Bermuda: PrivCom publishes blog on cyberattacks
On March 28, 2024, the Bermuda Office of the Privacy Commissioner (PrivCom) published a blog discussing security breaches, the nature of personal information processed by organizations, and the importance of data security.
Managing security breaches
The blog suggests that security breaches are complex events that are not necessarily an organization's fault. Further, the blog highlights the importance of aligning security controls with potential threats and the harm a breach might cause. The blog indicates that PrivCom currently does not mandate breach reporting, but instead encourages organizations to focus on preparing for compliance with security and data breach notification provisions of the Personal Information Protection Act 2016 (PIPA) slated for enforcement in 2025.
The blog points out various harms that could arise from the misuse or accidental mishandling of personal information, including financial loss, emotional distress, and discrimination. The blog also mentions the potential for information to be used in creating synthetic identities, complicating the attribution of fraudulent activities.
To facilitate organizational compliance with PIPA, the blog highlights resources on best cybersecurity practices, including advice on backups, cybersecurity awareness, and breach response.
PIPA and PrivCom's role
Ahead of PIPA's implementation in 2025, the blog outlines the anticipated requirement for organizations to notify individuals affected by data breaches, facilitating protective measures against adverse effects. The blog also states that PrivCom would release further guidance on data breach notifications and the process for reporting breaches.
You can read the blog here.