The National Information Technology Development Agency (NITDA) has sanctioned Electronic Settlement Limited (ESL) with a fine of N5 Million for a data breach.
Mrs Hadiza Umar, the agency’s Head, Corporate Affairs and External Relations, said this on Monday, in a statement she signed and issued in Abuja.
Electronic Settlement Limited (ESL) is a financial technology company that provides solutions to financial and payment problems in Nigeria.
Umar said NITDA conducted an investigation into the company’s applications and website, visited its office in Lagos to review its technical documents submitted to the agency, interrogated the staff and discovered the breach.
She said the company’s documents violated the Nigerian Data Protection Regulation (NDPR), which sought to ensure data protection for citizens, as established by the agency and in line with its IT regulatory mandate.
Umar said the investigation was conducted to assess the risks resulting from the breach, with a view to identifying the causes, remedial actions taken and other necessary issues, to avoid recurrence.
Umar added that the company had been briefed on the agency’s prescriptions for better information security and protection of personal data.
“In compliance with the NDPR and the need to prevent a repeat of this unfortunate breach, NITDA has directed that ESL shall be under a six-month information technology oversight by NITDA. It shall involve oversight of implementation of prescribed security controls and processes.
“There will be a clear data security and governance document, drawn up between ESL and all its IT service vendors, identifying roles, responsibilities and processes involved in securing and protecting personal data. The company will conduct regular NDPR training for all staff, publish and implement appropriate policies as required by the regulation. The company will pay the sum of Five million Naira only, as fine in line with the requirements of the NDPR”.
Other sanctions on the company included submission of the 2020/2021 regulatory audit, as required by Article 4.1.6 of the NDPR, which would be conducted by a Data Protection Compliance Organisation licensed by NITDA.
Umar also said that the company would conduct a Data Protection Impact Assessment on some data-intensive applications and products.
She, however, commended the management of ESL for the actions taken to mitigate the breach, and for taking responsibility, complying with the investigation process and generally improving its compliance with the NDPR.
Umar thanked the public for its continued interest in ensuring the full implementation of the NDPR to safeguard the personal data of citizens.
“NITDA is, therefore, using this opportunity to encourage every data controller and processor to embark on necessary measures to protect personal data,” the NITDA Corporate Affairs chief said.
She announced that NITDA had extended the initial March 15 deadline to June 30, for data processors to file their annual audit reports.
Umar said that NITDA reaffirmed its continued commitment to implementing the NDPR vigorously and providing periodic updates to the public on its activities and investigations in the discharge of its mandate.