The Cayman Islands Ombudsman has found that a local liquor retail group contravened the Data Protection Law (2017) when it failed to take adequate technical and organizational measures to protect against unauthorized processing of employees’, shareholders’ and pension account members’ personal data.
The Ombudsman also found that Jacques Scott Group Ltd. (JSG) failed to incorporate certain mandatory provisions into its agreement with its IT provider, which constitutes a separate violation.
JSG reported the ransomware attack last year after employees discovered they were locked out of a number of the company’s critical network systems. The breach involved the personal data of about 150 people but did not include computer passwords or personal financial data. Jacques Scott was proactive in notifying both the Office of the Ombudsman and the affected individuals of the ransomware attack. In addition, along with its IT services provider, the company did take mitigating action following the breach.
It is believed no customer data was accessed and, importantly, there appears to have been no serious or ongoing consequences for those whose data was compromised in the ransomware attack.
“This situation is a good representation of the serious data protection concerns now facing both private and public sector organizations in Cayman,” said Sandy Hermiston, Cayman Islands Ombudsman. “Mitigation after the fact is simply not enough. All of these entities must proactively take security precautions with their computerized record-keeping systems – the Data Protection Law makes it their responsibility.”
JSG separately sought and received recommendations on IT security from Deloitte and the Ombudsman supported these recommendations, urging their implementation. In addition, the Ombudsman recommended future steps to prevent ransomware attacks including:
-Providing training to employees on cybersecurity prevention and response, in line with any information security policies and procedures the company may develop
-Enabling logs on all critical network devices to ensure information is kept in the event of future cyberattacks and also ensuring multiple backups of information are maintained with that at least one backup kept off-site
-Implementing periodic vulnerability assessments to identify IT security weaknesses
As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the Ombudsman’s decision. The link to the executive summary of the order can be found here: https://ombudsman.ky/images/pdf/DP_Enforcement_Order_201900212_-_Exec_Summary.pdf
Anyone with questions about Cayman’s Data Protection Law, which took effect on 30 September 2019, should go to our website www.ombudsman.ky for further information. Data protection complaints and/or notifications can be made to the Ombudsman’s office at 946-6283 or via email at info@ombudsman.ky.