
To notify or not notify the public

It is no longer reasonable for any business to ask whether it will suffer a data breach. Empirical data suggests it is more a question of when it will happen.

In the Jamaican reality the most appropriate question for the average business to ask is when will the public find out that we have suffered a data breach. The assumption in this scenario is that the data controller is aware that they have suffered a data breach. Without someone employed to manage information security and who actively monitors the systems, how is the data controller even to know that there has been a data breach?

For the purposes of this discussion we will assume that the data controller knows that there has been a data breach and, as such, explore what, who, and when the data controller is required to notify.

In the past three weeks there have been two examples of how financial institutions have sought to recover from a data breach: Victoria Mutual Wealth Management (VMWM) and Jamaica National Bank (JN Bank), both of which issued releases to their customers saying that they had suffered a data breach.

In the case of Victoria Mutual it appears as if a release was put out only after the information had already got out in the public space, while JN Bank, in the midst of all the noise caused by VMWM, quietly advised its customer base and members of the public that it too had suffered a data breach. The notification from JN Bank came by way of an e-mail couched in generic language; a portion of the relevant sections reads as follows:

“Recently, we had an isolated incident in which a few of our JN Bank VISA credit card customers received a JN Bank credit card payment reminder bearing the name and address of another credit card customer. We traced the cause of the breach to one of our software suppliers, who has since corrected the programme. We have also contacted the affected members and apologised to them.

“The JN Group takes its responsibility of protecting the privacy of each member very seriously. Therefore, we have been implementing measures to protect your privacy, which are in keeping with international and local standards and laws, such as the General Data Protection Regulation in the United Kingdom and the proposed Data Protection Act for Jamaica. In compliance with those laws, we have established a data protection office and have appointed Mr L Anthony Robinson as the group’s data protection officer.”

The VMWM release, that we are more familiar with, read as follows:

“On Thursday February 13, 2020 a member of the VM Wealth team inadvertently sent an e-mail to a subset of VM Wealth clients with an attachment containing non-financial information on some of our clients. For emphasis, it is important to note that none of our customers’ financial information was shared.

“The VM Wealth Management team is in the process of contacting clients who received the e-mail to apologise. We will be advising those persons whose information was inadvertently disclosed and will address any concerns they have. Our clients’ privacy is of utmost importance and we wish to assure all stakeholders that we have already fortified our internal processes to keep your data safe. We will be conducting further reviews and will implement any additional controls that are deemed necessary.”

It is worthwhile noting that while VMWM was quick to say that no financial information had been disclosed, JN Bank did not make a similar statement. Members of the public are left to conclude that financial information had been disclosed by JN Bank. While this may be an incorrect conclusion, members of the public are unfortunately left to assume the worst, as JN Bank, in their public communication, did not specifically state what information was disclosed or the quantity of data that was disclosed.

On the passage of the Data Protection Act (DPA), data controllers will be obliged to comply with Section 21(5), which states:

“Where a contravention or security breach is likely to affect a data subject, the data controller shall without undue delay notify the data subject of:

* the nature of the contravention or security breach;

* the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; and

* the name, address and other relevant contact information of its data protection officer.”

At the final sitting of the joint select committee tasked with looking at the Bill, there was a robust discussion between the chairman, Minister Fayval Williams, senators Robert Morgan and Sophia Frazer Binns, and Member of Parliament Julian Robinson around the threshold that must be crossed before the data controller is compelled to inform the data subject of the breach.

The Bill originally required the data controller to inform the data subject where it was “likely to affect a data subject”. After to-ing and fro-ing, the committee decided to adopt the original wording of the Bill and now require data controllers to notify data subjects where it is likely to affect their rights, instead of where there could be a serious risk of damage. While not articulated by the members of the committee, the thinking behind this would be to ensure accountability of the data controller to the data subject, and ensure that the data subjects would have enough information to protect themselves against threats caused by the data breach.

The committee members feared that if there was a high threshold to cross before being compelled to advise the data subject, data controllers may, more often than not, fail to advise the data subject, thus leaving the data subject exposed.

A relevant question that went insufficiently answered, however, was what would be considered a high risk, or what it means for a breach to be likely to affect the data subject.

Recitals 75 and 85 of the General Data Protection Regulation shed some light on what a risk would be: “This risk exists when the breach may lead to physical, material, or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss, and damage to reputation. When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offences or related security measures, such damage should be considered likely to occur.”

Recitals 75 and 76 of the General Data Protection Regulation suggest that, generally, when assessing risk, consideration should be given to both the likelihood and severity of the risk to the rights and freedoms of data subjects. It further states that risk should be evaluated on the basis of an objective assessment.

WP29, the precursor to the European Data Protection Board, recommends that this assessment take into account the following criteria:

• the type of breach

• the nature, sensitivity, and volume of personal data

• the ease of identification of individuals

• the severity of consequences for individuals

• special characteristics of the individual

• special characteristics of the data controller

• the number of affected individuals

The legal requirements having been identified, it is important to note that the law does not require notifying members of the public of a data breach. Given the nature of social media, data controllers, as was done in the two recent instances of data breaches, would be well advised to get ahead of a data breach fallout and communicate with the public in a clear, accurate, and succinct manner; the ultimate objective here being to maintain the hard-earned trust of your customers.

If a company hopes to maintain customer trust, it should consider using dedicated messages when communicating a breach to data subjects and members of the public. The data breach notification should not be sent with other information, such as regular updates, newsletters, or standard messages. This helps to make the communication of the breach clear and transparent. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data.

Dennis Brooks, a communication strategist, in response to the two mentioned incidents, recommends in general that “all companies move swift and manage the communication that comes out of it (a data breach), to restore confidence… and move to shape and influence the narrative positively to be as honest as you can with the people who are closest to the breach as possible”. He suggests that this is important “so that you can take them into your confidence and assure them that you have come to a full understanding of what caused the breach and what you need to do to fix it”.

He further suggested that “managing social media, where communication can move rapidly and, more importantly, miscommunication and disinformation can move rapidly, you have a responsibility to your brand, but also to the people in question to communicate effectively with them”.

The reality is that most organisations have inadequate controls or mitigation measures; as such, under-defended organisations may already have malware in their systems and will always have human error to contend with. In light of these circumstances data breaches are inevitable, and even given adequate budget and resources, establishing adequate security will take time. It is therefore worthwhile to consider establishing a personal data security incident management policy and an incident response team while implementing a cyber defence/data protection programme.

An incident response plan and accompanying detailed procedures should be defined to ensure an effective and orderly response to incidents pertaining to personal data. The plan should set out how internal and external communications are to be handled, with specific attention to the escalation sequence from the first responders up to the organisation’s management that is in charge of taking the most complex or costly decisions.

Before activating any incident response procedure, the evolving status of the incident should be ascertained to a certain level of confidence. The incident response procedure should include guidance to facilitate the understanding and evaluation of the incident status, even by non-specialised personnel. All personnel involved in any incident response procedure within the incident response plan should receive periodic training on the procedures in which they are involved.

To increase the effectiveness of an incident response plan, and depending on the size and complexity of the organisation, a temporary or permanent incident response team can be established. This team should be in charge of, and therefore competent to perform, most of the operational actions included in the incident response plan, escalating to management where needed.

Clear and effective communication is necessary to maintain customer trust and give them sufficient information to protect themselves against potential harm that may follow as a result of the data breach. Assisting customers to protect themselves will also go a far way in mitigating any damages to which the company may subsequently be exposed.


Chukwuemeka Cameron, LLM, is an attorney, trained data protection officer, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Observer or [email protected].
