By Olumide Babalola, PhD
The recent (and reportedly avoidable) data breaches involving the Corporate Affairs Commission, Remita (the vendor managing the Federal Government’s Treasury Single Account infrastructure) and certain financial institutions have not triggered the level of public reaction one might ordinarily expect from incidents of this nature. This muted response is revealing, not of the insignificance of the breaches, but rather of the relatively low public consciousness around data protection and the value of personal information in Nigeria, including among educated stakeholders.
One is left to contrast this with what typically happens when financial systems are compromised in a way that directly threatens funds. In those instances, public reaction is immediate and intense, leading to panic withdrawals, widespread alarm, and rapid institutional response. Yet where the compromise concerns “only” personal data (names, identifiers, financial metadata, or transactional traces) the reaction tends to dissipate quickly, and normal activity resumes almost uninterrupted. This phenomenon reflects a typically Nigerian kind of privacy apathy that we have seen in the past, though that is not the central concern here. The more pressing issue is how this environment may inadvertently embolden post-incident silence or regulatory minimalism by affected institutions.
This article is concerned not with assigning blame for the breaches themselves, nor with undertaking a forensic post-mortem of how they occurred. Rather, it focuses on what happens after the breach (i.e the post-crisis compliance posture of the affected entities, particularly from the standpoint of Nigeria’s data protection framework.
Article-crisis compliance gap
Cybersecurity discourse has long recognised a difficult truth succinctly captured by Dmitri Alperovitch, co-founder of CrowdStrike, who observed that: “There are only two types of companies: those that have been breached and know it, and those that have been breached and don’t know it.”
This framing, though colloquial, reflects a deeply embedded reality of the modern digital ecosystem i.e system compromise is often not a question of if, but when, and in many cases, how long it remains undetected. The implication of this in regulatory terms is significant. It shifts attention away from prevention alone and places equal weight on detection, disclosure, and response.
The Nigeria Data Protection Act 2023 (NDPA) clearly anticipates this reality. It imposes obligations not only at the point of collection or processing, but also in the aftermath of a breach. Hence, where a personal data breach presents a high risk to the rights and freedoms of data subjects, the Act requires prompt notification to the affected individuals. That notification is not meant to be perfunctory, but it must be sufficiently detailed to inform data subjects of the nature of the breach, its likely consequences, and the practical steps available to mitigate harm. Depending on the circumstances, this disclosure may be made directly or through public communication channels.
In practical terms, this is a statutory recognition that silence is not a neutral option after a breach. Non-disclosure can itself deepen harm by leaving data subjects unaware, unprotected, and unable to take remedial steps.
In that regard, it is striking that days after the reported breaches involving key national institutions and financial infrastructure actors, there is no evidence of meaningful and detailed public notification to affected individuals. The absence or delay of such notification raises a serious question of continuing non-compliance because under the NDPA, breach obligations are not discharged by containment alone, they extend into transparency and accountability after the event.
As cybersecurity expert Kevin Mitnick once put it: “The only way to deal with a data breach is to be honest, quick, and informative.” That principle aligns closely with the spirit of modern data protection regulation, which treats transparency not as an administrative courtesy, but as a legal obligation. Delayed or absent communication is not merely poor practice, it may itself constitute a further breach of statutory duty, particularly where individuals remain exposed to risks arising from the initial compromise.
The regulatory enforcement gap
There is also a secondary, and perhaps more systemic, concern. The NDPA mandates the Nigeria Data Protection Commission (NDPC) to issue guidance and subsidiary regulations setting out clear procedures for breach notification, including how organisations are to inform affected individuals. Sadly, such regulatory instruments, which are essential for translating statutory obligations into operational clarity, have not been issued by the regulator.
It goes without saying that that where such detailed procedural guidance is not readily accessible, consistently published, or actively enforced, a compliance vacuum may emerge. In that vacuum, organisations are left to interpret their obligations in a fragmented manner, and enforcement becomes inconsistent. The result is predictable: uneven or non-compliance, delayed or no notifications, and weak accountability structures.
This is not merely an administrative inconvenience. In data protection systems, clarity is itself a form of enforcement. Where regulated entities are uncertain about procedural expectations, compliance tends to default to minimalism. Conversely, where regulators provide clear, visible, and consistently enforced standards, breach response becomes more disciplined and transparent.
Concluding reflection
Ultimately, the issue is not only that breaches occur, it is that the post-breach ecosystem in Nigeria is not developing as it should. The legal framework under the NDPA is robust in principle, but its effectiveness depends heavily on how seriously post-incident obligations are treated by both regulated entities and the regulator. Until breach notification becomes as routine and consequential as breach prevention, the protection of personal data will remain incomplete. In that sense, the real test of Nigeria’s data protection regime is not whether breaches can be prevented entirely, but whether, once they occur, the response is timely, transparent, and meaningful enough to preserve the rights the law is designed to protect.
