Digital innovation is reshaping the way the majority of industries and businesses are functioning today. It’s becoming more and more evident that data collection and its analysis will become the basis of future service offerings and business models. We’ve all heard the catchline “data is the new gold”, though of course not everybody loves data in the same way that people love gold – especially when you consider millions of prospectors all over the globe scrambling to get their hands on it.
The Cayman Islands is in a unique position, in that it just might be the smallest jurisdiction to have a modern data protection law, which came into effect 30 September 2019. These new regulations indicate the importance placed on personal data in the Cayman Islands and the need to protect against its misuse in both the public and private sectors.
Cayman Tech City and Digital Cayman recently hosted a “Tech Talks” discussion which placed data protection under the spotlight. The discussion was led by Brian Gallagher, co-founder of Digital Consulting Group SEZC, a subsidiary of Instars and a Cayman Tech City based company, who was joined by the Deputy Ombudsman – Information Rights Division, Jan Liebaers, a key member of the drafting committees of the Data Protection Law 2017; Blair Lilford, founder of SALT Technology Group; and Iain Kenny, a leading expert in data protection and former Chair of the Cayman Finance LRC Data Protection Working Group.
We recently regrouped with Jan Liebaers and Iain Kenny for some key takeaways and factors to consider.
CEC: Jan, as Deputy Ombudsman within the Information Rights Division, can you give us some insights into what drives government regulation? Now that Cayman’s data protection law has come into effect, how do we support consumer education?
Jan Liebaers: The Data Protection Law (DPL) provides much needed regulation for the processing of personal data. In our interconnected world we are reminded, almost on a daily basis, of breaches and personal data being misused. This is a particular risk in a digital environment where such information often ends up entirely beyond the control of the individual it relates to, and where personal data is too often used for purposes the individual is not even aware of. The Cayman Islands has now joined a growing community of jurisdictions that are pushing back by introducing principled-based rules on the processing of personal data. The DPL also grants specific rights to individuals in respect of their own personal data (with certain exceptions), for instance the right to access your data, the right to have incorrect data rectified, the right to restrict how your data is processed, and other related rights.
Privacy is a basic human right, enshrined in the Cayman Islands Constitution. In practical terms it is an opportunity for businesses to set themselves apart from the competition, by showing their customers they do not take them or their data for granted.
As always, education is key. It is important that businesses, organizations and public authorities, whether big or small, understand the requirements of the DPL, recognize the specific risks their processing entails, know what tools are at their disposal, and act responsibly towards the personal data they have been entrusted with. Individuals for their part play an important role in this equation. They are the subject of the data and can also play an essential role by monitoring how their data is treated, and insisting their rights are respected.
Detailed guidance for data controllers and data subjects is available on the Ombudsman website www.ombudsman.ky. Our team of specialists offers detailed monthly data protection awareness sessions. We answer inquiries, investigate complaints and data breaches, and have the power to enforce compliance, where necessary.
CEC: Iain, you have a unique background as a former detective within a Technological Crimes Unit. How exactly should companies take a zero-trust posture for all devices and data, and in your opinion, what does the future of data protection look like?
Iain Kenny: Historically, security was focused on the perimeter of organizations. But given the complexity of modern technology, the multiple ingress and egress points for personally identifiable information (“PII”) and the inability to eliminate the human factor, we now understand that the historical perimeter security model is obsolete. Organizations have realized that it is not a matter of if an organization will suffer a data breach but when that breach will occur, and in most cases the breach will be the result of a failure of controls within the network perimeter. The Target data breach that occurred in the USA was deemed to have occurred due to the failure to adequately segregate the access of an external contractor, engaged to manage the heating, ventilation and cooling systems, from the core network. The breach of the external contractor’s systems then resulted in unchecked and unlimited access to Target’s network infrastructure, where data for 60 million customer accounts was accessed. As a result of these types of large-scale breaches, the concept of Zero Trust has become pivotal in implementing effective cyber risk management.
Due to the increase of sophistication of cyber criminals and the financial limitations of government to hire, train and retain cyber professionals in law enforcement, it is now clear that the duty to protect client data rests solely with the data custodians going forward.
Zero Trust ensures that by default no one has access to key PII within the organization and places layers of control both internally and at the perimeter to enable effective risk management around sensitive data assets. This methodology is focused around layered defenses and no longer focused on protecting just the perimeter. Access is prohibited and restricted unless explicitly authorized.
Although Zero Trust models can increase complexity and sometimes upfront information technology costs, the financial damage of a data breach, both from an incident response perspective and from potential lost revenue as a result of reputational damage, in most cases far exceeds the cost of implementing Zero Trust.
The old logic of collect and retain everything that may be useful in the future needs to be retired as this increases the risk of impact should a breach occur and this model is now directly in conflict with new data privacy laws such as the Cayman Data Protection Law (“DPL”) or the General Data Protection Regulation (“GDPR”) which regulate and limit the collection, use and retention of PII.
Just like technology, we must evolve our methods and sophistication to address the ever-evolving risks. Had the City of Troy adopted a zero-trust model they would never have wheeled the giant horse inside the city walls, and the Trojan war may not have been lost to the Greeks.
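The two ideas Iain Kenny describes above, default-deny access to PII with explicit grants, and retiring the "collect and retain everything" habit, can be made concrete in a few lines. The following is an added illustration written for this article, not code from the interview or from any of the organizations named; the principals, resources, roles, sample records and the 365-day retention period are all constructed for the demo. The access check deliberately has no "allow by default" path: a principal such as an HVAC contractor reaches only the resource it was explicitly granted, and every decision is written to an audit trail so that denied attempts are visible to the defenders.

```python
"""Default-deny (zero-trust style) access checks plus a retention sweep.

Added example for illustration only; all names and data below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Grant:
    """One explicit permission: who may do what to which resource."""
    principal: str
    resource: str   # e.g. "network/hvac" or "pii/customer" (constructed names)
    action: str     # e.g. "read" or "write"


@dataclass
class Policy:
    """Allow-list policy: anything not explicitly granted is denied."""
    grants: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def allow(self, principal: str, resource: str, action: str) -> None:
        self.grants.add(Grant(principal, resource, action))

    def is_allowed(self, principal: str, resource: str, action: str) -> bool:
        # Default deny: the only way to get True is an exact matching grant.
        decision = Grant(principal, resource, action) in self.grants
        verdict = "ALLOW" if decision else "DENY"
        # Record every decision, denials included, for detection and review.
        self.audit.append(f"{verdict} {principal} {action} {resource}")
        return decision


def build_demo_policy() -> Policy:
    """Constructed grants: the contractor gets the HVAC segment and nothing else."""
    policy = Policy()
    policy.allow("hvac-contractor", "network/hvac", "read")
    policy.allow("hvac-contractor", "network/hvac", "write")
    policy.allow("support-agent", "pii/customer", "read")
    return policy


def overdue_records(records: list, today: date, retention_days: int) -> list:
    """Return ids of records held longer than the agreed retention period."""
    return [r["id"] for r in records if (today - r["collected"]).days > retention_days]


# Constructed sample records (id and the date the PII was collected).
SAMPLE_RECORDS = [
    {"id": "c-001", "collected": date(2018, 6, 1)},
    {"id": "c-002", "collected": date(2019, 11, 15)},
]


def demo_overdue() -> list:
    """Sweep the sample records as of 12 December 2019 with a 365-day limit (assumed)."""
    return overdue_records(SAMPLE_RECORDS, date(2019, 12, 12), 365)


if __name__ == "__main__":
    policy = build_demo_policy()
    attempts = [
        ("hvac-contractor", "network/hvac", "read"),    # granted
        ("hvac-contractor", "pii/customer", "read"),    # not granted: denied
        ("support-agent", "pii/customer", "write"),     # read only: denied
    ]
    for principal, resource, action in attempts:
        policy.is_allowed(principal, resource, action)
    print("\n".join(policy.audit))
    print("Records past retention:", demo_overdue())
```

The `audit` list stands in for whatever log pipeline an organization actually uses; the point is that a DENY for a principal that should never be touching `pii/customer` is exactly the signal a detection team wants to alert on, and that a retention sweep gives the "delete what you no longer need" rule a routine, checkable form.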
The discussion, which took place 12 December 2019 at The Greenhouse, was part of an ongoing series of monthly ‘Tech Talks’ by Cayman Tech City in partnership with Digital Cayman. Tech Talks are open to members of the public working within the Cayman Islands’ technology sector. For more information and to register your interest email email@example.com.