HSM LAW

The Impact of Data Breaches in the Cayman Islands

Data breaches have made recent headlines in the Cayman Islands and you may have wondered what they were all about, and why they matter. Their significance in Cayman’s legal landscape is briefly explained below by Cory Martinson (HSM Paralegal).

The Data Protection Act (DPA), which came into force in September 2019, defines a breach as a security failure that leads to a person’s data being unlawfully exposed, accessed, transmitted or otherwise processed. Personal data is broadly defined as any information that relates to an identifiable living individual. If you own a business with employees then your business is processing personal data even if the business does not collect personal data from customers. It is difficult to think of a business, government entity or organization that does not process some amount of personal data. The DPA is far-reaching.

A breach could be a misdirected email, the insecure destruction of records, a ransomware attack, the loss of a USB drive containing personal data or even unauthorized access to personal data by an employee of an organization. For example, if a hospital employee views an individual’s medical data without a legitimate business need, that activity may be a breach. Any unauthorized use of personal data could be a breach under the DPA, and all organizations in the Cayman Islands, including government and private entities such as law firms, supermarkets, churches, gas stations, hotels, banks and clubs, are subject to this law.

Every organization has an obligation under the DPA to ensure it has taken appropriate organizational and technical measures to guard against the unlawful processing of personal data. If an organization has a breach and is found not to have implemented appropriate technical and organizational measures, it could be subject to enforcement action by the Ombudsman, which is the oversight body for the DPA. Examples of organizational measures include privacy policies, training for staff on the DPA and physical security such as locking filing cabinets and limiting access to personal data in paper format. Technical measures would include alarms, CCTV, computer firewalls and the use of encryption. Collectively, these measures increase an organization’s security posture and resilience to personal data breaches. The appropriate security measures for each organization will depend on the volume and types of personal data it collects, as well as its financial and technical resources. For example, the Health Services Authority would be expected to have multiple layers of security and protocols protecting the medical data it processes, while a bakery may only be required to have basic physical and technical security measures to protect employee personal data.

If an organization experiences a breach, the DPA requires that it be reported to the Ombudsman within 5 days. All individuals affected by the breach must also be notified within the same period. This requirement can be difficult to meet in some cases, especially when hundreds, or thousands, of people may be affected.

The Ombudsman’s office has broad investigative and enforcement powers that enable it to regulate and enforce compliance with the DPA. The office can issue fines of up to KYD 250,000 for non-compliance with the DPA, and if a matter is referred to the Department of Public Prosecutions, the courts may also impose penalties of up to KYD 100,000. The chance of being penalized for a relatively minor first offence is low, and the Ombudsman has yet to levy any financial penalties. However, over time, the Ombudsman may become less willing to forego enforcement action as the DPA will no longer be considered “new” (it came into effect in September 2019) and there will be more of an expectation that organizations should “know better”. In addition, under the DPA, a person who suffers damage (which may include financial damage or mental pain or anguish) by reason of a contravention by an organization of any requirement of the law has a cause of action for compensation from the data controller for that damage.

When an organization experiences a breach there is a 4-step process it should follow:

  1. Contain the Breach: just as if you were on the water in a boat that sprang a leak, you would want to do everything possible to stem the flow of water; the same goes for a breach. The organization must take immediate steps to prevent the further exposure of the personal data. These steps may involve shutting down computer systems, reporting a stolen laptop to the police or the physical or technical recovery of the compromised personal data.
  2. Evaluate the Risks: carefully consider the risk of harm to the individuals affected as well as to your organization. Some of these risks include financial harm, reputational harm, embarrassment, physical harm and identity theft.
  3. Notify: notify the Ombudsman and the individuals affected within 5 days of discovering a breach. The notification of a breach to the Ombudsman should be in writing, but notification to the individuals affected could be by phone, a prominent ad in the newspaper, an email or in person. Notification by phone or in person should be followed up in writing. The notification must describe the nature of the breach, the consequences of the breach, the steps taken or proposed by the organization to address the breach and the recommended measures to the affected individuals to mitigate the possible adverse effects of the breach.
  4. Prevention: carefully investigate the cause of the breach and take reasonable steps to prevent breaches in the future. The cause of some breaches may be self-evident and easily rectified, while others may require forensic computer analysis and the implementation of robust security measures, including staff training and written policies and procedures.

Breaches can be time-consuming and costly. The costs of legal advice, notification of the individuals affected, potential lawsuits, security audits and potential fines from the Ombudsman and the courts have the potential to be devastating to some businesses and to the individuals affected. IBM Security’s Cost of a Data Breach Report for 2021 found that, globally, the average per-record cost of a breach was USD 161. Prevention is key and, while it is often not a high priority for organizations, it has the added benefit of enhancing customer satisfaction, which can, in turn, increase reputation and revenues. Privacy is becoming ever more essential to a modern economy. As data protection awareness grows, so will the need for Cayman businesses and organizations to be privacy savvy.