How Secure Is Our Data?

Data is at the heart of so much of the digital economy. Its commercial importance combined with increased regulatory requirements and scrutiny laws means data protection and cyber resilience are now board-level issues- Nick Elverston, Global Co-head of Digital Economy, Ashurst

On the 24th of December 2019, I received a call from my aunt telling me about her conversation with an ‘unidentified contact’ who claimed to be calling from her bank. According to her, she was asked some leading questions about her bank information. Upon hearing this, I immediately interrupted, asking her what her response was but she was evasive about the question. From my calculations, this was either the activities of bank officials which is an uncommon practice or a deceptive act from scammers. Sadly, she was scammed because of the little dialogue she had with this ‘unidentified contact’ .

My aunt’s story is just one of the thousands of Nigerians that have been scammed online due to the breach of confidentiality of their data in the banking industry by online fraudsters. A study published by the Cyber Security Experts Association of Nigeria (CSEAN) in 2016 revealed that Nigeria loses about N127 billion annually due to cyber security attacks. You see, in this digital age where countless online conversations are exchanged online daily; a large number of financial transactions take place and a lot of information is being stored on digital platforms, we need to continually ask ourselves this simple question: how secure is our data?

Most times, I think about how secure my PIN is after withdrawing money with the use of Point of Sale (POS) machines, and how secure my business conversations with people are. What if these conversations are not truly ‘end to end encrypted’? How secure is a document I share with another person? Do not mind me, I am just generally a curious person. In fact, Facebook, the biggest social media corporation which has a user base of over 2.7 billion(about a third of the world’s population) was accused in 2018 of breaching data privacy rules in relation to the Cambridge Analytica scandal. As a result, the United States Federal Trade Commission and the United Kingdom imposed a fine of $5billion and €500,000 respectively on the social media corporation for failing to protect the data of its users.

Thus, as technological tools become more disruptive and highly intelligent coupled with an increase in the use of digital tools and social media platforms, there is the possibility of people being at risk due to mismanagement, unauthorized transfer, and breach of their data.

What does data mean in this Digital Economy?

No doubt, the definition of data happens to be the simplest definition of all concepts I was taught in secondary school. It is defined in two words: raw facts. However, as simple as this looks, the phrase “raw facts” encompasses a lot in this digital age. According to the National Information Technology Development Agency (NITDA), “Data” means ‘’characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device.’’ Copious examples of data (raw facts) in Nigeria include a person’s age, birth date, biometric verification number, National Identification Number (NIN), home and office addresses, phone numbers amongst others. All these are considered as confidential information to persons or organisations they belong to. Thus, a breach of such information might have dire consequences on such a person, relatives, friends, organisations and even the society.

Who has access to our Data?

Before the deep intrusion of technology into the Nigerian economy, institutions like banks, hospitals, educational institutions, fast-moving consumer goods companies, media companies, telecommunication companies, security agencies, the Nigerian Information Technology Development Agency (NITDA), amongst others are examples of organisations that had access to data of persons in Nigeria. However, the rise of more technology companies across all sectors in Nigeria expanded the scope of data retrieval, data control and data processing.

Thus, we now have such companies like those in the fintech industry, health-tech industry, edtech industry, e-commerce industry and logistics industry who receive and store a large amount of data and information from residents and non-residents in Nigeria. For example, logistics companies like DHL and GIG have access to the home and office addresses of their users because they are expected to deliver goods their customers ordered via their platforms.

What are the risks attached to Data Breach?

The risks attached to data breaches include loss of a huge amount of money, as seen in my aunt’s case, damage to the reputation of persons, loss and destruction of companies’ sensitive data, and terrorists’ attack amongst others. Thus, data ought to be given the same level of judicial notice and protection as fundamental human rights like the right to life, dignity and personal liberty.

Data Protection in Nigeria

Despite the delicate nature of the data of persons in Nigeria, it is sad to note that the country does not have national legislation on data privacy and protection. For now, persons who are aggrieved due to the breach of their data will have to rely on the provisions of Section 37 of the Constitution of the Federal Republic of Nigeria, 1999. This Section expressly provides that: “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

Also, there is the National Data Protection Regulations (NDPR), subsidiary legislation made by the National Information Technology Development Agency (NITDA), an agency empowered by the Federal Government of Nigeria to regulate companies and institutions that have access to and the control of data.

The NDPR provides for the protection of persons whose data have been breached online. The objective of the NDPR is to “safeguard the rights of natural persons to data privacy, to foster safe-conduct for transactions involving the exchange of personal data, to prevent manipulation of personal data, and to ensure that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a just and equitable legal regulatory framework on data protection and which is in tune with best practice.”

Data: The New Oil?

In the words of Tran Trang Linh, “Becoming data-centred is the critical technology strategy of many businesses worldwide. It is not a coincidence that the most valuable companies (based on their market value) in the last few years are dominantly technology companies that use data as “a mine of business knowledge”. Thus, data is the bedrock upon which technology companies thrive and tech startups in Nigeria are no exception to this as they might likely perish without access to data.

According to Joris Toonders, “data in the 21st Century is like oil in the 18th century; an immensely, untapped valuable asset. Like oil, for those who see data’s fundamental value and learn to extract and use it there will be huge rewards”. But should the new “oil” be treated the same way the exploration, production, processing and distribution of crude oil was and is currently being treated in terms of environmental pollution?

It is important we take cognizance of the fact that the failure of our government to effectively regulate the activities of oil and gas corporations accounts for a major reason for the pollution of the Niger-Delta region of Nigeria. Hence, this same attitude must not be extended to the Information and technology companies which have been contributing significantly to the Gross Domestic Product and revenue of Nigeria. Data, which is the valuable asset these companies make use of for business growth must be well regulated. Companies in the Information and Communications Sector must be heavily sanctioned if found guilty of failing to safeguard the personal data of their users or customers.

Data is not just numbers or statistics; we constitute those numbers. Our lives are at stake here and the government needs to fulfil its part of the social contract we have with them to ensure that our data (our life history, bank details, medical details etc.) are well safeguarded against unscrupulous elements, who hide under the mask of being technology companies.

Conclusion

The Information and Communications Technology sector in Nigeria is fast becoming a major contributor to the country’s economy. Is it not due time to have a statute in Nigeria, which contains explicit provisions on how companies in this sector collect, use, transfer, and store data? Or would it profits over the rights of Nigerians again as it has been practised in the Niger-Delta region of the country?