On 27th December 2019, multiple news outlets reported that a breach had occurred on the website of the Lagos State Internal Revenue Service (LIRS), which led to confidential information of taxpayers being visible to other users of the website. LIRS subsequently confirmed that a breach occurred but downplayed its extent, stating that sensitive financial information was not exposed. Thankfully, the breach was contained quite quickly; things could have been much worse, which is why the National Information Technology Development Agency (NITDA) announced that it would be conducting an extensive investigation into the processes with which data is handled by LIRS and other organisations in similar positions, which are known technically as data processors or data controllers. One good effect of this incident is that it shed new light on the issues of data protection, privacy and the regulations through which they are protected in Nigeria. Although those issues have become very prominent outside the shores of Nigeria, they still remain on the back burner in the national consciousness as well as in governmental law and policy making.
That is troubling in light of increasing technological interconnectedness as well as the ability of corporate bodies to acquire immense amounts of information from an individual with or without the person’s knowledge and/or informed consent.
As a side note, the emphasis on the consent being informed is essential because the terms and conditions for accessing products and services, especially on the internet, are often worded in a deliberately convoluted manner so as to make it difficult for an end user to be certain what exactly he or she is agreeing to, making it possible for companies to acquire, use and even sell the personal data of their customers with little or no restrictions. Thus, while it is sometimes out of one’s control how data is utilised such as in the case of LIRS, there are certain precautions which can and should be taken by every individual and business in order to ensure that their sensitive information is secure and that the risk of breaches is eliminated or at least brought to the barest minimum.
The first precautionary step you should begin taking immediately is to consciously give out as little data as you can. If you spend even a brief period of time on the internet, you will come across many websites, services, products and organisations which will ask you to give them some information about yourself or another. It is important to keep in mind that the more places in which you deposit your data, the higher the likelihood that a breach will affect you. There are legitimate instances where it is essential to give out your data, but there are also other instances which you can and should avoid as much as you can, such as publishing sensitive information on social media or using official email accounts to sign up on random websites. One poignant example of how people expose themselves to data breaches can be seen on social media platforms such as Twitter and Facebook, where people post everything from their names, addresses, dates of birth and even bank details in the name of giveaways or other similar activities. Because these details are often given separately and in isolated instances, people often believe that they are safe. In reality, however, persons intending to commit identity theft or other forms of fraud can easily find these disparate pieces of information and piece them together in order to get a full profile of such individuals, which they can then use to impersonate and defraud them.
The next step is to ensure that your devices are secure – without this, all of your effort to reduce sharing sensitive information would be ineffectual. All your activity online is done through one device or another. That may be your computer at work, your personal laptop, your phone or tablet or any other device but what is common with all of them is that they are susceptible to being exploited by hackers or other persons with nefarious intent if you do not keep them secure enough.
Keeping your device secure consists of both physical as well as digital actions. On one hand, you must ensure that your devices are set to lock when you are not using them in order to prevent them from being accessed by people without your authorisation. In the case of flash drives or external hard drives, it is also important to keep them in a place where you are able to monitor who accesses them at every point in time.
On the digital side of things, you must ensure that your devices are equipped with quality antivirus software. Such software must be kept updated so as to be able to prevent even the latest malware from being installed on your devices. Unless you are running a business with extremely valuable and sensitive information (customers’ financial details, for instance), a free software package should normally suffice. The crucial thing is to keep it up-to-date. If you require more advanced protection for your business, you should consider consulting an expert to find the best solution for your needs.
Password hygiene is the third strategy you should adopt immediately. If you’re like most people, you probably have a default password which you use across all the different websites, services and other online portals which you access on a regular basis. This makes sense to the extent that it makes it easy to remember your passwords. The danger, however, is that if a single one of those platforms is breached or somebody is able to decipher your password on one platform, such a person can get access to every single one of your other platforms without any difficulty.
To prevent that happening, some best practices you should adhere to include having a separate password for different services or at least having a group of passwords which you rotate randomly. Secondly, make sure that your passwords are random so that people who know some personal details about you cannot put two and two together to figure out what your password or PIN is. For instance, you should never use your date of birth as your ATM PIN.
In addition, make sure that you change your password regularly just in case there has been a breach you do not know about. Lastly and perhaps most importantly, on sites and services where it’s available, be sure to turn on two-factor authentication, which basically means that a code will be sent to your phone which you then have to enter into the website before you are able to access it. That way, nobody can access any platform with your identity unless they also have access to your phone.
In conclusion, it is clear that while certain things are out of your control, there are several things you can do to make sure that your data and privacy are assured online and offline. The National Information Technology Development Agency has been taking several steps to secure the data of Nigerian citizens and ensure that corporate bodies act responsibly with the information that they have acquired (such as the release of the Nigeria Data Protection Regulation (‘NDPR’)), but there’s still a long way to go. That makes it essential that individuals also take precautions to assure their own privacy.
Whether as an individual or as a business, keeping your data secure is a priority, and with the tips above you can be sure that you would have increased your data security significantly. As digital activities continue to become the mainstay in every sphere, the threats will increase and keeping your data safe will continue to grow in importance and urgency. Start today to avoid falling victim.
- Adekunbi, a law practitioner, writes in from Ilorin, Kwara State.