Liability for Data Breaches in Commercial Contracts: Risk Allocation in the Age of Cyber Threats

1. Introduction

The prevalence of digital commerce and data-driven business models has transformed the global commercial landscape. However, this transformation has been accompanied by an escalating threat from cyber attacks and data breaches. When commercial parties enter into contracts involving data processing, transmission, or storage, they must necessarily address the allocation of liability arising from potential data breaches. In response, commercial actors increasingly rely on contractual mechanisms such as indemnities, limitation of liability clauses, warranties, and insurance provisions to allocate and mitigate these risks.

Data breach liability operates at the intersection of multiple legal regimes. It is not confined to breach of contract but extends to statutory liability under data protection laws, tortious claims such as negligence, regulatory enforcement actions as well as fiduciary concerns in certain relationships.

Nigeria, as an emerging digital economy with a growing e-commerce sector, has begun to grapple with these issues. The Nigeria Data Protection Act (NDPA) represents a significant legislative response to these challenges, establishing a comprehensive framework for data protection and imposing non-delegable obligations.[1] However, the interplay between the NDPA and commercial contract law remains underdeveloped, creating significant uncertainty for contracting parties seeking to allocate liability for breaches.


2. The Statutory Framework in Nigeria

The NDPA constitutes the primary legislative framework governing data protection in Nigeria. The Act establishes a comprehensive regime imposing duties upon data controllers and processors regarding the collection, processing, storage, and transmission of personal data.

The NDPA defines a data processor as ‘an individual, private entity, public authority or any other body, who processes personal data on behalf of or at the direction of the data controller or another processor.’[2] A critical obligation imposed upon data processors is contained in Section 29, which requires that a processor shall not engage another processor without prior specific or general written authorisation from the controller. This establishes a hierarchy of responsibility, with the controller bearing ultimate accountability for the acts of processors.

Section 29 of the NDPA also imposes what may be characterised as a ‘standard of reasonable security’ upon data handlers. It provides that ‘a data handler shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk.’ This formulation, similar to Article 32 of the General Data Protection Regulation (GDPR),[3] does not establish an absolute liability regime. Rather, it imposes a duty of reasonable care proportionate to the risk posed by the nature and extent of the personal data in question.

Notably, the NDPA does not explicitly require breach notification in all circumstances. Instead, Section 40 provides that notification to the Commissioner is required ‘in the event of a personal data breach,’ with failure to notify constituting a ground for administrative sanctions. However, the Act does not expressly impose a duty to notify affected data subjects, a significant departure from the GDPR’s mandatory notification regime.

Beyond the NDPA, Nigerian law protects personal data through constitutional provisions and the common law of tort. Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) provides that ‘the privacy of citizens, their families, homes, correspondence and other communication shall be accorded recognition and respect.’ This constitutional guarantee has been interpreted by Nigerian courts as establishing a fundamental right to privacy that can ground tortious liability.

At common law, the tort of negligence provides a potential cause of action where a data processor owes a duty of care to a data subject and breaches that duty, causing loss. In the context of data processing, courts have begun to recognise that processors owe a duty of care to data subjects regarding the security of personal information.

2.1 Administrative Sanctions Under the NDPA

The NDPA establishes a comprehensive administrative penalty regime enforced by NITDA as the data protection authority. Section 47 empowers the Commission to issue written warnings, prohibit processing of personal data, suspend data transfer operations, and impose fines. Whilst these administrative remedies are not directly relevant to contractual liability between commercial parties, they establish baseline standards of conduct that courts may regard as relevant to assessing whether a processor has met contractual obligations regarding security.

The existence of administrative penalties does not eliminate private law liability. Rather, as will be discussed below, courts should regard breach of NDPA obligations as evidence of breach of contractual duty, save where the parties have expressly agreed to a different standard.

3. Contractual Allocation of Liability

3.1 Indemnification Clauses

In commercial contracts involving data processing, parties typically seek to allocate liability through indemnification clauses. An indemnification clause is a part of a contract which contains an agreement not to hold a party liable for losses that would occur from specified events. In the context of data breaches, the processor typically agrees to indemnify the controller against liability to data subjects and third parties arising from the loss of the controller’s data.

However, Nigerian courts have consistently held that indemnification clauses must be construed strictly, particularly where they purport to exclude or limit liability for breach of statutory duty. In Curtis v Chemical Cleaning & Dyeing Co, it was held that a party seeking to exclude or limit liability must do so in clear and unambiguous terms, and the clause will be construed against the party relying upon it.[4]

This principle has particular significance in the data breach context. If a processor seeks to exclude liability for breach of NDPA security obligations through an indemnification clause, a Nigerian court would likely require that the exclusion be express, unambiguous, and clearly brought to the attention of the data controller. Furthermore, a court might decline to enforce an exclusion that is manifestly unreasonable or contrary to the fundamental purpose of the NDPA.

It is submitted that indemnification clauses should distinguish between breaches arising from the processor’s negligence or breach of the NDPA; breaches arising from the controller’s instructions or failure to provide necessary security measures; and breaches arising from force majeure events. A blanket indemnification by the processor for all breaches would likely be unenforceable, whilst a narrowly tailored clause allocating responsibility would be upheld.

3.2 Limitation of Liability Clauses

Commercial contracts frequently contain limitation of liability clauses that cap recoverable damages at a specified amount, such as the value of the contract or a multiple thereof. However, these clauses face particular challenges in the data breach context.

First, the harm caused by data breaches often extends far beyond the direct value of the contract. A breach of a database containing millions of customer records may cause losses to data subjects and the controller vastly exceeding the contract value. A limitation clause capping liability at the contract value may therefore be wholly inadequate to compensate actual losses, raising questions as to whether such clauses represent a genuine allocation of risk or an unconscionable attempt to exclude liability.

Second, Nigerian law imposes constraints upon limitation clauses through the general principles of contract law. A limitation clause will not be enforced if it is ambiguous, unreasonable, or contrary to the fundamental purpose of the contract. In the data breach context, a court might conclude that a limitation clause that permits a processor to profit from inadequate security measures (by capping its liability exposure whilst collecting processing fees) is unreasonable.

Comparative analysis with English law and European law is instructive. Under the GDPR, Article 82(6) explicitly permits member states to limit damages to non-pecuniary harm where the processor is not found to be directly responsible for the damage. However, the Regulation does not permit the outright exclusion of liability for breach of data protection obligations. English common law similarly implies a term of reasonable care into contracts for the provision of services, which cannot be entirely excluded.

It is submitted that Nigerian courts should adopt a similar approach: whilst limitation clauses allocating liability proportionately to fault are permissible, absolute caps that prevent recovery for catastrophic breaches should be scrutinised and may be unenforceable.

4. The Problem of Conflicting Standards

A central tension arises where contractual terms conflict with statutory obligations under the NDPA. Consider a case where a data processor’s contract with a controller imposes a security standard of ‘industry standard encryption and firewalls,’ whilst the NDPA requires ‘appropriate technical and organisational measures commensurate with the risk.’ If a breach occurs due to the processor’s failure to implement emerging security technologies not classified as ‘industry standard,’ has the processor breached the contract?

The resolution of this question requires courts to engage in what may be termed ‘statutory harmonisation’, interpreting contractual terms in light of their statutory context. Nigerian courts have begun this analysis in related contexts. Applied to the data breach context, this principle suggests that a contractual obligation to implement ‘appropriate’ security measures should be read as incorporating, by reference, the standard of reasonableness established by the NDPA and evolving cyber security best practices. A processor cannot escape NDPA compliance by drafting a contract imposing a lower standard.

However, contracting parties may allocate the risk of compliance differently. For instance, a contract might provide that the processor implements security measures specified by the controller; if the controller’s specified measures prove inadequate, liability falls upon the controller; and if the processor’s failure to implement agreed measures causes loss, liability falls upon the processor. Such an allocation does not violate the NDPA; rather, it allocates responsibility for different aspects of compliance between parties.

The critical distinction is between contractual terms that excuse compliance with mandatory statutory duties (which are unenforceable) and contractual terms that allocate liability for compliance failures between parties in accordance with statutory principles (which are enforceable).

5. Third-Party Rights and Data Subject Claims

A particularly vexing issue arises in determining whether a data subject who suffers loss as a result of a data breach can recover directly against a processor, or whether recovery must be sought through the data controller. The traditional common law principle of privity of contract provides that only parties to a contract can sue for its breach. Consequently, if a processor breaches its contract with a controller, the controller may sue, but the data subject (who is not a party to the contract) may not.

However, data subjects may pursue alternative claims. First, they may sue the processor in the tort of negligence if they can establish that the processor owed them a duty of care regarding the security of their data. In the United Kingdom context, the Supreme Court in Caparo Industries plc v Dickman established a three-stage test for establishing a duty of care, namely foreseeability of loss; proximity between defendant and claimant; and whether it is fair and reasonable to impose a duty.[5] Loss arising from data processor negligence is foreseeable to data subjects, and they arguably possess proximity where the processor holds their personal information. Whether a duty is ‘fair and reasonable’ remains contested.

Second, data subjects may invoke statutory rights. The NDPA, whilst not expressly creating private rights of action for data subjects against processors, establishes statutory duties that courts may regard as actionable by persons intended to benefit from those duties. This principle, derived from the landmark judgment in Anns v Merton London Borough Council, suggests that breach of statutory duty regarding data protection may give rise to private law liability.[6]

Third, Nigerian courts may imply contractual terms for the benefit of third parties in circumstances where the parties clearly intended to benefit those third parties. In the data processing context, it is arguable that the controller and processor contract with the (often unstated) intention of protecting data subjects.

Recommendation: The Nigerian Legislature should consider amending the NDPA to create an express private right of action for data subjects against processors who breach statutory security obligations, subject to appropriate limitations on recoverable damages and defences.

6. Causation and Defences

Even where a processor’s security measures prove inadequate, causation remains a critical element of liability. A breach of security obligations only grounds liability where it caused loss to the controller or data subject. Difficult questions arise where multiple factors contribute to a breach.

Consider a situation where a processor implements industry-standard encryption and firewalls but fails to patch an identified vulnerability. An attacker exploits this vulnerability, breaching the database. Has the processor caused loss, or did the attacker’s criminal conduct constitute an intervening act breaking the chain of causation? Nigerian tort law requires that the defendant’s conduct be a ‘substantial’ or ‘material’ cause of loss, not merely a but-for cause.

It is submitted that the processor’s failure to patch a known vulnerability constitutes a substantial cause of loss and does not break the chain of causation. The attacker’s conduct is not an independent, unforeseeable act but the predictable exploitation of a known weakness. However, where an attacker employs a novel, previously unknown vulnerability (zero-day exploit), the question becomes more difficult. A processor might argue that no reasonable security measures could have prevented such an exploit, constituting a force majeure defence.

The NDPA’s requirement of ‘appropriate’ security measures incorporates a reasonableness standard that necessarily accounts for evolving threats and available technology. A processor cannot be expected to implement measures against threats that do not exist and cannot be anticipated. Consequently, a force majeure or act of God defence may be available where a sophisticated, novel attack exploits a vulnerability unknown to the processor and the broader security community.

However, such defences should be narrowly construed. A processor alleging that an attack was unforeseeable must demonstrate that the attack method employed was not merely new but that reasonable security research and industry practices would not have identified the risk. The burden of establishing such a defence should fall upon the processor invoking it. Contributory negligence may also apply where both parties have contributed to a breach. For instance, if a controller fails to implement reasonable access controls on its systems and a processor fails to encrypt sensitive data, both may bear partial responsibility. Nigerian law permits the apportionment of liability in such circumstances.

7. Insurance and Risk Distribution

A practical consideration in allocating liability for data breaches concerns the availability and enforceability of insurance. Cyber liability insurance, insuring against losses arising from data breaches, network attacks, and related incidents, has become increasingly important in commercial practice. However, insurability affects the optimal allocation of liability between contracting parties.

If a processor can obtain cyber liability insurance covering data breaches at a reasonable cost, it may be economically efficient for the processor to bear liability and insure against the risk, rather than impose the risk upon the controller. Conversely, if a controller can better evaluate and manage the risks arising from its data holdings, it may be efficient for the controller to bear liability and procure insurance.

However, the availability of insurance should not distort contractual allocation of liability toward unjust outcomes. Insurance should be viewed as a supplementary mechanism for distributing risks after liability has been fairly allocated between parties. A processor should not be able to use insurance availability as a justification for evading liability for gross negligence or breach of fundamental security standards.

Furthermore, contracts should clearly address the treatment of insurance proceeds. Where a processor obtains insurance covering losses arising from the processor’s negligence, should the controller (who also has insurance) recover from the processor’s insurer, the processor itself, or its own insurance? Contractual clarity on this point prevents disputes and ensures that insurance achieves its risk-distribution function.

Recommendations: (1) Contracting parties should clearly address insurance obligations and entitlement to insurance proceeds in data processing agreements; (2) controllers should require processors to maintain minimum insurance coverage proportionate to the value and sensitivity of data processed; (3) insurers should be informed of contractual allocations of liability to ensure policies operate as intended.

8. Proposed Framework for Liability Allocation

Drawing together the foregoing analysis, this article proposes a principled framework for allocating liability for data breaches in Nigerian commercial contracts:

Processor Liability for Breach of Core Security Obligations

A processor shall bear strict liability for breaches of security obligations expressly undertaken in the contract or required by the NDPA, unless the breach resulted from: force majeure events (including zero-day exploits unknown to the security community); compliance with instructions of the controller that created the vulnerability; or the controller’s failure to implement reasonable access controls on its systems.

Controller Liability for Inadequate Instructions or Specifications

A controller shall bear liability where a breach results from the controller’s failure to specify adequate security measures or its failure to implement reasonable governance over the processing activities. This allocation reflects the controller’s superior knowledge of its data and business requirements.

Limitation of Liability

Limitation of liability clauses shall be enforceable up to a reasonable multiple of the contract value or a specified amount, provided that the limitation does not apply to breaches arising from gross negligence, wilful misconduct, or fundamental breaches of NDPA security standards; the limitation is clearly disclosed and accepted by both parties; and the limitation does not reduce recoverable damages below the actual demonstrable losses to data subjects.

Third-Party Rights

Data subjects should possess direct rights of action against processors for breach of statutory security obligations under the NDPA, subject to causation of loss and available defences. Such rights should be enforceable without regard to contractual allocation between controller and processor.

Insurance and Risk Management

Contracts should require processors to maintain cyber liability insurance proportionate to the risks posed by the data processed. Insurance should be regarded as a risk distribution mechanism supplementary to liability allocation, not as an escape hatch for liability.

9. Conclusion

The allocation of liability for data breaches in commercial contracts represents one of the most significant challenges facing Nigerian commercial law in the digital age. The current legal landscape, consisting of constitutional protections, the NDPA, common law principles, and contract law, provides a framework for addressing these challenges, but significant gaps and ambiguities remain.

The analysis herein demonstrates three points. First, statutory obligations under the NDPA establish a floor of required conduct that cannot be contracted away. Second, within the parameters established by statute, parties possess substantial freedom to allocate liability according to their bargaining power and respective risks. Third, contractual terms must be interpreted in light of statutory purposes and cannot be enforced where they would substantially undermine statutory protections.

Furthermore, this work reveals significant gaps in Nigerian law requiring legislative attention. The NDPA should be amended to create express private rights of action for data subjects against processors; establish a default allocation of liability proportionate to fault; clarify the enforceability of limitation clauses in data breach contexts; and address the treatment of insurance proceeds.

The cyber threat landscape will continue to evolve, introducing new challenges and vulnerabilities. The legal framework governing liability for breaches must likewise evolve, remaining responsive to technological change whilst maintaining the fundamental commitment to protecting the personal data of Nigerian citizens. This article contributes to that evolutionary process by establishing principles for fair allocation of liability that balance the interests of all stakeholders—data subjects, controllers, processors, and the broader public interest in a secure digital economy.

1. National Information Technology Development Agency, Nigeria Data Protection Act 2023 (NITDA, January 2019).

2. NDPA 2023, section 65.

3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) [2016] OJ L119/1, Article 32.

4. Curtis v Chemical Cleaning & Dyeing Co Ltd [1951] 1 KB 805.

5. Caparo Industries plc v Dickman [1990] 2 AC 605.

6. Anns v Merton London Borough Council [1978] AC 728.
