Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
Nigeria does not currently require the data protection authority or data subjects to be notified of in the event of a personal data breach. That said, the Nigerian Data Protection Regulation does impose a general duty of care towards data subjects, such as employees.
Employers who do not meet that duty of care are liable for the actions and inactions of those who handle the personal data that the employer collects. Therefore, while a data breach notification may not be required, it is a good idea to follow common international best practices and consider disclosing a breach to the data supervisory authority, when appropriate. Also, note that there is a draft Data Protection Framework from 2016, which could require data breach notification to the Nigerian Information Technology Development Agency (NITDA) in the future.