Data Protection chief’s 20-fold complaints rise

By NEIL HARTNELL

Tribune Business Editor

nhartnell@tribunemedia.net

THE Data Protection Commissioner has seen a near 20-fold increase in the number of complaints since she took the post two years ago, with her office now preparing to investigate the hacking of a Bahamian bank’s website.

Sharmie Farrington-Austin told Tribune Business that since taking office in June 2013, the number of personal data/privacy breach complaints had skyrocketed partly due to the Commission’s work on education and public awareness.

“When I took this chair, we had a maximum of five complaints a year maybe,” she recalled. “Now, we’re well into the 90s, so that can tell you the level of increase. There has been a big increase in privacy breach complaints to this office.”

Mrs Farrington-Austin also warned Bahamians not to become so caught up in the forthcoming general election campaign that they inadvertently breached the Data Protection Act and other relevant laws.

“Silly season is coming up, and people become so caught up in the election season that they disclose the individual’s private information,” she explained. “People should be careful not to do that.”

Mrs Farrington-Austin, meanwhile, said the Data Protection Commission had been “stressing” the need for banks to upgrade protection of customers’ private financial data before the hacking attack, and $30,000 extortion demand, made on the Fidelity Group of Companies.

She explained that her office’s first priority was to work with Fidelity and its data controllers to “contain the breach”, and then determine how to prevent further occurrences.

This newspaper revealed on Friday how a group, calling itself ‘Hack for Trump’, was seeking a ransom payment from the Bahamian-headquartered financial provider to prevent the leaked information being disclosed on the Internet.

Fidelity, though, moved quickly to reassure clients there had been no widespread leak of personal financial data. It pointed out that ‘Hack for Trump’ had itself admitted that it had been unable to access the sensitive personal financial data that Fidelity held on its customers.

Anwer Sunderji, Fidelity’s chairman, said the group appeared to have hacked an external server that hosts Fidelity’s public website.

Reassuring Fidelity’s hundreds of clients, he told Tribune Business: “We know that none of the data we have got compromised.

“They [Hack for Trump] say themselves, they confirmed, that they weren’t able to break into our servers. They got our personnel evaluations and they got e-mails that were received via our general information address on our website.”

Mr Sunderji said the only possible exposure was “minor”, and involved the possibility that “a very small number of customers” may have e-mailed their account or policy numbers to the general e-mail address on the website.

Meanwhile, confirming that her office had begun a probe following notification of the breach by Fidelity, Mrs Farrington-Austin said all Bahamas-based companies had “to provide adequate safeguards” for clients’ personal data.

Referring to her recent appearance on a radio show with host Ed Fields, she added: “One of the things I was stressing was that banks especially can be susceptible to hackers.

“Therefore, we are requiring them to upgrade the safeguards they have with regard to securing customers’ personal information, ensuring they can’t access personal information.

“We want them to be vigilant. We want to be sure that banks are constantly reviewing the security policies and plans they have.”

Mrs Farrington-Austin said her office was now investigating the Fidelity ‘hack’ using section 15 of the Data Protection (Privacy of Personal Information) Act.

“Our first priority and approach is to work with the relevant data controller to ensure that the breach is contained,” she explained. “We have within our Act the power to work with data controllers.

“We will obviously be working with the organisation concerned to see how best we can prevent further compromises. And we always try to stress to data controllers that once the hack has occurred, it’s very important to notify the individuals concerned so they can minimise the damage.”

The Data Protection Commissioner said this was not the first ‘hacking’ case her office had dealt with. She recalled how foreign nationals had been caught inserting skimming devices into Automated Teller Machines (ATMs) so they could read, and then steal, people’s cash, debit and credit card information.

And several Bahamian-based banks had to reissue credit cards to clients after an overseas-based services processor, which held their data, was hacked and compromised.

The Fidelity ‘hack’, too, resulted from the compromise of the third-party server that hosted the group’s website.

Mrs Farrington-Austin, though, warned: “Organisations (data controllers) that use third party data processors to process personal information on their behalf must take particular care, because under the Data Protection (Privacy of Personal Information) Act, ultimately the data controllers, not the data processors, will be held accountable under the Act for what the data processor does with the personal information.”

Mrs Farrington-Austin said the Bahamas had to “be extra vigilant” in protecting people’s personal data due to the economy’s reliance on financial services.

She emphasised that ever-advancing technology continued to impact personal and data privacy “to the extent it’s embedded in technology”.

“We have to make sure that as technology advances we keep pace to protect individuals’ data,” Mrs Farrington-Austin said. “We know that as technology advances, we will have data breaches.

“We have to be just as resolved that if a data breach occurs, people’s data is protected and they get appropriate remedies for any financial loss or damage.”

Mrs Farrington-Austin emphasised that the consequences of electronic data breaches can be “very, very, very far-reaching” both for the individuals and companies involved.

Criminals could employ that data in “fraudulent transactions across multiple jurisdictions”, while affected individuals were likely to bring court actions against the parties liable for their loss, resulting in multi-million dollar damages and management being held accountable.

Mrs Farrington-Austin unveiled a ‘four-point plan’ that all companies should employ when a data breach occurs.

The first step involved the development of a recovery plan and procedures for limiting the damage, which are to be followed by a risk assessment of the dangers for individuals whose data has potentially been compromised.

Those affected should then be notified, along with the Data Protection Commissioner, police and relevant regulators.

And, finally, the cause of the breach needs to be investigated and the company’s response evaluated. Corrective measures then need to be taken to ensure it never happens again.
