
On Lagos State Internal Revenue Service (LIRS) data breach

by Chris
July 29, 2025
in Analyst Insight

By Michael Irene, PhD

 

As part of its mission to ensure that companies comply with the new Nigerian Data Protection Regulation, the National Information Development Agency (NITDA), on Friday, 27th December 2019, reported a data protection breach involving the Lagos State Internal Revenue Service (LIRS). The report gives a broad perspective of the breach. However, it contains no specific details of how many data subjects were affected, when the breach occurred or how it occurred, nor does it suggest incident management strategies. This article highlights steps LIRS must take to manage this incident.

First, LIRS has duly observed the duty to notify the regulator of a personal data breach, a duty that arises once the controller has become aware of the breach. This is a laudable step and a welcome development (because breaches, before now, were usually not reported).

Second, LIRS must inform data subjects of personal data breaches if those breaches are likely to present high risks to the rights and freedoms of individuals. A notification pop-up appears on LIRS’ website notifying the public about the breach. This, again, must be applauded as these are concrete steps in a good-quality incident response strategy.

It must be said that any organisation with NDPR programs already underway will be familiar with the principles of good program design that underpin the success of any large-scale regulatory business transformation exercise. A regulatory body like LIRS must have successful programs united and guided by a board-endorsed vision and integrated into operations through strategy and the necessary organisational structures, ensuring that technical and organisational controls are employed.

A strong security program should not only be a consideration for data protection regulatory compliance; it should also be part of a standard organisational management process that LIRS must have developed to protect its financial, operational, reputational and legal interests. This program should have been embedded in their NDPR compliance mechanisms before now.

But a mere visit to the LIRS site shows otherwise. The basic NDPR requirements are missing. For starters, LIRS has no privacy policy or cookie policy on their website. This highlights where they stand concerning data protection. One wonders, therefore, how capable they are of managing this recent incident.

Below, I illustrate the kind of issues that LIRS will address during the development of their positions for compliance with the NDPR security principle and risk reduction in the future.

The causes of security failure are multiple, ranging from accidents (unintentional) to deliberate (intentional) actions, but LIRS must address the following factors:

• Perform threat and vulnerability assessments and security maturity assessments

• The management of security

• Human factors

• The physical environment

• The cyber and technology environment

• The policy, controls and business processes framework

• Incident detection and response

Of course, for LIRS to be able to perform comprehensive risk assessments, it needs to identify and understand the full information lifecycle. LIRS should go through a data mapping and inventory exercise to be able to pinpoint all points of data capture and data entry, and should be able to plot the flow of the data through the organisation until the point of redundancy is reached, when the data is finally deleted or destroyed.

In the current incident response, their incident response plan must include the following essentials:

• Formal understanding and approval by senior leadership;

• A governance model connected both to the anticipatory aspects of incident response and the response aspects of incident response;

• Principles for decision-making. The incident response team, if any, and everyone involved with the performance of incident response functions must know how, when and why decisions can be made and for what purpose;

• A list of who will be involved and what their roles will be;

• Predictive, forward-looking outcome analysis;

• Compulsory reporting of ‘unusual’ events;

• Performance metrics—what is a successful response?

The threat and vulnerability assessments and maturity assessments that are performed for general security purposes will guide the organisation in the right direction, but, as well as installing necessary incident detection technologies, such as intrusion detection, the organisation needs to understand whether it is already compromised. One of the great problems with cybersecurity is that criminals and hackers are both patient and good at hiding their tracks. It is very common for cyberattacks to lie unnoticed on a network, even for many years. Therefore, compromise testing needs to be performed using advanced forensics techniques.

Even world-class security programmes get hacked. It is better for LIRS to know, analyse and respond to the existing threat than to be in the dark.

Another critical building block for managing the incident properly from LIRS’ perspective is a taxonomy and classification scheme, so that everyone knows the sensitivity and personal nature of the data compromised in the current breach. Misclassification is a very serious problem in incident management as this may lead the organisation to reach the wrong conclusion on treatment of breaches.

Moving forward, LIRS must develop a good incident response plan that is well rehearsed. The triage and remedial steps that need to be taken should be identified in advance of an incident, which will help to minimise the risk of damage to the organisation.

This is an opportunity for NITDA to show that it’s very serious about the data protection regulation in Nigeria. They must be shrewd and diligent in handling this LIRS breach.

 

_______________________________________________________________________

Twitter: @moshoke

Email: mike@mireneglobalconsults.com.ng
