Directors liable for PIPA compliance failure in Bermuda

Published: 22 Jul 2024
Type: Insight

There are several aspects of an enterprise’s use of data that now must land on the boardroom table of Bermuda organisations, including cybersecurity oversight. Compliance with the island’s Personal Information Protection Act 2016 must be added to that list when it comes into full force on 1 January, 2025.

For example, the various iterations of the Bermuda Monetary Authority’s published Codes of Conduct concerning the operational management of cyber-risk expressly establish the clear and fundamental principle that the board of directors must have governance oversight of cyber-risk.

Perhaps the Government’s “codes of practice” to be issued under Bermuda’s recent Cybersecurity Act 2024 may follow the BMA’s model of ultimate board responsibility.

Although PIPA does not expressly place an organisation’s compliance responsibility on the shoulders of the board, PIPA accomplishes the same objective by imposing certain potential liabilities on the directors in the event of their organisation’s compliance failure.

PIPA sets out various circumstances that may constitute a privacy offence. For example, PIPA makes it an offence to wilfully or negligently use (or authorise the use) of personal information in a manner that is inconsistent with any of the requirements of Part 2 of PIPA if that use is likely to harm an individual.

Such offences may include the failure to: protect personal information with adequate safeguards; keep personal information only for as long as is necessary for the use it was collected for; meet PIPA’s requirements to allow the transfer of personal information overseas; or, comply with PIPA’s breach of security and notice requirements, among other possible offences.

Of particular relevance to corporate directors, PIPA provides (in part) that where an offence has been committed by an organisation, and is proved to have been committed with the consent or convivence of, or to be attributable to, “any neglect” on the part of any director, that person (as well as the organisation) will also have committed that offence and is liable to be proceeded against and punished accordingly.

More poignantly, section 47 (3) of PIPA provides that a person who commits an offence, such as noted above, may be liable on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment for a period of time not exceeding two years, or to both.

As attention grabbing as those possible offence penalties are for corporate directors, there are some important mitigating aspects of PIPA to keep in mind.

First, for any section 47 (2) offences that may be asserted against the organisation and any of its corporate directors, it is a defence for the organisation and an individual director who has been charged with any offence to prove that the organisation and the director acted reasonably in the circumstances that gave rise to the offence.

Second, in determining whether a person has committed an offence under PIPA, a court must also consider whether a person has followed any relevant code of practice which has, at the time the offence was committed, been issued by the Government. It remains to be seen if any such codes of conduct will be issued prior to 1 January, 2025.

Third, to the extent that the privacy enforcement cases over the past decade in Canada may be instructive given PIPA’s correspondence to those privacy protection regimes, Canadian privacy regulators have consistently considered, as mitigating factors, whether the organisation — and their corporate directors — were otherwise diligent and active in ensuring that the organisation complied with all other aspects of their privacy protection obligations.

Some examples might include undertaking staff training; protecting personal information with adequate security measures; adopting the required administrative and operational measures and policies; and generally conducting reasonable governance oversight to promote privacy rights compliance.

Fourth, and perhaps more importantly, many provisions in PIPA promote internal compliance resolution and are designed to facilitate the amicable resolution of PIPA disputes as between an organisation, an individual and the Privacy Commissioner, which may minimise offence prosecutions.

In that regard, many public statements have been made by Bermuda’s Privacy Commissioner that have expressed his office’s immediate and pragmatic priority of focusing on promoting compliance awareness and preparedness, all in the wise and constructive recognition that it will take time for all organisations to become operationally comfortable with, to adjust to, and to also improve their compliance regimes even after PIPA’s go-live date.

For many regulated sectors in Bermuda, PIPA constitutes another genre of necessary governance oversight in the midst of converging corporate director duties that are related to IT security, data protection, and operational cyber-risk management – all of which requires corporate director vigilance.

First Published in The Royal Gazette, Legally Speaking column, July 2024

Share
More publications
050-Insolvency-Restructuring-Grid-Image
13 Jul 2026

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations applicable in Bermuda.

Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.