The Economist (6th May, 2017) reported that big data companies (BDC); Alphabet (Google’s ParentCo.), Amazon, Microsoft, Apple, Facebook and Amazon raked in more than US$25 billion revenues in Q1 2017, a trend that typifies the industry as ‘the new oil.’ Steady investment in acquisition of Information Technology (IT) companies was recently exemplified in Microsoft’s US$26.2 billion deal for LinkedIn. More so, IT has stimulated growth of the knowledge economy and new industry expertise, viz: data analytics, Artificial Intelligence (AI), Search Engine Optimization (SEO), amongst others.
Central to the revenue of these companies is the mining of users’ data (using data analytics to understand consumer trend and behaviour) and subsequent sale to advertisers by offering free, and to some extent, premium services, to their users. This calls to question issues of users’ data security in cases of data breach by unauthorised persons and liability for such breach.
These incidents of real or potential data breaches could erode gains recorded in the IT industry by increasing legal risk and exposure to class-action suits by users. This article seeks to look at ways to boost investors’ and users’ confidence to ensure continuous growth in the industry, given the opportunities in sub-Saharan Africa and Nigeria in particular.
Cyberattacks: Threat to New Oil?
With over 3.8 billion people connected to the internet as at June, 2017 according to Internet Live Start, cyber-attacks have become a usual occurrence. Cyberattacks sometimes take the form of: indiscriminate and destructive attacks; cyberwarfare; government and corporate espionage; stolen email and login credentials; stolen credit card and financial data; and stolen medical related data which have prompted governments all over the world to put in place regulations to curb these incidents. Indeed, Nigeria enacted its Cybercrime (Prevention, Prohibition, etc.) Act No. 17 2015 (which provides legal, regulatory and institutional framework for the prohibition, detection, prosecution and punishment of cybercrimes in Nigeria. It also provides for the retention and protection of data by financial institutions, criminalizes the interception of electronic communications amongst others) in reaction to these attacks.
The question that further arises is do IT companies have a duty to make full public disclosure when their systems have been compromised or become vulnerable to attacks? It has been observed that companies are reluctant to make full disclosure of incidents of data breach due to its resultant reputational damage which could erode share value of the companies.
The first attempt at compelling companies and government to disclose incidents of data breach in the USA was initiated by California in 2002 vide its Data Security Breach Notification Law (effective July 1, 2003 and amended in 2015) captured under 1798.29 (a) and 1798.82 (a), California Civil Code. In respect of government’s disclosure obligation, it provides, “any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data ….” Whist for businesses operating in the State, it provides, “a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system….”
The fact that there is no equivalent Nigerian provision is a serious cause for concern. To draw an allusion, whilst Nigerian public companies under para 34.5(g), SEC’s Code of Corporate Governance, 2011 are under an obligation to disclose risk management policies (including steps taken to ensure that its systems are not vulnerable to cyberattacks), to guide investors in their investment decision, private companies do not have similar disclosure obligations. The closest attempt to impose such obligation was witnessed in the Financial Reporting Council of Nigeria (FRCN)’s Code of Corporate Governance, 2016 which is currently suspended. Thus, this makes risk exposure (including cyberattack) disclosure discretionary for private companies. As at date, there is no particular requirement for data holders (DHs) to disclose any incidents of data breach to data owners (DOs) despite the revelation by the Senate that more than US$450 million had been lost through cyberattacks by Nigerian firms in over 3,500 attacks.
However, the recently passed Electronic Transaction Bill, 2017 (ETB) (passed in May, 2017 and awaiting Presidential Assent. Given that the President is yet to assent the bill and the 30 days window had lapsed – section 58(4), 1999 Constitution (as amended) – the National Assembly would have to undergo the whole process of passage of the bill again (National Assembly v. President & Ors.  9 NWLR (Pt. 824) 104) reposes more responsibilities on DHs. Accordingly, section 23, ETB provides “a data holder must implement appropriate technical and organizational measures and exercise reasonable care to protect personal data against accidental loss and against unauthorised alteration, processing, disclosure or access, in particular where processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
The ETB further strengthens DO’s rights in determining how and for what purpose their data could be processed. It states in section 20(4) that: “an individual shall be entitled to apply for the suspension, withdrawal or order the blocking removal or destruction of personal data, on proof that it is incomplete, outdated, false, compromised, unlawfully obtained, used for unauthorised purpose or no longer necessary for the purpose for which it was collected.” It is arguable whether a mere application to the DH would suffice in deleting owners’ data from its database.
There are also instances where these data have been replicated and stored (lawfully shared) with multiple channels most of whom may not be known to, or have a relationship with, the DO. Could the liability of the DH under section 22, ETB (which makes a DH liable to compensate DO for damage), extend to any person acting under the instruction of the DH or could DHs be liable for third party ‘unlawful’ processing of owners’ data after a request to delete same has been sent to the DH? Despite ETB’s silence on issues of DHs’ vicarious liability, there could be compelling argument (depending on the terms of contract between the DH and DO) to suggest that such DH may become liable upon written notice to delete owner’s data and failure to notify others (DHs or processors) with whom it has shared such data which results in damage to the DO.
Recourse of Data Owners against Data Holders for Breach
Considering the emergence of business models built on data analytics, especially in the financial services industry, the need for optimum data security cannot be over emphasized. It is no longer news that IT companies globally suffer reputational and financial loss as a result data breach.
Under section 21(3) ETB, 2017, for a data owner (defined as an individual who is the subject of personal data) to successfully claim against DHs, he must show that he has suffered ‘damage’ by reason of contravention of the provisions of the Bill. Merely failing to secure owner’s data thereby resulting in unauthorized access is insufficient to claim compensation. This is however not restricted to data owners as the Bill rightly employed the word, ‘individual’ thereby opening up the category of persons that could institute an action against DHs, once such a person could show that damage resulted from the contravention of the Bill by DHs.
Cyber and Privacy Insurance Policy Options
It is becoming increasingly expedient that DHs put in place mechanisms to engender users’ and investor confidence to promote growth. An option that has been widely adopted in advanced economies (US, Canada, South Africa, amongst others) in mitigating DH’s monetary loss resulting from data breach is the Cyber Liability Insurance (CLI). As its name implies, it is specifically designed to cover users of technology services and products as it relates to the collection and usage of data. This insurance policy option could be applicable to liability resulting from data breach affecting client or user’s personal information. Depending on the insurance policy, it could also cover notification costs, cost of defending data breach claims, fines, credit monitoring, amongst others.
In Nigeria, there is no express provision for Cyber Liability Insurance (CLI). Notwithstanding, section 2(h) and (5), Insurance Act, Cap. I17 LFN, 2004, allows insurance companies to carry on new category of miscellaneous insurance business if they show evidence of adequate reinsurance arrangement in respect if that category of insurance business and requisite capital where necessary. Considering the level of cyberattacks and its potential to erode investor and user confidence in Nigeria’s budding cyberspace, it may be prescient that CLI products be introduced by insurance companies (few insurance companies have introduced the product, it is yet to gain full traction) in collaboration with National Insurance Commission (NAICOM) and NITDA such that it would be compulsory for DHs to insure the data they hold against theft, loss, damage, liability or damage arising from unauthorized access.
The provision of CLI would ensure that DHs pass the risk of potential liability to insurance companies which would in turn settle any claim that may arise in respect of the insurance policy thus boosting investors’ and users’ market confidence.
The threat of cyber-attacks pose a grave danger to upping the potential in big data in Nigeria. Investors must be assured of security of their investment in data companies whilst users must also have heightened confidence in the security of the system to protect personal information provided to DHs. In this regard, law enforcement agencies are constantly wading off cyberattacks through arrest and prosecution of offenders (which could take months and sometimes years) whilst the damage has been done leaving DOs distrust with the system.
The regulator, NITDA however need to put in place mechanisms to ensure that incidents of breach are disclosed to those affected and adequate compensation paid in the event the DO suffered damage as a result of the breach. Nonetheless to protect DHs, there should be collaboration with NAICOM (the insurance regulator), to provide compulsory CLI. This would ultimately increase liquidity in the insurance industry whilst ensuring incremental insurance penetration rate in Nigeria.
Chuks Okoriekwe is a commercial lawyer and practices with LeLaw Barristers & Solicitors.