Cayman’s data protection legislation forms a key part of efforts to ward off cyber criminals seeking to misuse personal information or exfiltrate data gathered through legitimate business practices.
It provides a legal framework to ensure any breaches are punished and it’s a role that falls to Ombudsman Sandy Hermiston and her team, who take this function very seriously.
As she continues to champion safe data practices locally to ensure personal data is protected whenever it is extracted and wherever it is held, Hermiston says it is not just about monitoring.
“We are responsible for investigating data breaches that have been reported to us, and complaints from data subjects about the handling of their data. We’re also responsible for promoting best practice in complying with the Data Protection Act,” Hermiston said in an emailed response to queries from the Cayman Compass.
According to the Office of the Ombudsman’s 2020 annual report, 65 breach notifications were received, more than double the 25 recorded in 2019.
A total of 16 of those notifications in 2020 were carried forward to this year.
When these investigations are concluded, she said her office will offer recommendations to the affected organisations on how they might improve their systems and processes to prevent similar breaches from occurring.
“We also have guidance on our website to help organisations to understand their obligations under the law,” she said.
So far, Cayman has not suffered any significant data breach, but “Cayman, like almost any other jurisdiction, faces cyberthreats from malicious actors. These include, but are not limited to, phishing, social engineering, malware, ransomware and such like,” she said.
She pointed out that some of the more common categories of breaches that her office is notified about involve misdirected emails, ransomware, phishing attacks and human error.
Breaches take various forms
Among the cases that were on the Ombudsman’s radar in 2020 was a phishing attack that caused a data breach at a fund services company in Canada – a sister company of a Cayman Islands-based firm.
The breach involved data on employees and over 2,000 external data subjects, including many who were based in the Cayman Islands.
After investigation, the Ombudsman’s annual report said “it found no evidence that the threat actor downloaded the contents of any email messages from the compromised account, or that other systems (other than email) were affected”.
Another report pointed to a ‘white hat hacker’ who hacked into a disk drive belonging to a bank’s data processor and “sent the bank a few files to show certain weaknesses in their security setup”.
“The hacker demonstrated that the breach was contained and shared information on how the drive had been accessed. Most of the data on the drive was of a technical nature, but some files contained personal data belonging to approximately 1,800 bank customers, including email addresses, active login names, ID codes and account numbers and balances, but no passwords. The hacker claimed, and this was later confirmed, not to have copied any files containing personal data,” the report stated.
All remote access granted to the data processor was revoked and a secure erase was performed on the hard disk drive once the investigation into the breach had been completed.
It is examples like these that prompt Hermiston’s caution that businesses should get expert advice from IT security providers if they are concerned about protecting their data, and they should regularly review their security plans.
“There are good, accessible online resources for members of the public to learn some basics of cyber security, such as https://staysafeonline.org – they give guidance on how to recognize phishing emails, how to shop securely online and how to protect yourself against viruses and other malware,” she added.