Warning that liability will rest at the feet of companies under the Data Protection Act, Information commissioner Celia Barclay has intensified calls for businesses to take added steps in ensuring greater protection of customer data.

Speaking at the just concluded Anti-Money Laundering/ Counter Financing of Terrorism conference hosted by the Jamaica Institute of financial services (JIFS) and the Jamaica Bankers Association (JBA), the commissioner implored companies to get serious about how they protect client data, especially in the wake of rising data breaches now seen across various organisations.

Following the passing of the Act in 2020, it has become incumbent on businesses to carefully examine how well they handle the personal data of customers and how they respond during times of breach. Barclay stressed that under the legislation, every entity or individual that collect, process, store, transfer or even analyse information on data subjects, the act will hold them responsible.

“The important thing that financial institutions and every data controllers under the Act needs to realise, is that the responsibility is belongs to them. While many companies outsource to data processors or even assign data officers, at the end of the day if there is a breach you can’t blame these persons. What the Act says is that you as the controller, institution or individual can be held responsible.

“Your data protection officer is there to help you or advise you about the best ways to protect your data, but that’s the full extent of their responsibility—to aid, assist and guide you but they will not assume your liability,” she told participants during her key note address at the start of the conference last Tuesday.

“The legislation is called the Data protection Act for a reason, we did not pass the Data Security Act and we could have, but it’s not just about how well you secure the information that you have. Data protection is where security meets privacy and then proceeds to intermingle with governance. So on the one hand you need a secure system, and it’s great if you have the safest servers in the world— but since no security system or programme is perfect, we also have to look at privacy and this is where the Act comes in,” she added.

Barclay said that that following a two year implementation timeframe, companies which have not yet become compliant under the legislation will now have until November 2023 to do so or thereafter run the risk of facing serious penalties.

Amid growing threats from cyber and other malware attacks, including a number of phishing, smishing and vishing schemes, companies are being urged to take on a new form of self-defense as they engage better practices to protect the personal data of clients archived to their systems.

“We are now called upon to protect our personal data, that of family and friends both offline and online as there is now a push for you and me to become super heroes to save ourselves and others from predators,” Barclay said.

A recent attack on Massy Distribution, one of the country’s largest supplier of consumer and pharmaceutical goods again exposed the vulnerabilities of systems, especially now when hackers hunt new ways of hijacking company data with the intention of using it as ransomware. Through these types of attacks, hackers often threaten to publish the victim’s personal data or permanently block access to it unless a ransom is paid.

While Massy indicated that the incident has since been resolved, investigations are still ongoing to determine whether any customer data was impacted.

Prior to the Massy incident, several other cases were uncovered across some financial institutions, e-commerce and other online platforms.

JBA president Septimus ‘Bob’ Blake addressing the conference said that through the conference the financial sector in seeking to partner with overseas stakeholders is aiming to develop sound and institutional strategies geared towards combating breaches especially those around money laundering.

“We are cognisant that our sustained existence and viability will be dependent on how we keep pace with everything happening to us and around us. The JBA and JIFS do hope that through participation in this conference, our perception will lead to improvement in compliance and anti-money laundering regulations right across the sector and also contribute to our mission of maintaining a safe and secure and vibrant industry,” he said.