
At this time the public is aware from press releases that the Department of Education has reported a cybersecurity incident at their vendor, PowerSchool. As a general principle, until the facts of the matter have been confirmed and the investigative process has been completed, my office would not formally provide a public statement regarding a reported breach of security. To be clear: this matter is still under review, which involves collecting documentation and evidence. Details regarding ongoing matters undertaken by my office are considered confidential. With that being said, I understand that we are in the early days of the implementation of PIPA and that providing clarity can be useful.
Under PIPA there is a legal requirement for an organisation that is using personal information to, without undue delay, notify PrivCom of a breach. The legal requirement to notify my office is based on a multi-part test: PIPA considers a breach of security to be an incident that leads to, for example, unauthorised access to personal information which is likely to adversely affect an individual. In other words, there must be an action, such as unauthorised access, and there must be a determination that the consequence is likely to be an adverse effect to an individual.
Breach notifications have several policy objectives. The requirement for transparency means that organisations are held responsible for their due diligence and level of care. The requirement to inform individuals about adverse effects gives the individuals warning so that they may take action to protect themselves from harm, if possible. Because our office is made aware of the breach, we can offer an expert opinion on whether further steps may be needed.
A breach of security can take time to investigate and resolve. Notification of a breach should occur as soon as possible, or in other words without undue delay. Once an organisation is aware of a breach, they are permitted to assess the situation and validate details before notification. An example of undue delay before notification would be if the time spent assessing the situation would increase the likelihood or severity of the harm to an individual. If an organisation would like advice on the steps to take, then they may provide a preliminary notification to my office even before they are certain that there is a risk of harm to an individual.
To assist organisations in notifying my office of a breach, an electronic breach notification form can be found at our website, privacy.bm, in the “Organisations Hub” (https://www.privacy.bm/organisations-hub). This form will guide organisations on what information to include in a breach notification to our office. We also have template letters that organisations can use to notify individuals.
I want to emphasize a point that I have stated many times over the years: the fact that an organisation suffers a breach of security does not necessarily mean that the organisation behaved inappropriately or negligently. Organisations should put in place reasonable measures and safeguards that are proportional to the risk of harm to individuals from a breach of personal information. These measures will depend on the types and uses of personal information. PIPA does not require perfection, which is an impossible standard.
I would like to commend Commissioner Richards and the Department of Education for their proactive transparency, for notifying my office appropriately, and for their willingness to promptly respond to follow-up requests and discussions.