The recent data breach at Naivas, one of Kenya's largest supermarkets, is a stark reminder of the need for firms that collect large amounts of personal data to ensure rigorous compliance with the Kenya Data Protection Act (DPA, 2019).
The breach reportedly involved customer and staff data, allegedly stolen by hackers.
Naivas issued a statement acknowledging the breach and stating that they have engaged a cybersecurity firm to investigate the matter.
This breach highlights the need for companies to be transparent about the data they collect and how it is used.
Consumers have a right to know what data is being collected, how it is being used, and how it is being protected. Firms that collect personal data must comply with the law.
Globally, retailers who have suffered such data breaches or theft have paid a steep price.
For example, in the US, Target suffered a massive data breach in 2013 that compromised the personal information of 110 million customers.
This breach resulted in Target paying out $18.5 million in settlements and fines to various regulators, including $10 million to settle a class-action lawsuit brought by affected customers.
Additionally, the company's reputation and stock price took a hit.
Ditto, British supermarket Morrisons in 2014, where a former employee leaked the personal data of nearly 100,000 staff members, including names, addresses, bank account details, and salaries.
The employee was sentenced to eight years in prison for fraud and data theft, and Morrisons was found liable for the breach in a class action lawsuit brought by 5,000 employees.
The company was ordered to pay out £2.5 million in compensation and was found to be in breach of the UK Data Protection Act. The company's reputation was also damaged.
These examples demonstrate the severe financial and reputational consequences that can result from data breaches, even for large and well-established companies.
As the Naivas breach has shown, supermarkets in Kenya are not immune to the risk of data breaches, and must take appropriate measures to protect customer data.
Kenyan has the Office of the Data Protection Commissioner to enforce the DPA, which imposes significant fines for violations of data protection rules.
It is essential that companies in Kenya comply with these regulations and take all necessary measures to protect their customers' personal information.