Directors liable for Pipa compliance failure
There are several aspects of an enterprise’s use of data that now must land on the boardroom table of Bermuda organisations, including cybersecurity oversight. Compliance with the island’s Personal Information Protection Act 2016 must be added to that list when it comes into full force on January 1, 2025.
For example, the various iterations of the Bermuda Monetary Authority’s published Codes of Conduct concerning the operational management of cyber-risk expressly establish the clear and fundamental principle that the board of directors must have governance oversight of cyber-risk.
Perhaps the Government’s “codes of practice” to be issued under Bermuda’s recent Cybersecurity Act 2024 may follow the BMA’s model of ultimate board responsibility.
Although Pipa does not expressly place an organisation’s compliance responsibility on the shoulders of the board, Pipa accomplishes the same objective by imposing certain potential liabilities on the directors in the event of their organisation’s compliance failure.
Pipa sets out various circumstances that may constitute a privacy offence. For example, Pipa makes it an offence to wilfully or negligently use (or authorise the use) of personal information in a manner that is inconsistent with any of the requirements of Part 2 of Pipa if that use is likely to harm an individual.
Such offences may include the failure to: protect personal information with adequate safeguards; keep personal information only for as long as is necessary for the use it was collected for; meet Pipa’s requirements to allow the transfer of personal information overseas; or, comply with Pipa’s breach of security and notice requirements, among other possible offences.
Of particular relevance to corporate directors, Pipa provides (in part) that where an offence has been committed by an organisation, and is proved to have been committed with the consent or convivence of, or to be attributable to, “any neglect” on the part of any director, that person (as well as the organisation) will also have committed that offence and is liable to be proceeded against and punished accordingly.
More poignantly, section 47 (3) of Pipa provides that a person who commits an offence, such as noted above, may be liable on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment for a period of time not exceeding two years, or to both.
As attention grabbing as those possible offence penalties are for corporate directors, there are some important mitigating aspects of Pipa to keep in mind.
First, for any section 47 (2) offences that may be asserted against the organisation and any of its corporate directors, it is a defence for the organisation and an individual director who has been charged with any offence to prove that the organisation and the director acted reasonably in the circumstances that gave rise to the offence.
Second, in determining whether a person has committed an offence under Pipa, a court must also consider whether a person has followed any relevant code of practice which has, at the time the offence was committed, been issued by the Government. It remains to be seen if any such codes of conduct will be issued prior to January 1, 2025.
Third, to the extent that the privacy enforcement cases over the past decade in Canada may be instructive given Pipa’s correspondence to those privacy protection regimes, Canadian privacy regulators have consistently considered, as mitigating factors, whether the organisation — and their corporate directors — were otherwise diligent and active in ensuring that the organisation complied with all other aspects of their privacy protection obligations.
Some examples might include undertaking staff training; protecting personal information with adequate security measures; adopting the required administrative and operational measures and policies; and generally conducting reasonable governance oversight to promote privacy rights compliance.
Fourth, and perhaps more importantly, many provisions in Pipa promote internal compliance resolution and are designed to facilitate the amicable resolution of Pipa disputes as between an organisation, an individual and the Privacy Commissioner, which may minimise offence prosecutions.
In that regard, many public statements have been made by Bermuda’s Privacy Commissioner that have expressed his office’s immediate and pragmatic priority of focusing on promoting compliance awareness and preparedness, all in the wise and constructive recognition that it will take time for all organisations to become operationally comfortable with, to adjust to, and to also improve their compliance regimes even after Pipa’s go-live date.
For many regulated sectors in Bermuda, Pipa constitutes another genre of necessary governance oversight in the midst of converging corporate director duties that are related to IT security, data protection, and operational cyber-risk management – all of which requires corporate director vigilance.
• Duncan Card is a partner at Appleby who specialises in IT and outsourcing contracts, privacy law and cybersecurity compliance in Bermuda. He is on the executive board of the Institute of Directors (Bermuda). A copy of this column can be obtained on the Appleby website at www.applebyglobal.com. This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult with a lawyer.