Cyberattack: Privacy Commissioner in the dark

Awaiting Pipa: Alexander White, Privacy Commissioner for Bermuda (Photograph supplied)

Privacy Commissioner Alexander White said yesterday that sharing information about breaches of confidential data was the best way to “ensure a robust and secure community”.

However, he noted that the Personal Information Protection Act passed by Parliament, which will require his office to be notified of such events so an investigation can be launched, will not come into effect until 2025.

That means the Government is not required to share information with him about whether last week’s “sophisticated and deliberate” cyberattack on its IT systems led to the exposure of citizens’ personal and private information, nor is it required to alert individuals whose data may have been taken by hackers.

Mr White told The Royal Gazette there was not a clear answer to the question of how concerned people should be about a personal data breach “because details about the incident are not yet released”.

He said: “Once Pipa is implemented, it requires organisations to notify individuals so that they can proactively take steps to protect themselves from adverse effects and grants my office the ability to instruct organisations on further steps that may need to be taken as part of the breach response.

“I believe that these notifications will be one of the most practically important aspects of Pipa once Government brings it into effect on January 1, 2025.

“When our office is notified about data breaches, an ensuing investigation would seek to assure that the organisation conducted their analysis of risk and safeguards and acted in a reasonable manner based on the type of information they possess and the type of harms that could fall on individuals.”

Mr White explained that Pipa will require organisations to “protect personal information, with safeguards against risk of loss, unauthorised access, destruction, use, modification or disclosure, or any other misuse”.

He said: “Importantly, these safeguards are to be proportional to the likelihood and severity of the harm, the sensitivity of the information and the context.

“This means that, in practice, the safeguards that an organisation implements will be unique to the risk of harm to the individual.

“There are general best practices, including internationally recognised standards, that organisations should rely on as a form of due diligence, but they may need to supplement those standards depending on their circumstances.”

The Privacy Commissioner said it was tempting to conclude an organisation had done something wrong in the event of a data breach but “no organisation can have perfect cybersecurity and safeguards cannot completely mitigate all risks, no matter how much time, effort or money is spent”.

Mr White said: “While good practices will reduce the chances of an incident, a determined, sophisticated attacker will eventually succeed.

“The organisation must ensure that the controls are appropriate to the threats they face and the risk of harm that the data breach would cause to the individual.”

David Burt, the Premier, described the September 20 cyberattack as a “sophisticated and deliberate attack that has resulted in unprecedented stress on basic government systems”.

Straight after it happened, he said: “It does not at this point in time appear that any data has been taken …”

But at a press conference on Monday, the Premier would not answer questions about whether there was a data breach, insisting: “The investigation efforts are still ongoing, and it would not be wise for me to comment on specifics at this time.”

Mr White told the Gazette his office did not consider its oversight role to be one of “playing gotcha” with organisations.

“This mindset would reward organisations for hiding missteps or issues from the community,” he said.

“Instead, we believe in destigmatising breaches to encourage and incentivise the sharing of lessons learnt and hard-won knowledge about cybersecurity and data issues, so that everyone can benefit.

“Our office aims to protect and mediate and to create incentives to focus on the true issue of preventing harm.

“It is tempting to want to compartmentalise blame but, in fact, an individual could be harmed by a breach even despite due diligence.

“To ensure a robust and secure community, we need to make it OK to share details about what went wrong, how we can contain the issue for now and how the issue can be prevented in the future.”

The chaos caused to the Government’s IT systems by last week’s attack has prompted questions about its cybersecurity and whether there have been any previous breaches.

A national cybersecurity strategy was launched in September 2019, with a preface by Wayne Caines, then the national security minister, which detailed how “cybercriminals seek to use our information and systems against us for their own economic gain”.

Mr Caines warned: “They trade in stolen personal information and use ransomware and other forms of malware to extort money from individuals and businesses … Hacktivists deface websites, disrupt operations and expose sensitive confidential information to the world.”

Michael Weeks, the Minister of National Security at present, told the House of Assembly in June that a cybersecurity unit was being developed to protect the island.

Questions put to the Government yesterday about its cybersecurity processes and past attacks went unanswered by press time.


Published September 27, 2023 at 8:00 am (Updated September 27, 2023 at 8:51 am)
