For example, the various iterations of the Bermuda Monetary Authority’s published Codes of Conduct concerning the operational management of cyber-risk expressly establish the clear and fundamental principle that the board of directors must have governance oversight of cyber-risk.

Perhaps the Government’s “codes of practice” to be issued under Bermuda’s recent Cybersecurity Act 2024 may follow the BMA’s model of ultimate board responsibility.

Although PIPA does not expressly place an organisation’s compliance responsibility on the shoulders of the board, PIPA accomplishes the same objective by imposing certain potential liabilities on the directors in the event of their organisation’s compliance failure.

PIPA sets out various circumstances that may constitute a privacy offence. For example, PIPA makes it an offence to wilfully or negligently use (or authorise the use) of personal information in a manner that is inconsistent with any of the requirements of Part 2 of PIPA if that use is likely to harm an individual.

Such offences may include the failure to: protect personal information with adequate safeguards; keep personal information only for as long as is necessary for the use it was collected for; meet PIPA’s requirements to allow the transfer of personal information overseas; or, comply with PIPA’s breach of security and notice requirements, among other possible offences.

Of particular relevance to corporate directors, PIPA provides (in part) that where an offence has been committed by an organisation, and is proved to have been committed with the consent or convivence of, or to be attributable to, “any neglect” on the part of any director, that person (as well as the organisation) will also have committed that offence and is liable to be proceeded against and punished accordingly.

More poignantly, section 47 (3) of PIPA provides that a person who commits an offence, such as noted above, may be liable on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment for a period of time not exceeding two years, or to both.

As attention grabbing as those possible offence penalties are for corporate directors, there are some important mitigating aspects of PIPA to keep in mind.

First, for any section 47 (2) offences that may be asserted against the organisation and any of its corporate directors, it is a defence for the organisation and an individual director who has been charged with any offence to prove that the organisation and the director acted reasonably in the circumstances that gave rise to the offence.

Second, in determining whether a person has committed an offence under PIPA, a court must also consider whether a person has followed any relevant code of practice which has, at the time the offence was committed, been issued by the Government. It remains to be seen if any such codes of conduct will be issued prior to 1 January, 2025.

Third, to the extent that the privacy enforcement cases over the past decade in Canada may be instructive given PIPA’s correspondence to those privacy protection regimes, Canadian privacy regulators have consistently considered, as mitigating factors, whether the organisation — and their corporate directors — were otherwise diligent and active in ensuring that the organisation complied with all other aspects of their privacy protection obligations.

Some examples might include undertaking staff training; protecting personal information with adequate security measures; adopting the required administrative and operational measures and policies; and generally conducting reasonable governance oversight to promote privacy rights compliance.

Fourth, and perhaps more importantly, many provisions in PIPA promote internal compliance resolution and are designed to facilitate the amicable resolution of PIPA disputes as between an organisation, an individual and the Privacy Commissioner, which may minimise offence prosecutions.

In that regard, many public statements have been made by Bermuda’s Privacy Commissioner that have expressed his office’s immediate and pragmatic priority of focusing on promoting compliance awareness and preparedness, all in the wise and constructive recognition that it will take time for all organisations to become operationally comfortable with, to adjust to, and to also improve their compliance regimes even after PIPA’s go-live date.

For many regulated sectors in Bermuda, PIPA constitutes another genre of necessary governance oversight in the midst of converging corporate director duties that are related to IT security, data protection, and operational cyber-risk management – all of which requires corporate director vigilance.

First Published in The Royal Gazette, Legally Speaking column, July 2024

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Privacy-and-Data-Protection
28 Nov 2024

Augmented Advocacy Series (Bermuda): Copyright infringement in the age of AI

Artificial intelligence is revolutionising the way that humans solve problems and create.

Appleby-Website-Employment-and-Immigration
19 Nov 2024

When and how to vary a Bermuda contract of employment

A contract of employment is a legal agreement that sets out the terms and conditions of an employee�...

Technology and Innovation
8 Nov 2024

When non-tech companies buy IT

Generally, there are three categories of information technology buyers: non-technology enterprises, ...

050-Insolvency-Restructuring-Grid-Image
15 Oct 2024

Insolvency: Bermuda

In-Depth: Insolvency (formerly The Insolvency Review) offers an incisive review of the most conseque...

Appleby-Website-Insurance-and-Reinsurance
10 Oct 2024

Recovery planning for commercial insurers

New rules released by the Bermuda Monetary Authority aim to equip certain insurers with a structured...

The Global Website header
7 Oct 2024

The Global – your offshore corporate law questions answered: October 2024

The Global is a quarterly collection of corporate expert insights and analysis across Appleby's glob...

Brad Adderley, Bermuda Managing Partner at Appleby, will speak at the 2022 Society of Actuaries (SOA) Life Meeting on 23-26 August in Chicago.
2 Oct 2024

Bermuda: It’s Impressive How Mainstream Cat Bonds Have Become

Although Brad Adderley, Bermuda Managing partner at Appleby, doesn’t expect 2024 to be another rec...

Appleby-Website-Private-Client-and-Trusts-Practice
26 Sep 2024

Private Wealth and Private Client: Bermuda

In-Depth: Private Wealth and Private Client (formerly The Private Wealth & Private Client Review) pr...

Technology and Innovation
26 Sep 2024

Augmented Advocacy Series (Bermuda): The Practice of Law in the Age of AI

As the world enters the age of artificial intelligence, the legal profession is once again faced wit...