Leonie Tear
Partner
Bermuda
Key takeaways
Cyber-attacks continue to be on the increase. Bermuda's new Personal Information Protection Act 2016 ("PIPA") has been in effect for less than one month and yet the Privacy Commissioner ("Commissioner") has already received the first data breach notification report.
The first reported incident relates to a data attack on PowerSchool, a vendor to the Department of Education, that took place in late December. PowerSchool has reported theft of personal information relating to teachers, students and parents. Whilst not infected with ransomware, PowerSchool has reportedly made a ransom payment to the threat actor in exchange for a promise that the stolen data will not be sold.
In this advisory, we set out practical guidance on how to prepare for a cyber-attack, how to put in place a cyber-attack response plan and the key legal considerations regarding ransom payments.
1. Response team. Identifying in advance a pre-determined team that will convene in the event of a cyber-attack and manage all aspects of the response will save significant time and provide for a well-executed response. As a minimum, this should include the Chief Information Security Officer, General Counsel, Chief Compliance Officer, Head of Human Resources (in case of internal involvement) and media relations (if available). Time zone coverage should be considered for global organisations establishing such teams. A timely report should be made to the Board to allow for effective governance.
2. Disaster recovery plan. This should include how to: switch off the systems, nodes and servers that are contaminated; identify required decryption tools; switch off backup systems likely to be targeted; and start an investigation into whether any internal threat actor was involved to enable swift suspension or dismissal.
3. External providers. You will require a team of legal, consultant and specialist service providers that can advise on legal requirements and risks of payment, monitor dark web activity, advise on who the threat actor appears to be and explain the extent of the breach.
4. Regulatory reporting requirements. In Bermuda, PIPA requires that in the case of a breach of security leading to the loss, unlawful destruction, unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual, the organisation responsible for that personal information must "without undue delay" notify the Commissioner of the breach. Further, PIPA requires the organisation to then notify any individual affected by the breach.
There is no specified time that amounts to undue delay. In an announcement made following the PowerSchool incident, released on 20 January 2025, the Commissioner provided the following guidance on the purpose and meaning of the phrase "undue delay":
"A breach of security can take time to investigate and resolve. Notification of a breach should occur as soon as possible, or in other words without undue delay. Once an organisation is aware of a breach, they are permitted to assess the situation and validate details before notification. An example of undue delay before notification would be if the time spent assessing the situation would increase the likelihood or severity of the harm to an individual."
There are also reporting requirements for reports relating to cyber incidents to be made to the Bermuda Monetary Authority ("BMA") for those in regulated sectors. For example, under the Digital Assets Business Act 2018, the Senior Representative of a regulated entity is required to disclose to the BMA any "cyber reporting event".
For any entity with a global footprint, it will be important to understand not only local reporting obligations to all relevant regulators, but also applicable laws and reporting obligations in each jurisdiction where the company has a presence. This should be contained in a cyber-attack response plan that details whether reporting is mandatory, the timeframe within which to report and what triggers the countdown timer for that timeframe.
This is where the pre-determined response team also helps: each area has a set role and responsibilities. Whilst legal are busy determining reporting requirements (under law or contractual obligations) and ensuring legal privilege extends to response efforts to the extent possible, IT security can be locking down the spread of the malware and consultants can be monitoring the dark web to see if the breached information is already up for sale.
5. Insurance. It is important to know what insurance applies, the extent of that insurance and whether there is a requirement to notify insurers within specified notification periods.
6. Remediate. Equally important to response is remediation. At the same time as managing the attack, a team should be focused on understanding how it occurred and how to stop it recurring in future. A general cybersecurity audit should be considered.
Contact us for support in establishing a cyber-attack policy and procedures to ensure your organisation is in the best possible position it can be to respond in the event of an attack. Should an attack occur, contact our experienced team and we can guide you through the response.