
News Alert

May 2017

Protecting Personal Data from Cyber-Attacks


Last week the world woke up to the latest cyber-attack of 2017. Initially striking the NHS in the UK, the
malicious “WannaCrypt” ransomware then quickly spread across the globe with more than 200,000 computers
infected across 150 countries. Once infected, the malware prevents organisations from accessing their data
holdings unless a ransom is paid.

The story is becoming increasingly familiar, and with each high-profile attack the protection of personal data
held by businesses becomes an ever greater concern. Cybercrime is fuelled by the sheer volume of data now
available, and the increasing use of offsite and cloud storage systems has dispersed that data, giving criminals
many more points from which to access it.

Faced with such threats, businesses have been encouraged to review their cyber security and upgrade their IT
systems. But technology on its own cannot stop a cyber-attack unless the organisation fully understands the
data assets that the technology is trying to protect. An effective cyber security strategy requires a legal
analysis of an organisation’s whole approach to data protection - how the organisation controls the collection,
use and sharing of its data.

Data protection and cyber security are no longer just IT concerns; they are now board level issues.

Do not delay

All businesses located outside the EU that offer goods and services to EU citizens will need to ensure
compliance with the EU’s General Data Protection Regulation (GDPR), which comes into effect in May 2018. The
GDPR includes requirements for personal data security and, in the event of a data breach, notification to the
relevant regulatory authority and any affected individual data subjects.

Comprehensive data protection legislation has also recently been passed in Bermuda and the Cayman Islands.
Drafted around a set of EU-style data privacy principles, both laws are expected to come into force during 2018
and will apply to all organisations processing personal data in those jurisdictions.

Organisations operating in offshore centres need to get it right – reputations, large fines (in some cases up to
the greater of €20 million or 4% of global annual turnover) and criminal liability are now at stake.

Developing a cyber security compliance plan

At a high level, the steps towards developing an effective compliance plan are as follows:

• What personal data does the business hold and in what format – paper, electronic, tape?

• How was that personal data captured, and for what purposes is it being used and processed by the
business?

• Is that personal data being transferred to any other company within the group or to third parties for
any purpose? If yes, into which jurisdictions is the data being sent?

• What data protection and cyber security regulatory regimes apply to the organisation’s personal data
holdings, considering both the location in or from which the data was collected and the locations where
it is being processed?

• Are the organisation’s existing policies and procedures compliant with applicable data protection laws?
Where are the gaps?

• In the event of a data breach, are systems in place to ensure that the breach can be quickly identified
and the appropriate authorities and any affected data subjects notified?

• Looking to the future, what plans does the business have for processing personal data, having regard to
new business lines, new jurisdictions, new technologies, new business models and other opportunities
for commercialising its data holdings?

Identifying vulnerabilities

Offshore financial centres represent an attractive target for cyber criminals because of the large and often
highly sensitive data holdings being collectively managed by those centres. As organisations increasingly
outsource a significant part of their day-to-day operations to external service providers, these transfers also
leave them vulnerable to attack. Cyber criminals can easily identify and exploit weak links in the flow of
information between the organisation and its external providers.

Data that may have been anonymised or aggregated by an organisation will still require careful handling. The
rise of social media and the increase in online public data sources means cyber criminals are now easily able to
“re-identify” individuals by combining that information with the anonymised or aggregated datasets.

Transferring data to third parties

In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues
must be considered before any transfers of personal data are made to third parties. There is no substitute for
proper due diligence on the systems, policies and procedures of third party providers to ensure that personal
data is handled appropriately and securely. Regular physical audits and independent testing of a service
provider’s controls would also be advisable.

Contractual provisions should be put in place between the organisation and the third party service provider to
ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted
securely and that disaster recovery practices are in place in the event of a data breach. Use of unauthorised
subcontractors by the service provider should be prohibited without the prior approval of the transferor.

Data protection and new technologies

Financial technologies or “FinTech” are emerging technologies that have the potential to supplement or disrupt
the offshore financial services industry. FinTech solutions also raise data protection and cyber security concerns
that need to be carefully considered before they are adopted.

Blockchain, or distributed ledger technology, is starting to be used to centralise a number of back-office and
compliance functions. Designed to keep a permanent, immutable record of all transactions that have taken
place, the technology is at odds with the requirement under modern data protection legislation to ensure that
all personal data is securely purged once the purpose of use has been fulfilled. As users of the ledgers may be
anonymous, there is also the potential for criminal organisations to apply powerful data analytics to these
datasets, matching records that appear to be free of personally identifiable information to records that are not,
and thereby re-identifying individuals from that data.

The attraction of flexible working has led to a growth in the popularity of “bring-your-own-device” (BYOD)
policies. While some organisations are issuing smartphones and tablets to employees, other employees may be
using their personal devices for business purposes without approval. Where BYOD is offered, a careful balance
needs to be struck between employee satisfaction and protecting personal data. Organisations should put in
place a clear BYOD strategy that sets out minimum do’s and don’ts for using a device. Business data on the
device should be encrypted, and the organisation should have the ability to remotely access, monitor and wipe
that data and to prevent third party apps from accessing it.

Top-down compliance

Effective data protection starts with knowing your data, but in the era of mobile devices and cloud computing,
identifying the full extent of an organisation’s personal data holdings can be difficult, as the databases are not
always clearly marked out as such. A data audit should be conducted to establish a clear view of the data, both
proprietary data and client-specific personal data.

Implementing a data protection and cyber security compliance programme involves engagement with the right
stakeholders across the organisation. An effective governance regime for approving, overseeing, implementing
and reviewing the various policies also needs to be established. A coordinated chain of command should be
developed, together with written reporting procedures, authority levels and protocols including seeking and
complying with legal advice. The appointment of official roles such as a Data Protection Officer is also
recommended.

Compliance training will be required for personnel at all levels, including key external service providers, to
emphasise the importance of compliance to the organisation. Serious misconduct should be addressed with
appropriate disciplinary action, regardless of seniority. The compliance programme should be reviewed
regularly reflecting changes in the law and regulation, changes in the types of data being collected and used,
and any changes in the technologies utilised by the organisation.

Protecting personal data is now business critical. Even if monetary losses are not sustained as a result of a
cyber-attack, the reputational damage to an organisation following a data breach could be devastating.

At Appleby we offer advice to clients on all aspects of data protection and cyber security compliance, including:

• Privacy impact assessments, which include a general framework for the organisation to assess privacy
impacts due to proposals for organisational, technological or policy change;

• Data collection and capture, including policies concerning the mechanics of collecting consents;

• Advising on the transfer of personal data as part of business merger and acquisition and joint venture
activity;

• Structuring cross-border data transfers, including as part of shared services and cloud arrangements;

• Human resources management, including policies dealing with job applicant data, retention of and
access to employee files, employee monitoring, management of sensitive employee data and the use of
external vendors for functions such as payroll and counselling;

• Data subject access, including procedures for assessing and verifying requests and responding to those
requests;

• Data analytics, including policies specifying the types of profiling data that may be used, and
anonymisation/aggregation principles;

• Responding to data requests from foreign regulators;

• Data breach management, including policies for escalating, containing and remediating breaches and
making breach notifications to regulators and affected parties;

• Complaints handling, including complaints from customers, employees and other affected individuals;
and

• Data quality management, including procedures for updating and correcting databases and determining
if data is to be erased.

If you have any questions, please do not hesitate to contact a member of the Technology and Cyber Team.

Technology and Cyber Team

Steven Rees Davies
Partner, Corporate
Bermuda
+1 441 298 3296
sreesdavies@applebyglobal.com

Andrew Jowett
Partner, Corporate
British Virgin Islands
+1 284 393 5316
ajowett@applebyglobal.com

Claire Milne WS
Partner, Corporate
Isle of Man
+44 (0)1624 647 698
cmilne@applebyglobal.com

Richard Sheldon
Counsel, Dispute Resolution
Guernsey
+44 (0)1481 755 904
rsheldon@applebyglobal.com

Peter Colegate
Senior Associate, Corporate
Cayman Islands
+1 345 814 2745
pcolegate@applebyglobal.com

Melissa Virahsawmy
Senior Associate, Corporate
Mauritius
+230 203 4312
mvirahsawmy@applebyglobal.com

Katherine Johnson
Associate, Corporate
Isle of Man
+44 (0)1624 647 971
kjohnson@applebyglobal.com

Paul Worsnop
Associate, Corporate
Jersey
+44 (0)1534 818 225
pworsnop@applebyglobal.com

Offshore Legal Services applebyglobal.com


© Appleby Global Group Services Limited 2017 • All Rights Reserved

This eAlert is published by APPLEBY and is not intended to be, nor should it be used as, a substitute for specific legal advice
on any particular transaction or set of circumstances. It does not purport to be comprehensive or to render legal advice and
is only intended to provide general information for the clients and professional contacts of Appleby as of the date hereof.

Appleby (Bermuda) Limited (the Legal Practice) is a limited liability company incorporated in Bermuda and approved and
recognised under the Bermuda Bar (Professional Companies) Rules 2009. “Partner” is a title referring to a director,
shareholder or an employee of the Legal Practice. A list of such persons can be obtained from your relationship partner.

Appleby (Cayman) Ltd. (the Legal Practice) is a limited liability company incorporated in the Cayman Islands and approved
and recognised under the Legal Practitioners (Incorporated Practice) Regulations 2006 (as amended). “Partner” is a title
referring to a director, shareholder or an employee of the Legal Practice. A list of such persons can be obtained from your
relationship partner.

Appleby (Guernsey) LLP is a limited liability partnership with registration number 53, incorporated in Guernsey, that
converted from a Guernsey Partnership of Advocates, known as Appleby, Guernsey Office, on 15 March 2016. Its registered
office is Regency Court, Glategny Esplanade, St Peter Port, Guernsey, GY1 1WW.

Appleby (Isle of Man) LLC (the Legal Practice) is a limited liability company with company number 000944L incorporated in
the Isle of Man with its registered office at 33-37 Athol Street, Douglas, Isle of Man, IM1 1LB. “Partner” is a title referring to
a member or employee of the Legal Practice. A list of such persons can be obtained from your relationship partner.
