Generally, organisations may be categorised into those that have already experienced a cybersecurity incident and those that will.[1] The reality is that most organisations, whether or not they have experienced a cyber threat or incident in the past, are on their way to their first or their next one. These incidents manifest in different ways; the most common occurrences include personal data breaches, loss of information, and other information-technology-related events that affect an information technology system or network. A cybersecurity incident may be an event that has been defined as such either by law or in the organisation's own cyber-threat intelligence programme. Different laws impose different requirements for responding to and reporting cyber incidents. In preparing to respond to a cybersecurity incident, organisations must therefore take into account the legal requirements that apply to them for reporting such incidents.
Against the backdrop of the recent spate of international cybersecurity incidents reported by Harrods, Marks & Spencer, Co-op and Adidas, among others, this article examines some key requirements under Nigerian law for escalating and reporting cybersecurity incidents.[2]
Cybercrimes (Prohibition, Prevention, etc.) Act 2015 and Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act 2024
A cyber threat under this law refers to any attack, intrusion or other disruption liable to hinder the functioning of another computer system or network. Organisations are required to report all cyber threats to the National Computer Emergency Response Team Coordination Centre (ngCERT), through their respective sectoral Computer Emergency Response Team (CERT) or sectoral Security Operations Centre (SOC) where one exists, immediately and in any case no later than 72 hours after detection.[3]
Organisations should therefore identify, in their incident response plans, the sectoral CERT or SOC relevant to their business operations and the prescribed means of notifying it. Sectoral CERTs and SOCs currently operating in Nigeria include (a) the Nigeria Financial Computer Emergency Response Team (NigFinCERT); and (b) the Nigerian Communications Commission Computer Security Incident Response Team (NCC CSIRT).
Nigeria Data Protection Act 2023
A personal data breach is a security incident that results, or is likely to result, in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.[4] A personal data breach constitutes a cybersecurity incident where it involves personal data processed through, or held in, an information technology system or network. In the event of a personal data breach, organisations acting as data controllers[5] are required to report the breach to the Nigeria Data Protection Commission (NDPC) no later than 72 hours after becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of a data subject.[6] A breach may be deemed to result in such a risk where, given the nature of the breach and the personal data involved, it is likely to affect any right or freedom of the data subject, such as the social or economic rights contained in the Constitution or in other legal or similar instruments. Examples include personal data breaches involving account login information, residential addresses, criminal and health records, Bank Verification Numbers (BVN) and National Identification Numbers (NIN).
Associate Yetunde Olashore contributed to this publication.
[1] Andrew T Garbarino, ‘More Than Ever, Cybersecurity Is a Board-Level Concern’ (2019) 262 New York Law Journal 1, 1.
[2] Cyber Monitoring Centre, 'Cyber Monitoring Centre estimates cost of UK retail attacks at £440 million'.
[3] Section 21 Cybercrimes (Prohibition, Prevention, etc.) Act 2015 and Section 3 Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act 2024.
[4] Section 65 Nigeria Data Protection Act 2023.
[5] "Data controller" means an individual, private entity, public commission, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
[6] Section 40(2) Nigeria Data Protection Act 2023.
--
Read the original publication at Aluko & Oyebode