit 2020/2021 regulatory audit as required by Article 4.1.6 of the NDPR, conducted by a Data Protection Compliance Organization (DPCO) as licensed by NITDA.
“Conduct Data Protection Impact Assessment on some data-intensive applications and products.
“Payment of the sum of Five million Naira only (5,000,000.00) as fine in line with the requirements of the NDPR,” the statement added.