Mrs Hadiza Umar, the Head, Corporate Affairs and External Relations of the National Information Technology Development Agency (NITDA), said on Monday, March 15, in a statement she signed and issued in Abuja, that the agency deemed it necessary to sanction Electronic Settlement Limited (ESL) with a fine of N5 million for a data breach.
Electronic Settlement Limited is a financial technology company that provides solutions to financial and payment problems in Nigeria.
Umar said NITDA investigated the company’s applications and website, visited its office in Lagos to review the technical documents submitted to the agency, interrogated the staff, and discovered the breach.
She said the company’s documents violated the Nigerian Data Protection Regulation (NDPR), which sought to ensure data protection for citizens, as established by the agency and in line with its IT regulatory mandate.
Umar said the investigation was conducted to assess the risks resulting from the breach, with a view to identifying the causes, remedial actions taken and other necessary issues, to avoid recurrence.
Umar added that the company had been briefed on the agency’s prescriptions for better information security and protection of personal data.
“In compliance with the NDPR and the need to prevent a repeat of this unfortunate breach, NITDA has directed that ESL shall be under a six-month information technology oversight by NITDA.
“It shall involve oversight of the implementation of prescribed security controls and processes.
“There will be a clear data security and governance document, drawn up between ESL and all its IT service vendors, identifying roles, responsibilities, and processes involved in securing and protecting personal data.
“The company will conduct regular NDPR training for all staff, publish and implement appropriate policies as required by the regulation. The company will pay the sum of Five million Naira only, as a fine in line with the requirements of the NDPR,” she said.
Other sanctions on the company included submission of a 2020/2021 regulatory audit, as required by Article 4.1.6 of the NDPR, which would be conducted by a Data Protection Compliance Organisation licensed by NITDA.
Umar also said that the company would conduct a Data Protection Impact Assessment on some data-intensive applications and products.
She, however, commended the management of ESL for the actions taken to mitigate the breach, for taking responsibility, for complying with the investigation process, and for generally improving its compliance with the NDPR.