Hot topics: data protection, cybersecurity

Stephanie Shih of Appleby

Two current hot topics in the office are data protection and cybersecurity. Not only are they areas that we advise our clients on, but they also directly affect our day-to-day habits in the office.

Gone are the days when a lawyer’s desk and office would be covered with piles of paper and folders. In recent months, all of us at Appleby have gone through extensive security awareness training. We have also become subject to various compliance policies and procedures that ensure that we have a strong and secure data/cyber environment.

The drive for increased data protection in Bermuda is due to several factors, such as:

• The coming into force of the EU General Data Protection Regulation (GDPR) in May 2018

• The upcoming Personal Information Protection Act (Pipa) that will be coming into force later this year and

• New York State’s introduction of Cybersecurity Regulations in March 2017

GDPR is designed to protect all European Union citizens from privacy and data breaches in an increasingly data-driven world.

The GDPR regime imposes new and enhanced responsibilities on businesses for safeguarding the data that they process. GDPR applies to all organisations holding and processing EU residents’ personal data, regardless of geographical location, so merely offering goods and services to an EU resident is enough to trigger GDPR compliance requirements.

Potential fines for non-compliance are phenomenal, being up to €20 million or 4 per cent of annual global revenues, whichever is higher.

Pipa is anticipated to come into full effect in December and will regulate the future processing of all personal data in Bermuda. Pipa was drafted in parallel with GDPR with the goal of enabling the unhindered transfer of personal information between Bermuda and any EU member state, and between the increasing number of other countries that have been or will be deemed adequate by the EU Commission.

This is particularly useful considering the current market environment where Bermuda is actively seeking to attract digital asset businesses and ICO activity by creating a regulatory environment for these businesses.

Pipa will further cement Bermuda’s reputation as a leading international offshore centre. Under Pipa, refusal to comply or failure to comply with an order issued by the Commissioner is an offence. A corporate entity is liable on conviction to a fine of up to $250,000. Individuals found in breach may be subject to a fine of up to $25,000, or imprisonment for a term of two years, or both.

In March 2017 New York State introduced Cybersecurity Regulations that require financial services organisations to formally assess their cybersecurity risks and establish a programme to address those risks. The regulations include a requirement to establish minimum cybersecurity practices that their suppliers and service providers must meet.

These new regulations have enforced security requirements upon the supply chain of American financial institutions. So, even though an organisation may not be directly regulated, if it has American clients that are bound by such regulations, it must be prepared to be on the receiving end of those clients’ cybersecurity requirements.

With all these regulations in place, businesses globally and locally alike will feel increased pressure to ensure that they are ready for the authorities. Ignoring the regulations and their potential impact on your business in the event of a data breach or non-compliance simply isn’t an option. Compliance will cost money and time, but avoidance will cost far more should the penalties hit.

Actions to consider as soon as possible:

• Review and seek advice on what these regulations might mean to you and your business

• Assess the level of privacy and cybersecurity risk to which your business is exposed

• Based on your company’s policies, draft appropriate personal information collection statements, customer terms and conditions, website privacy policies, and employment terms and conditions

• Invest in cybersecurity and put in place appropriate technical safeguards to protect personal information from loss, destruction or unlawful access

• Prepare policies to govern how your company’s human resources department will deal with job applicant data, retention of and access to employee files, employee monitoring, management of sensitive employee data and the use of external vendors for functions such as payroll

Attorney Stephanie Shih is a member of the Corporate Team at Appleby. A copy of this column is available on the firm’s web site at This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult with a lawyer.


Published Sep 21, 2018 at 8:00 am (Updated Sep 20, 2018 at 10:06 pm)
