
Do as I say or the Data gets it! – understanding Data Breach consequences in the Cayman Islands

BSides Cayman Islands · 2023 · 46:57 · Published 2023-05
Category: Policy
Topic: Privacy
Style: Talk
About this talk
A lawyer examines data breach reporting requirements and consequences under Cayman Islands data protection law. The talk bridges cybersecurity and legal compliance, exploring what constitutes personal data, regulatory obligations, reporting timelines, and real-world fines—including Morgan Stanley's costly failures in hardware decommissioning and vendor oversight.
Transcript [en]

thank you

Good morning everybody, thanks for the introduction. That's taken about half of my starting-off points away. So, as was indicated, I'm actually a lawyer, so you may be wondering what exactly I'm doing here, because most typical lawyers don't really know anything about it, and I noticed as Andreas was speaking I have the proof of that, because I have bits of paper for my speech and he had a laptop, so I think that points out the difference. What I am here to do is tell you about some of the consequences I've dealt with as a result of data breaches, and, to Andreas's point, in interacting in those situations with all the techie folk there was very much a learning curve from their point of view as to what I was getting asked, and also a learning curve for me as to where they're coming from, how they've set things up and all that kind of thing. So I really think this intersection of policy and, in my particular focus, consequences is super important when you're putting the whole thing together. And as Andreas commented on one of the questions at the end, it's kind of, you know, it's the lawyers here and the CS people and the coders here, and we just need to get a lot closer together. So the point of this talk is really to run through the consequences, but also some of the reporting requirements, to show you, for the guys in the trenches with the actual coding and computers, what's going to be important.

So the first thing I did when I was asked to do this talk was try and figure out what is the difference between cyber security and data protection, and where do they interact. Basically, cyber security covers safety against cyber attacks, and data protection covers a set of issues related to data storage, management and access. The access part of it is largely where the cyber security comes in, because it's unauthorized access that cyber security is basically targeted against. So cyber security has a stronger focus on protecting the system itself, and the data protection legislation, and the policies that have to be put in place to comply with the legislation, are all going to be aimed at safeguarding personal data which is stored in that system, and it's all going to be driven by various regulations. So you've got HIPAA in the US, you've got GDPR in Europe, and here in Cayman we've got the Data Protection Act.

So let's start with what data are we protecting. When you're designing a system you've obviously got to know what it is I'm trying to ensure is going to be properly protected, and what it is is personal data, which is a super wide category. It's basically information about an individual; you couldn't really get much wider than that. To give you some examples, it's employee files, your email histories, the history of the posts to your favorite social network, records of your bank transactions and, more seriously, your medical records. Also, some personal data is actually said to be sensitive, so that is even more important, and the consequences for it getting out to the bad guys are even more important. Sensitive data is probably what you might imagine: it's genetic and health data, information on racial or ethnic origins, political opinions, religious or similar beliefs, sex life, and commission or alleged commission of offences.

So that is what we are protecting. What are we protecting it against? Well, the goal of data protection is to protect the privacy of the individuals concerned, but also strike a fair balance with the legitimate interests of the entities who need to use the personal data. There's a lot in the legislation about the word processing, and processing in its broadest term is holding data and using it in any way that's going to mean the Data Protection Law applies, which is a bit circular, but just really obtaining, recording and holding data is processing it; carrying out any operation or set of operations on it is processing it; organizing it, adapting it, altering it is processing it; retrieving it, consulting it or using it is processing it; disclosing it is processing it, etc. etc. So pretty much if you have some information on people and you hold it, or you use it to do payroll, you are processing data.

So the data protection principles. These are the ones that are in the Data Protection Act in Cayman, but they come out of and are common with the European and the UK standards, so GDPR, and now England has left the EU they've got their own legislation, but it's basically GDPR. Our Data Protection Act was based on the UK law before GDPR; it's not massively different, the principles are the same, there's just a few little things that we're talking about. So the data protection principles are: fair and lawful use, purpose limitation, data minimization, data accuracy, storage limitation, respect for the individual's rights, security, integrity and confidentiality, and then international transfers. You'll be very glad to hear that all we're going to really focus on today is the security, integrity and confidentiality. That is obviously, or the most obvious way I should say, that cyber security comes and interacts with data protection legislation and requirements in any organization. And I should just say that who has to comply with this is basically everybody: that's governments, that's organizations, that's not-for-profits.

Pretty much the only person who doesn't is you on your little home computer. Anybody else, pretty much, you do. And when I say on your home computer, I mean home computer sending emails to your friends, doing things on a personal level, not working from home.

I had to put this slide in because, data protection policy, this is the three monkeys with the see no evil, hear no evil, speak no evil, and it's kind of a summary of a data protection policy, but obviously it's going to have to be a little bit more detailed than that.

So looking at the security, integrity and confidentiality principle, what is it that you are actually required to do in terms of protective measures? This one goes a little bit into what Andreas was saying in terms of risk meets a sort of ability to comply, cost of compliance, etc. What the legislation uses is the word appropriate: you have to use appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. So there's a few different aspects to the principle. There's the organizational measures: staff training, policy development. There's the technical measures: physical protection of data, I can't say this word, pseudonymization (say it slowly), encryption, and then also securing ongoing availability, integrity and accessibility, you know, backups, that sort of thing. So again cyber security meets data protection when you come into the technical measures. There's an element also, obviously, when you're designing a system, you want to make sure that what you've got on there is going to be kept there in the form that it was originally given to you, but we classically think of cyber security as protecting the data from the outside.

So what measures are actually going to be appropriate? Well, you're going to have to review the personal data you hold and the way you use it, and you're going to have to assess how valuable, sensitive or confidential it is. Now remember we had that sensitive personal data; how much of that have you got? If you are a hospital, pretty much everything's going to be sensitive personal data. If you are something like a not-for-profit you may just hold addresses, names, email addresses; that's personal data but it's not necessarily sensitive personal data. So that's going to feed into what are the appropriate measures that you're going to be taking. You're going to need to take account of factors such as the nature and extent of your organization's premises and computer systems, the number of staff you have, the extent of their access to personal data, and whether you have anybody that is actually doing data processing on your behalf. There's concepts in the legislation which we're not going to go into in any detail, but you've got the data controller, who is really the person who originally has the data, and then you have data processing, which is anybody who's actually doing something with the data in accordance with the slide. Those might be two, three or more people. The data controller is actually responsible for all the data processing, even if that's going on in a third-party vendor or something like that. So what is appropriate has to take that sort of thing into account, as well as of course what information you're looking at as well.

So what is a data breach? A data breach, or a personal data breach, is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Now what's interesting about this again is there are scenarios that you can think of. We're all classically thinking about: the hackers have come into the system, they've stolen all the data, maybe they're holding you to ransom, otherwise it's all going up on the internet, something like that. But equally it's a breach if your backups fail and it's all gone. Equally it's a breach if somehow it all got corrupted and everybody's date of birth got changed by five years. Equally it's a breach if you lost it for a bit but then you got it back. So let's say the backup from last week failed but you managed to go back a month and all that data was the same; you would have lost it for a bit even though you'd actually managed to restore it. All these things are data breaches.

So what's going to happen, or what do you have to do then? You've got a duty to report all personal data breaches to the Ombudsman. In Cayman the Ombudsman is the regulator for the Data Protection Act. It does other things, but in this particular context he is the person to whom reports are made. The Ombudsman actually has a really good website; the forms for reporting are on that website, and lots of guidance about what you need to do, when you need to do it, etc. But the other thing about this is, you might be expecting, okay, there's going to be a regulator, we're going to have to report to the regulator, that makes sense. But actually you've also got to report to the individual whose data was breached, and that is often actually the more sensitive issue for organizations. Most people are like, hey, we report to regulators all the time, no worries. But you mean I've actually got to go out and tell my best client that I revealed their bank account details to somebody? That's where people go, oh, do I really have to do this?

The other thing about this to know, and this is very important to communicate to the techie teams, is you've got to do this within five days. This is not five working days; this is five days. Now one of the interesting things is hackers know this, so it is not a coincidence that you tend to get your "we've got your data, it's all going on the internet unless you pay us a gazillion dollars" on a Friday evening, because they know you've got to scramble. You're going into the weekend, you've got to call the whole team in, you've got to figure out what the hell's going on here, and you've got to get your lawyers on board, or whoever it is you use for reporting, and you've got to get all of this done in five days. It's actually worse in some other jurisdictions because it's 72 hours, so count yourselves lucky in Cayman, you've got five whole days.

There's a lot of stuff you actually need to know in order to do your reporting. You've got to provide the Ombudsman and the individual with all the information about the breach, but also you've got to provide them with the information about the measures you've taken and the measures you recommend any individual to take, and indeed, because five days is not normally long enough to get your arms around the whole problem, the measures that you intend to take, the ongoing addressing, what you've not been able to find out so far, what you will report further, when you will report it, etc. etc. So all that to say you need robust detection, investigation and internal reporting procedures in place, and this goes back to what I really think Andreas was talking about, which is you've got to build that into your system. If your system isn't geared up, and the people who designed the system didn't know what you were going to need to know when you were going to be reporting, it's going to be quite difficult to reverse engineer that. In my experience it's like, oh yes, we can get it, but it's going to take us ten days. And you can report that, but it's not terribly satisfactory.

The things that you have to report when you fill in the form: you've got to provide a description of the nature of the personal data breach, so what is it, was it lost, was it destruction, was it unauthorized access, those specifics. You've got to provide a description of the consequences of the breach: has this appeared in public, has it simply gone to two or three people, is it a ransomware situation? The measures you propose or have already taken to address the breach: so is this, oh, we just changed a few passwords and that's going to do it, or have you had to go and employ detectives and crawl agencies to try and find where the stuff's gone to and all that kind of thing. So there's an awful lot, believe me, an awful lot to get your arms around, to understand from your technical people. What you have typically in this situation is your CEO, your CIO, your lawyers and a bunch of computer people sitting in a room, none of them speaking the same fundamental language, all trying to understand what's happened, how can they stop it, and what's happened is often super difficult in itself to figure out. So yeah, that's one of my major messages really from my experience: if you have these conversations before something happens, how are we going to know this, how are we going to know the other, it's just going to be super helpful when you actually come to the reporting.

There is an exception to reporting, and it's what I like to call the no harm no foul exception. It's what's referenced on the slide here: where the breach is unlikely to prejudice the individual's data rights and freedoms, that was the seven principles we talked about earlier. Just by way of an example, one of the things that most commonly happens which is a data breach is you send a document to the wrong email address, or you send an email which includes somebody who's not really supposed to have got the email. If you reach out to the person who received it and you can get a confirmation that they will destroy it, they didn't take any copies, etc. etc., usually that will fall into the kind of no harm no foul principle. That's really common; I am my firm's Cayman data champion and I can tell you I probably get asked that three times a week at least. Another example is about deletions. So the example that I copied out of somewhere: the university experiences a breach because somebody's accidentally deleted all the alumni contact details; as I mentioned before, the details are later recreated from the backup. That's actually unlikely to affect any individual's right to have their data processed fairly, to have it minimized, to have it deleted upon request, etc. So that's the kind of breach that doesn't need to be reported. And believe me, this is not entirely a plug for my profession, but I would say if in doubt do ask somebody to give you a professional opinion on it, because, as we'll come on to, consequences of breach, and consequences of failing to report a breach even more, are pretty serious.

So just quickly, I might be sort of teaching everybody to suck eggs, but really I'm focusing on the malicious data breaches that are going to lead to a reporting requirement. I'm not really going to focus on the no harm no foul; I mentioned it to be complete but that's not really what this is about. And it's because malicious data breaches mostly result from cyber attacks, hence cyber security to prevent us from cyber attacks. As you probably all know, what we're really talking about here is phishing, brute-force attacks and malware, and I probably don't really need to go very much into that with this sort of audience as to what exactly those things are. But essentially trying to stop all of those things happening is cyber security. Unfortunately most people would now tell you it's not going to be if you have a successful cyber attack and a data breach, it's going to be when, and you need to report that breach nine and a half, if not 9.9, times out of ten. If it's a cyber attack you're going to be reporting it; it's very hard to come up with a situation where there's no harm no foul there. And as we've said, you're going to need to do it quickly, and so this is where your security systems should ensure that they totally enable that to happen.

So the last thing I'm going to talk about is, does this really matter? So yes, on very, very, very many levels.

We've all had in the news people like Uber and Equifax and so forth, and I'll talk about a couple of examples of fine situations at the end. But for a business organization, obviously a data breach can have devastating effects on the reputation and on the financial bottom line. I read some statistics that the average cost of just investigating and reporting a data breach on any sort of sizable organization, which I think was 100 staff and above, is something in the region of 4.2 million dollars. So it's not cheap, and that must feed into, when we were talking earlier about what is appropriate, you know, your CFO, if nobody else, is going to care that, all right, you're asking me to spend an extra million dollars this year on the system. If anybody's giving you pushback, wave some of those cost-of-breach statistics in their face. For government organizations, obviously compromised data can mean exposing highly confidential information to foreign parties and very, very bad actors, and for individuals identity theft is a huge problem for them. We've all heard of the dark web and everything that's going on on the dark web, and the sale of data on the dark web. This all goes beyond and is much more serious than Facebook harvesting your likes to sell to advertisers.

So failing to notify a breach when you're required to do so under the Data Protection Act in Cayman is a criminal offense, and it can result in a conviction and a fine of one hundred thousand dollars. I will say that in Cayman the monetary penalties are probably the least of your problems, unlike in some other jurisdictions. Failing to notify can also be the subject of a monetary penalty imposed by the Ombudsman of up to a quarter of a million dollars, and that would be on top of the fines. The other thing to bear in mind here is that in some instances the officers of a company which has failed to notify a breach can be personally liable to be criminally convicted. Now that is going to really mess with your life. So these are very serious consequences. The flip side of that is that reporting a breach is not necessarily going to lead you to any consequences at all. If, as we said, breaches are not if but when, if you have taken appropriate measures to guard against the breach, and you have taken measures to address the breach and address the individual harm, the Ombudsman may be perfectly satisfied with your response and also your original systems, and may go, thank you for reporting, stuff happens, move on. Or they may come back with a few recommendations, but they're not necessarily going to try and send you to jail or try and make you pay them loads of money. If you don't report when you should have reported, that will almost inevitably happen.

I'm obviously in Cayman, I'm advising on Cayman data breaches, but a lot of times these have an international impact, and certainly the potential financial consequences in the US and the EU are much, much bigger. For instance, the General Data Protection Regulation, GDPR, which is what prevails in Europe, provides that where an organization has committed a data breach the regulatory body can impose an administrative fine of up to 10 million euros or up to two percent of a company's worldwide annual turnover of the preceding financial year, whichever is higher. So if you're Meta or somebody like that, that is an awful lot of money.

So I said I was just going to run you through a few scary examples, and my favorite is actually Equifax because it's, in the worst possible sense, the gift that keeps on giving. So cast your mind back to 2017, which is when Equifax lost the personal and financial information of about 150 million people. Not a small data breach. And that happened because of, and I quote because I have no idea what this means, an unpatched Apache Struts framework in one of its databases. They actually failed to fix the critical vulnerability months after the patch had been issued, and then they failed to inform the public of the breach for weeks after it was discovered. So pretty much as bad as it gets. They knew there was a fix, they hadn't applied the fix to enhance the security, and then they did not report and they did not reach out to the individuals. I mean, can you imagine, this is all your credit information that's been out there for weeks, how damaging that could be. So in July 2019 they agreed to pay a 575 million dollar fine, which had the potential to rise to 700 million dollars, and that was in a settlement with the US Federal Trade Commission, the Consumer Financial Protection Bureau and all 50 United States and territories in the United States of America. They'd already paid US$625,000 in the UK for the breach, and that at that time was the maximum fine that could be levied; as I've just told you, GDPR has really upped the ante on that, so if this happened today that would have been a lot more money. It doesn't end there. In 2020 Equifax was made to pay further settlements relating to the breach of 7.75 million plus 2 million in legal fees to financial institutions in the United States, and 18.2 million to the state of Massachusetts and 19.5 million to the state of Indiana. So yeah, all in, that probably did come to somewhere around 600 million for that breach, and there's still a few lawsuits ongoing, so it may not end there. The reason I like this as an example is not only because the facts of the example are pretty egregious, but it really demonstrates how this isn't a kind of one and done. This will roll on, and I mean if they were paying 2 million in legal costs to one of the people that they settled with, only imagine what their legal costs are and only imagine what their administrative costs are. So it really is an absolutely huge thing.

I think I'll just touch on another one, and this is more recent, so this is January 2022 and it was Morgan Stanley. What was interesting about this is this is actually more focused on the civil side of things. So they'd already paid a 60 million penalty to the Office of the Comptroller of the Currency, and what they failed to do was exercise proper oversight of the 2016 decommissioning of two wealth management business data centers located in the US. They failed to effectively assess or address risks associated with decommissioning the hardware; they also failed to adequately assess the risk of subcontracting the decommissioning work. And so remember I said you're responsible for your third parties too: they'd farmed this out, somebody had messed it up, it was Morgan Stanley who ended up paying the fine. They did not exercise adequate due diligence in selecting the vendor, they didn't monitor their performance, and they failed to maintain an appropriate inventory of the data that had been stored on the decommissioned hardware devices. That had happened in 2016; they then managed to repeat it all in 2019. So they've dealt with the regulators, they've paid their fines, but then, this being America, of course out of the woodwork comes the class action claim for all of the individuals who are affected by this, and essentially, long story short, that was another 60 million dollars to settle that particular piece of litigation. And Morgan Stanley's public statement on all this: "We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and we are pleased to be resolving this related litigation." So that is pretty much what I wanted to say today. I think we've got some time for questions, but thank you very much for listening.

[Applause] Oh, silence. I like silence. Oh, and there's hands up at the back too.

Hi there, thank you very much for the presentation. Can you confirm that Cayman Islands law firms that house KYC data are subject to reporting to the Ombudsman?

Yes. I mean, well, reporting if there's a breach, yeah. There's no registration process or anything like that; you don't have to go, oh, I'm holding data, please make a note. But yes, if you're a law firm, as an organization, KYC is personal data, some of it may well be sensitive personal data, probably is if it's a passport or something like that. If there is a data breach and somehow that information is lost, destroyed, unauthorized access, you absolutely have to report that breach.

And do you have any examples of any Ombudsman fines in Cayman?

So the Data Protection Act in Cayman came into force in 2019, and obviously in 2020 we all had COVID and working from home and all this kind of thing, so the Ombudsman has been more in education mode than enforcement mode, but they are now in enforcement mode. So to date there has not been a lot of history of prosecutions and fines; there's been a lot of work going on with the Ombudsman in terms of ensuring people are aware. The Ombudsman now feels like you should all be aware, and so moving forward I don't think there's going to be any level of tolerance that you don't know what you were supposed to do, when you were supposed to do it or how you were supposed to do it. Thank you.

Yeah, so you spoke a lot about the Ombudsman. Do you have any experience, or have you seen cases, with CIMA as it relates to cyber security breaches? So I know the Ombudsman would be the regulator for data breaches, but CIMA for regulated entities, and CIMA has been very vocal that this year they're going to be focusing on cyber security in their prudential inspections. What have you seen or heard, or have you seen cases where CIMA has made findings in that nature? Just curious to know.

I haven't seen much of that yet, and it is, as you say, something that they have announced over the last year that they are going to focus on. I think frankly they've had their hands full focusing on KYC and trying to get themselves up to speed so we can get off various lists, so I think it's early days on that. I only have a couple of anecdotal sort of feedbacks, if you like, from people I know who've been through a regular CIMA inspection, and all they were really asked to do was, you know, do you have a cyber security policy, can you give it to us, and so forth and so on. So I don't think it's got much past that at this stage, but you're absolutely right, that's going to be coming up on CIMA's radar. And I mean that's an entirely separate thing to data protection breaches, but yeah, it's going to be watch this space, and I think it's also going to be different criteria as far as I read. So you're going to have to find yourself going again, within five days I need to know what happened, I need to figure out if I need to report here, I need to figure out if I need to report here, and I'm sure there will be more things to think about as well. Thank you.

Did you want the microphone?

Okay, so I'm from Jamaica. We're actually going through an exercise right now because our Data Protection Act was passed in 2020 and it's going to be implemented, or I should say enforced, December 2023. People will have to get data privacy officers and other compliance measures. But I'm going back to one of the slides which you said, where a report would have to be made to the Ombudsman if there was a breach that actually endangered people, not like, you know, he's in an accident. But it occurs to me that maybe, I don't know what the situation this thing came on, but I can tell you, like in Jamaica, there should be a material difference between breaches by government or large organizations versus those by small ones. I'll give you an example. For instance, we had our JamCOVID which was exposed on an Amazon S3 bucket for the world to see, for PII. We had a conglomerate that had again got locked by ransomware and nobody knew until somebody dropped it on LinkedIn, and no notifications to anybody. And yes, these are large organizations, a lot of information. But for the small business person, in Cayman are there different ways, for instance, for breaches, more in an education mode or in an assistive mode rather than a punitive mode for those people? Because, for instance, in Jamaica it's four percent of your earnings; I don't know what it is in Cayman but I'm assuming it is of similar size.

Well, to your question, I mean, that all feeds into the word appropriate. So let's see if I can make this thing go back.

Okay, so the key word for large organization versus small organization is what measures are appropriate, and that is where you may not be held to the same standard. If you're a small company and a bunch of people's emails somehow are hacked, it doesn't mean you don't have to report; you're definitely going to have to report. But when the Ombudsman assesses whether your measures to protect that information were appropriate, they will take into account size, resources, those sorts of things. And as you rightly point out, if you are a large multinational organization with a branch in Cayman or Jamaica or whatever, the measures that the Ombudsman or your regulator is going to think would be appropriate, if your legislation is the same, are going to be a lot higher. But that's the only get-out, if you like, and it's a risk-based analysis. I know we all hate risk-based analysis because we do it with KYC and AML and all this thing, and it's always like, okay, well we did our risk-based analysis, and then somebody comes along and tells you that your risk-based analysis was wrong. But that's all you can do. I don't know what resources you have, but if the legislation, as it probably does, has the same eight principles, I would thoroughly recommend the Cayman Ombudsman's website and the guides on it for what to think about, and particularly in the seventh principle, the security and integrity one, how to go about your risk, what factors to take into account, and that's where you just get that measure of, can we hold the one-man band to the same standard as Google.

Right, so I can tell you the principles are basically the same. The problem, and that's a lot of confusion in Jamaica, is because we have the law but we really don't have the regulations, right, like how they're supposed to be interpreted, so that's where our issue is.

Right. And obviously you're not going to be able to 100% rely on anything that's come out of the UK or Europe or Cayman in terms of guidance or so forth. But if you are an organization trying to comply in Jamaica at the moment, at least if you had an issue and you said, well, hey, we had the legislation but we had nothing else to go by, so what we looked at was these other sources which all have the same concepts as our legislation in order to carry out our risk-based analysis, you're going to have a conversation with your regulator that's going to make some kind of sense.

I think we may be uncannily on time. Thank you everybody. [Applause]