The Cayman Islands has seen an increase in data breaches in the first quarter of this year.
The discovery of malware on a server used to process local bank-transfer information, made public earlier this week by the automated clearing house of seven retail banks, is only the latest example of a security violation on island.
The Office of the Ombudsman received a total of 34 data-breach reports during the first three months of 2021. This was the highest tally since the Data Protection Act came into effect in September 2019.
In the 18 months ending March 2021, businesses and organisations disclosed a total of 124 breaches.
“The vast majority of the breaches that have been reported to us were relatively minor, e.g. in the form of a misdirected email, but there have also been quite serious ones,” Deputy Ombudsman Jan Liebaers told the Compass via email.
More serious cases, for instance, included ransomware attacks. These cyberattacks use malicious software to encrypt an organisation’s critical data so that it cannot be accessed, and demand a ransom to provide access.
Cayman’s data protection legislation defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In other words, it involves a security violation that leads to unauthorised individuals gaining access to sensitive or confidential data.
In the event of a breach, the data controller – the person who exercises control over personal data and decides how it is handled – must, under the law, notify anyone whose data has been disclosed or accessed, as well as the Office of the Ombudsman, without delay.
The incident should be disclosed no later than five days after discovering the breach.
The notification must describe the nature of the breach, its consequences, the measures proposed or taken to address the breach, and the mitigating measures recommended by the data controller.
Not every personal data breach will automatically lead to an enforcement action by the ombudsman. Whether an investigation will be launched depends on the individual circumstances in each case.
But all cases have to be reported because, in addition to the loss of control over personal information, data breaches can lead to identity theft, fraud and financial loss in the most serious cases.