For example, the various iterations of the Bermuda Monetary Authority’s published Codes of Conduct concerning the operational management of cyber-risk expressly establish the clear and fundamental principle that the board of directors must have governance oversight of cyber-risk.

Perhaps the Government’s “codes of practice” to be issued under Bermuda’s recent Cybersecurity Act 2024 may follow the BMA’s model of ultimate board responsibility.

Although PIPA does not expressly place an organisation’s compliance responsibility on the shoulders of the board, PIPA accomplishes the same objective by imposing certain potential liabilities on the directors in the event of their organisation’s compliance failure.

PIPA sets out various circumstances that may constitute a privacy offence. For example, PIPA makes it an offence to wilfully or negligently use (or authorise the use) of personal information in a manner that is inconsistent with any of the requirements of Part 2 of PIPA if that use is likely to harm an individual.

Such offences may include the failure to: protect personal information with adequate safeguards; keep personal information only for as long as is necessary for the use it was collected for; meet PIPA’s requirements to allow the transfer of personal information overseas; or, comply with PIPA’s breach of security and notice requirements, among other possible offences.

Of particular relevance to corporate directors, PIPA provides (in part) that where an offence has been committed by an organisation, and is proved to have been committed with the consent or convivence of, or to be attributable to, “any neglect” on the part of any director, that person (as well as the organisation) will also have committed that offence and is liable to be proceeded against and punished accordingly.

More poignantly, section 47 (3) of PIPA provides that a person who commits an offence, such as noted above, may be liable on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment for a period of time not exceeding two years, or to both.

As attention grabbing as those possible offence penalties are for corporate directors, there are some important mitigating aspects of PIPA to keep in mind.

First, for any section 47 (2) offences that may be asserted against the organisation and any of its corporate directors, it is a defence for the organisation and an individual director who has been charged with any offence to prove that the organisation and the director acted reasonably in the circumstances that gave rise to the offence.

Second, in determining whether a person has committed an offence under PIPA, a court must also consider whether a person has followed any relevant code of practice which has, at the time the offence was committed, been issued by the Government. It remains to be seen if any such codes of conduct will be issued prior to 1 January, 2025.

Third, to the extent that the privacy enforcement cases over the past decade in Canada may be instructive given PIPA’s correspondence to those privacy protection regimes, Canadian privacy regulators have consistently considered, as mitigating factors, whether the organisation — and their corporate directors — were otherwise diligent and active in ensuring that the organisation complied with all other aspects of their privacy protection obligations.

Some examples might include undertaking staff training; protecting personal information with adequate security measures; adopting the required administrative and operational measures and policies; and generally conducting reasonable governance oversight to promote privacy rights compliance.

Fourth, and perhaps more importantly, many provisions in PIPA promote internal compliance resolution and are designed to facilitate the amicable resolution of PIPA disputes as between an organisation, an individual and the Privacy Commissioner, which may minimise offence prosecutions.

In that regard, many public statements have been made by Bermuda’s Privacy Commissioner that have expressed his office’s immediate and pragmatic priority of focusing on promoting compliance awareness and preparedness, all in the wise and constructive recognition that it will take time for all organisations to become operationally comfortable with, to adjust to, and to also improve their compliance regimes even after PIPA’s go-live date.

For many regulated sectors in Bermuda, PIPA constitutes another genre of necessary governance oversight in the midst of converging corporate director duties that are related to IT security, data protection, and operational cyber-risk management – all of which requires corporate director vigilance.

First Published in The Royal Gazette, Legally Speaking column, July 2024

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Privacy-and-Data-Protection
28 Jul 2025

Insights from the BMA’s Second Consultation Paper on Digital Identity Service Providers

As jurisdictions around the world grapple with the complexities of authenticating digital identities...

Technology and Innovation
24 Jul 2025

Contracts to Manage AI Risk: Part Two (Bermuda)

In part one of this two-part series about artificial intelligence contracts, I discussed the ways th...

Technology and Innovation
22 Jul 2025

Contracts to Manage AI Risk (Bermuda)

This is the first of a two-part article on how artificial intelligence contracts can be used to mana...

Appleby-Website-Insurance-and-Reinsurance
15 Jul 2025

Captives are the grass roots of Bermuda risk

Bermuda has seen tremendous growth in the life reinsurance and insurance-linked securities markets i...

050-Insolvency-Restructuring-Grid-Image
10 Jul 2025

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations ap...

050-Insolvency-Restructuring-Grid-Image
3 Jul 2025

Insolvency law: secured creditors take note (Bermuda)

The recent judgment delivered by the Supreme Court of Bermuda in the matter of Harold J. Darrell hig...

Appleby-Website-Insurance-and-Reinsurance
2 Jul 2025

Bermuda: Education has helped investors get more comfortable as ILS continues to grow

It’s been an exceptionally busy and record first half of the year for the catastrophe bond sector,...

Appleby-Website-Privacy-and-Data-Protection
25 Jun 2025

Impact of Privacy Law on Bermuda Business

On 1st January 2025, Bermuda’s Personal Information Protection Act 2016 (PIPA) came into full forc...

Appleby-Website-Regulatory-Practice
25 Jun 2025

Simplified Due Diligence in Bermuda

Simplified Due Diligence (SDD) and Reduced Due Diligence (RDD) are critical features of a modern, ri...

Appleby-Website-Employment-and-Immigration
23 Jun 2025

Practical Tips for Conducting Workplace Investigations

Allegations of harassment, bullying or other misconduct in the workplace can create a legal mine fie...