There is a very high chance that, at some point in the last several years, your personal information was stolen through a data breach or otherwise. Not something small like your age or hobbies, but the deep stuff: bank details, emails, health information or academic information.

Have we all made this very easy for online fraudsters? You and I hand over this information every time we sign up for new apps, open a bank account, apply for online courses, or complete any of the other filings that go along with the modern online consumer-financial economy. With so much stolen information in circulation, there's almost certainly an oversupply of raw materials for fraud. But for the unlucky few, those of you who graduate from "data breach victim" to "identity theft victim," it is quite messy.

This was the story of one Seguya, whose identity was stolen in 2016. Using a fake driving permit in Seguya's name, his photo downloaded from LinkedIn and private information accessed from the database of Seguya's employer, the fraudster went from bank to bank over three days in August that year setting up accounts. The fraudster registered a business, opened another bank account and told the bank he was in auto sales.

He then sold one car to two people. Police tracked down the real Seguya (the victim) a few months later and arrested him. The real Seguya had no idea what this was all about, but all the evidence pointed towards him. The extent of the damage, and the time it took to clean it up, is something to worry all of us. The fraudster's wreckage intruded on Seguya's financial life; for example, his bank account was frozen.

Seguya's story has exposed the vulnerability of the systems that guard the private information we casually hand over to companies, health-care providers, and government. At the time, there was no law to protect his data.

The recently enacted Data Protection and Privacy Act, 2019 is a positive step to curtail this vice. The law imposes a duty on any data controller, collector or processor to ensure the security and integrity of data.

Security measures prescribed include adopting appropriate, reasonable, technical or organisational measures to prevent loss, damage or unlawful access of the personal data.

This includes identifying foreseeable internal and external risks, regularly verifying safeguards and updating them to respond to new risks. This is good on paper, but it remains to be seen how this can be enforced, bearing in mind the cost and technical requirements of these measures.

Where there is a breach, the law requires the data controller to immediately notify the National Information Technology Authority (NITA) so that remedial action can be taken. NITA then determines whether the data controller or processor should notify the victim of the breach.

This notification must provide sufficient information regarding the breach. Knowing the bureaucratic nature of our institutions, one wonders whether this is practical.

While the law is in place, we need regulations to clear up some of the ambiguities in the law so that everyone's data is protected. The law seems to be slower than the fraudsters, and this is a recipe for disaster.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.