In this blog post, PrivCom is offering a series of opinions, advice, and guidance to help alleviate the uncertainty that members of the public may be experiencing.
Following last week’s cyberattack, it remains unclear whether the hackers gained unauthorised access to any personal data of private citizens. The Office of the Privacy Commissioner (PrivCom) staff meet regularly with Government personnel to discuss best practices and ways we can support one another, but PrivCom is not directly involved in operational matters. Since, at this point, any answer here would be entirely speculative, PrivCom defers to Her Excellency the Governor, who cautioned against speculation.
What sort of personal information do organisations obtain and store?
Personal information can be used for a variety of processes. Consider purchasing an item online: an individual will likely provide personal information such as
· a credit card or bank details for the payment,
· a mailing or physical address for delivery, or
· an email address for a confirmation or receipt.
All these pieces of information could then potentially be used for another purpose. Privacy laws help set norms of trust that the recipient will not make additional payments, or stalk us at our home, or spam our email with unwanted messages.
Why is it important for this information to be held securely?
There are a variety of types of harms that an individual could face if personal information is misused – even accidentally. Some harms include:
· the physical harm of harassment;
· economic harms like identity theft;
· emotional harm such as anxiety or embarrassment;
· discrimination or unequal treatment based on personal characteristics;
· a chilling effect of preventing someone from exercising a right; or
· the loss of autonomy or control of decisions.
Personal information may be intentionally or maliciously stolen and used to open accounts or credit cards in an individual’s name. Or, different details from multiple individuals can be combined to create an entirely synthetic identity. Once the synthetic identity is used to create an account, it can be difficult to prove it does not actually belong to one of the real people it is based upon.
Information does not have to be stolen to be misused or for there to be a problem: perhaps it simply has an error or is not up to date. For example, if your medical records are not accurate, you could receive the incorrect blood type. If your financial records are not accurate, you could be harmed by receiving a higher mortgage rate than you should.
To understand more about the types of harms that can be caused by different types of personal information misuse, see our guidance note, “What’s the harm if personal information is misused?”
What does a breach of security mean for organisations?
It is tempting to conclude that if an organisation has suffered a breach, they must have done something wrong. However, no organisation can have perfect cybersecurity, and safeguards cannot completely mitigate all risks – no matter how much time, effort, or money is spent. While good practices will reduce the chances of an incident, a determined, sophisticated attacker will eventually succeed. The organisation must ensure that the controls are appropriate to the threats they face and the risk of harm that the data breach would cause to the individual.
Importantly, substantive provisions of PIPA, such as those relating to security safeguards and data breach notification, have been announced to come into effect on 1st January 2025. PrivCom does not require or expect organisations to notify our office of data breaches before that time.
What you can do as an organisation
To help organisations understand these issues, our office has published the following guidance and advice:
A comprehensive “Guide to PIPA” that includes checklists and questions for organisations to ask about, among other topics,
· security safeguards, and
· data breach response, including tips on how to communicate notifications to affected individuals;
Cybersecurity-specific blogs, such as
· 30 Daily Tips for Cybersecurity Awareness Month 2020: every October is Cybersecurity Awareness Month, and there are international events and resources that we share regularly.
In addition, here in Bermuda we will be hosting the Global Privacy Assembly, which is a meeting of worldwide regulators of these topics, from 15-20 October 2023. This event is a tremendous opportunity for Bermudians to learn from the world’s foremost experts on issues related to personal information. If you would like to participant in the GPA annual meeting, register here.
What you can do as an individual
The UK’s National Cyber Security Centre (NCSC)’s Cyber Aware website has an excellent guide to “Top Tips” that individuals can review in a matter of minutes to proactively protect themselves. The US-based National Cybersecurity Alliance has advice on how to shop online safely.
If individuals are concerned an account has been hacked, the NCSC also a guide on steps to take.
One strategy to detect identity theft, such as fraudulent accounts being opened in your name, is to check your credit report. In countries such as the US, UK, or Canada that utilise credit reports, it may also be possible to initiate a credit freeze. This will prevent a credit card or account from being opened in your name until it is “unfrozen.” However, your right to freeze your credit, and the ease with which you can freeze or unfreeze your credit report, varies by country and credit bureau.
As described on the Experian web site, for US-based accounts: “You must contact each national credit bureau individually to freeze (or unfreeze) your credit reports. Each credit bureau will do a credit freeze for free upon request. Each credit bureau allows online and phone credit freeze request. Use the following links to start a credit freeze individually at each credit bureau: 1) Experian Credit Freeze; 2) TransUnion Credit Freeze; 3) Equifax Credit Freeze”.
Our office will continue to publish advice for the public to help individuals understand their rights.
Why is it important for organisations holding individuals’ personal information to notify any people who may be affected by a breach of personal information?
Data breach notification requirements, such as those found in PIPA, are intended to warn individuals about potential adverse effects so they may take steps to protect themselves. This messaging is also an opportunity for the organisation to communicate to their customer or client the measures that they are taking to address the issue and mitigate potential adverse effects. It is important to note that not every incident requires a data breach notification under PIPA, only incidents in which a loss, disclosure, or accessing of personal information is likely to adversely affect an individual.
The exact nature of the notification, such as the timing or the details that are shared, should be without undue delay and in any case appropriate to the risk of harm. Our office has published guidance and considerations about data breach notifications in our “Guide to PIPA”, and more of such guidance, including the mechanism for notifying our office, will be forthcoming in the run-up to PIPA’s implementation and beyond.
What is the role of PIPA and PrivCom?
Once the Government brings PIPA into effect on 1st January 2025, where there is a breach, the Act will require organisations to notify individuals so that they can proactively take steps to protect themselves from adverse effects and grants PrivCom the ability to instruct organisations on further steps that may need to be taken as part of the breach response. These notifications will be one of the most practically important aspects of PIPA. When our office is notified about data breaches, an ensuing investigation would seek to assure that the organisation conducted their analysis of risk and safeguards, and acted in a reasonable manner based on the type of information they possess and the type of harms that could fall on individuals.
PIPA contains requirements that an organisation should protect personal information with safeguards against risk of loss, unauthorised access, destruction, use, modification or disclosure, or any other misuse. Importantly, these safeguards are to be proportional to the likelihood and severity of the harm, the sensitivity of the information, and the context. This means that, in practice, the safeguards that an organisation implements will be unique to the risk of harm to the individual. There are general best practices, including internationally recognised standards, that organisations should rely on as a form of due diligence, but they may need to supplement those standards depending on their circumstances.
As Commissioner White has written in PrivCom’s regulatory philosophy, the Mid-Atlantic Privacy Compass, we do not consider our oversight role to be playing “gotcha” with organisations. This mind set would reward organisations for hiding missteps or issues from the community. Instead, we believe in de-stigmatising breaches to encourage and incentivise the sharing of lessons learnt and hard-won knowledge about cybersecurity and data issues, so that everyone can benefit. Our office aims to protect and mediate, and to create incentives to focus on the true issue of preventing harm.
It is tempting to want to compartmentalise blame, but in fact an individual could be harmed by a breach even despite due diligence. To ensure a robust and secure community, we need to make it OK to share details about what went wrong, how we can contain the issue for now, and how the issue can be prevented in the future.
Privacy laws in the 20th and 21st centuries
Some people think that privacy is the same thing as secrecy, or trying to hide something. In fact, privacy is about being in control. It means that each individual should have the ability to control how the information about themselves is used.
As privacy laws have developed over the 20th century to today, initial privacy concerns centred around government use of personal data to violate rights and freedoms. In the latter half of the century personal data became commodified. Corporations, multinationals, and other organisations came to possess as much data relating to individuals as any government – and in many cases, more. Technology, and technology companies, became an integral part of our lives, leading to a company or third party being involved in even the simplest of actions or communications. Consider: how often do you have in-person conversations versus ones using a messaging app or email?
Increasingly, the economic models on which corporations are built relate to “surveillance capitalism,” or the idea that these entities profit by observing consumers and influencing behaviour. Many companies make their money by observing what you do or learning what you like, so they can sell that information to others. They build profiles, mainly so that they can sell ads that will be more likely to catch your attention. (That’s what it means when a website asks you if you would like “relevant” ads. It may be relevant, because they are auctioning “You” off using a profile to sell the advertising space to companies--all in the span of a second!) For example, apps, or the companies behind them, may process data to tell if accounts are associated from the same device or if devices use the same Wi-Fi network. If you share your contact list, they can see that your online friends have the same phone numbers as the people in your phone.
In time, we have learned (sometimes quickly, sometimes slowly) that privacy is not only a fundamental right, it is an enabling right. Privacy enables democratic society to function by protecting freedoms of assembly and secret ballots. Privacy enables our economies by providing the basis for trust in transactions like those online, that may be removed and impersonal. Now and in the not-too-distant future, each of us is being summarized into a profile that delivers “personalized content” and advertisements that shape our worldview; privacy will be essential to maintaining our autonomy and self-determinism, the very integrity of our minds.
To reach out to PrivCom, please visit our Contact page.