Hackers, ‘Choppers’, and Scammers: The Cybercrime Era | What are my rights when my personal data is compromised?

Data is a commodity as valuable as any product or service in any industry. Data and information gathering is a multimillion-dollar business. From external cyberattacks such as malware, ransomware, and phishing to internal vulnerabilities such as human error, system failure, and lost or stolen devices, dangers that risk exposing personal data can be found at every turn.

With technology developing so quickly, cyberattacks are getting more sophisticated and are on the rise. In 2021 alone, there was a 550% increase in reported cases of cyberattacks in the Caribbean, according to a 2021 report by Mandiant Advantage. In Jamaica, the Bank of Jamaica reported that $81.23 million in losses were associated with internet banking fraud in 2021, a 17% increase from the previous year. Just under two months ago, Mailpac reported being impacted by an Aeropost data breach that resulted in the credit cards of approximately 5% of its customers being compromised.

What does this mean to you? It means that now, more than ever, your data is likely to be copied, transferred, stored, and otherwise processed in multiple places globally and, if not protected, it is accessible to hackers, ‘choppers’ and scammers. We generally know that we should password-protect our devices, be careful with our credit cards, PINs and passwords, read terms and conditions, and employ two-factor authentication for online accounts.

The big question then is, what do you do when your personal data is compromised?

1. First things first: Was your data really compromised?

To know what to do, you must understand what happened. Not every announcement by a data controller that their system is compromised means your data is compromised. We should therefore first aim to understand the difference between a security incident and a data breach. Put simply, an incident is an event that results in potential exposure of personal data. It is any compromise to the availability, integrity and confidentiality of the security structure, system or platform, which may or may not result in access to the actual data. It is only a data breach when this results in the actual disclosure of personal data to an unauthorized party.

Why is this important? This determines what actions should be taken, how to resolve the matter, and what your rights are.

2. Cover your bases

Before we get to recourse, note that prevention is always better than cure. Even if an incident is reported as not being a data breach, take steps to verify that your data is protected and to further protect your personal data. Block the credit/debit cards potentially at risk and request a replacement card from your bank, change your passwords, and exercise your right to further information under the Data Protection Act!

3. Contact the Data Protection Officer

If you receive a report that a data controller who is processing your personal data is compromised, you should first write to the data protection officer of the company/data controller requesting any of the following:
a. Whether your personal data is being processed
b. What personal data is being processed and why
c. Who are the authorized recipients of your personal data
d. Who, other than the data controller, processes your personal data on their behalf
e. That the company ceases any processing of your personal data

The company/data controller must respond within 30 days of your request. In this response, the data protection officer may comply with your request or outline any exemption the company benefits from under the Data Protection Act.

4. What should the data controller do in the event of an incident or data breach?

a. Take steps to mitigate the effects of the breach
b. Report to the Information Commissioner, within 72 hours, any security incident likely to affect personal data and any steps taken to mitigate a security breach
c. Notify each data subject whose personal data is affected of the breach and of the steps taken to address/mitigate the effect of the breach

5. What if the data controller fails to act?

You may complain to the Information Commissioner that the data controller failed to notify you as required under the Act or failed to respond to your request. The Information Commissioner has the power to:
a. Direct the data controller to give you the information required in relation to the breach and any request permitted under the Act.
b. Issue an information notice if more information is required by the Commissioner in relation to your request.
c. Issue an assessment notice, complete an assessment, and notify you of the conclusion reached or any action taken by the Commissioner.
d. Serve an enforcement notice which directs the data controller to cease processing personal data, to refrain from acting, or to do any specific act for a specified period of time.

6. What if the data controller fails to comply with any notice issued by the Commissioner?

The data controller and the data protection officer are open to criminal liability under section 53 of the Act.

7. How do you get compensated?

The Data Protection Act provides that the data controller is only liable to compensate a data subject who can establish that he/she suffered damage as a result of a data breach. At this juncture, having received the information above, you are in a better position to know whether any damage you suffered is the result of a data breach. Once you have suffered damage, contact an attorney!

8. Who do I speak to?

You may be guided through the process by an attorney or any expert on data protection. Experts are accredited Data Protection Professionals such as members of the International Association of Privacy Professionals. Once you are seeking to recover any loss, it is always best to consult an attorney.

Please note that data controllers have until November 30, 2023 to become compliant with the obligations under the Data Protection Act.

Samantha Grant is an Attorney-at-Law at the law firm DunnCox. You may contact her at samantha.grant@dunncox.com.
