The National Information Technology Development Agency (NITDA) has slammed a N5 million fine on Electronic Settlement Limited after finding the company guilty of a data breach.

NITDA’s Head of Corporate Affairs and External Relations, Hadiza Umar, disclosed this on Monday in a statement, the Voice of Nigeria reports.

The agency imposed the fine after it conducted investigations, which included a visit to the company’s Lagos office, a thorough analysis of its submitted technical documents, and interrogation of its staff members.

It ordered the company to pay N5 million “as fine in line with the requirements of the NDPR.”

The statement by Ms. Umar said, “We have established that there was a data breach involving the company. We commend Electronic Settlement Limited for the actions taken to mitigate this breach. 

“Particularly, it’s taken full responsibility for the breach; updating identified security issues, cooperation with the NITDA investigation team, recruitment of a data protection compliance organisation, submission of its NDPR audit report, and generally improving its compliance with the NDPR.”

Applauding the company’s sense of responsibility and its resolve to protect the data of its customers, she pointed out that the agency’s objective of the investigation “was to access the risk resulting from the breach, with a view to identifying the causes, remedial actions taken and other necessary issues to avoid recurrence.”

To further avoid a repeat of the breach, improve security and data protection, and comply with NDPR provisions, the agency said, “Electronic Settlement Limited shall (be) under a six-month information technology oversight by NITDA. The oversight shall involve oversight of the implementation of prescribed security controls and processes.

“That a clear data security and governance document is drawn up between the Electronic Settlement Limited and all its Information Technology services vendors identifying roles, responsibilities, and processes involved in securing and protecting personal data.

“That the company conducts regular NDPR training for all staff, publish and implement appropriate policies as required by the NDPR.”

The agency also directed the firm to submit its 2020/2021 regulatory audit (as required by Article 4.1.6 of the NDPR, conducted by a Data Protection Compliance Organisation (DPCO) as licensed by NITDA), conduct Data Protection Impact Assessment on some data-intensive applications, and products.

“The agency has graciously approved the extension of time to file the annual audit report to 30th June 2021,” said the statement.