NCBA fined Sh250,000 for sending customer’s data to wrong email address


NCBA Bank has been ordered to pay one of its customers Sh250,000 for sending his sensitive data to the wrong email address in a privacy breach.

The Office of the Data Protection Commissioner (ODPC) sided with Brian Githaiga, who complained that the lender did not correct and update his email address even after being informed several times that it was wrong.

By failing to correct the address, the bank continued to send Mr Githaiga's transactions to the wrong person, even after the recipient also wrote back to the bank saying she did not have an account with them.

NCBA denied that it had recorded the complainant's incorrect email address and claimed that it was Mr Githaiga who had provided two email addresses on the application form when he opened the bank account.

The bank further claimed that Mr Githaiga had only requested it to delete the second email address from his business account details, which it did on the same day.

An ODPC investigation found that the complainant had indeed provided two different emails when opening the account, but had requested the deletion of the second address, which was not executed, contrary to the bank's claim.

“The office finds that despite the allegations by the respondent that the complainant’s instructions for deletion were executed on 7th July 2023, the complainant provided evidence to the contrary,” said data commissioner Immaculate Kassait in a ruling published last week.

“The respondent (NCBA Bank) is hereby found liable for violating the complainant’s right to erasure…[and is] ordered to compensate the complainant Sh250,000.”

This is not the first time that spam emails have cost a Kenyan bank in a data breach.

Last year, the ODPC ordered Family Bank and SBM Bank to pay Sh250,000 and Sh450,000, respectively, to individuals to whom they had erroneously been sending emails while ignoring their complaints.

In all three cases, the common violation cited by the data privacy regulator is the right of erasure, which entitles data subjects to have their data erased or changed within 14 days of making the request.

The regulator also found that all three lenders had “intentionally or negligently” violated the complainants’ rights by continuing to ignore the users’ requests for erasure.

Outside the banking sector, telecommunications firm Zuku has also recently suffered a similar blow from the data regulator for failing to delete the contact information of a customer who was no longer a client.
