The NDPC Fines Fidelity Bank for Data Breach
On August 21, 2024, the NDPC (Nigerian Data Protection Commission) issued a huge fine of NGN 555.8 million to Fidelity Bank Plc. Since the commission was established on the 4th of February, 2022, this is one of the few penalties imposed on any organization.

The investigation into the data processing activities of the bank started with a complaint lodged with the NDPC. The complaint stated that the bank opened an account for the complainant with personal and sensitive data without the express permission of the subject.

According to the NDPC, “It is to be noted that the Commission’s initial decision was issued in July 2023, and a directive to pay a remedial fee was issued in December 2023, and over ten correspondents were exchanged. The Commission issued repeated warnings to no avail. The Commission gave several opportunities for full accountability for over one year, considering the need to encourage compliance as a culture. However, Fidelity Bank did not provide the requisite, satisfactory remedial plan.”

The NDPC was left with no alternative but to issue a fine.

NDPC Fines Fidelity Bank For What Reasons?

During the investigation, the NDPC found the data processing platforms of the bank lacking. Fidelity Bank was found guilty of the following:

Why Does It Matter?

Personal data is a very important part of every individual and organization. Some examples are: name, credit card number, bank details, age, etc. These data are often used by hackers and cybercriminals to perpetrate crimes like identity theft, fraud, and targeted accounts.

Since organizations like banks and businesses gather such information for processing, they need to devise means of data protection. To combat this, Nigeria passed the data protection bill into law as the NDPA (Nigerian Data Protection Act) on 12, 2023. This law guides all organizations towards maximum protection of Nigerian citizens’ data.

Now, this law isn’t limited to institutions in Nigeria.
For instance, a company in the EU is subject to the NDPA so long as the data of a Nigerian is involved. To break it down, these are some of the principles of data protection followed by every organization:

In addition to the above, businesses or organizations are mandated to outsource data processing to compliant third-party agencies only.

What Does This Mean for Nigerians?

The Nigerian banking sector lost approximately NGN 273 billion in 2022 and the number has spiraled beyond that. This shows the importance of data protection and security for banks.

Let’s link this back to the ‘NDPC fines Fidelity Bank’ fiasco. Based on the allegations, Nigerians who have accounts with Fidelity Bank are at higher risk of data loss to criminals. Why? The agency the bank uses to process personal data is not NDPA-compliant.

In addition to external threats, the personal or sensitive data of their clients is at risk from the inside. All it takes is one corrupt official and the rest is history. Really, the list is endless.

What Was The Bank’s Response to The Trending “NDPC Fines Fidelity Bank”?

The bank has denied all allegations of data violations by the NDPC. In a statement released on Thursday and signed by Dr. Meksley Nwagboh, Divisional Head, Brand & Communications, Fidelity Bank Plc said:

“Our attention has been drawn to a news story titled, ‘NDPC Fines Fidelity Bank for Data Breach.’

“While the matter is the subject of an ongoing engagement with the regulator, we wish to assure the public that we have conducted ourselves to the highest ethical standards by ensuring full compliance with existing laws on data protection.

“Below is a breakdown of our dealings with the NDPC since we received their letter informing us about an alleged data breach:

“On April 30th, 2023, we received a notice of investigation from the Nigerian Data Protection Agency (NDPA), now the Nigerian Data Protection Commission (NDPC).
“The investigation was in respect of a complaint from [name has been withheld to protect the identity of the complainant], who claimed that [name withheld] details were used to open an account in the bank without [name withheld] consent.

“Based on this notice, we conducted an internal investigation into the circumstances surrounding the claim and discovered as follows:

It continued:

“On May 2, 2023, we responded to the NDPC that the bank did not violate any law because there was no data breach and that the account opening process was not completed.

“On our part, we carried out due diligence by immediately blocking the account and subsequently closing the account when we did not receive the outstanding documents.

“At no point in the process was the account ever operational.

“On July 7th, 2023, we were invited for a pre-action meeting with NDPC. During the meeting, we restated our position as earlier communicated to them in our letter dated May 2nd.

“However, despite our explanation and evidence provided to support our claim, the agency informed us that they had reached a conclusion to impose a penalty on the bank.

“On December 5, 2023, we got a letter from NDPC demanding we pay a ‘remedial fee’ of N250 million within 21 days.

“We immediately commenced another round of engagements with the Commission as we were convinced we had not breached any existing law or regulation.

“While discussions were still ongoing with the NDPC, we received another letter on the 20th of August demanding that we now pay N555.8 million naira.”

What’s Next After NDPC Fines Fidelity Bank

As we anticipate further news on the situation, we hope Fidelity Bank proves its innocence. Otherwise, it might not survive the reputational and financial consequences.

The data breach at Fidelity Bank serves as a stark reminder of the risks associated with digital information. The fine imposed by the NDPC can’t even be compared to the threat it poses to individuals.
Financial institutions need to prioritize data security and invest in robust protection measures.

You can trust us at Johan Consults. If you are a business owner and you are struggling with NDPR and GDPR compliance, you can contact us for a consultation.