VM Wealth at risk of civil suit over data breach, says lawyer
A leading data-protection legal expert has warned financial institutions to encrypt customer information to safeguard against privacy breaches like last week’s leaking of 5,000 client records at VM Wealth.
Chief executive officer of the investment house, Rez Burchenson, told The Gleaner yesterday that its human resource department had already commenced an “appropriate investigation” into the dispatch of the email attachment by a staff member, reportedly in error, to under 200 people.
VM Wealth said that none of the information disclosed was of a financial nature.
The Gleaner has seen an email sent from an adviser to a VM Wealth client containing tax registration numbers, addresses, contact numbers, and Jamaica Central Securities Depository numbers of thousands of other clients.
Pressed on whether VM Wealth could be liable to legal action for the data breach, Burchenson was evasive, reiterating that the information was shared inadvertently through human error and asserting that customers’ financial data were not disclosed.
He suggested, however, that the scope of customer vulnerability was “limited”.
“There would be limited circumstances in which such data may be misused. The attributes of the personal data disclosed were limited,” Burchenson said.
However, Chukwuemeka Cameron, an attorney and trained data-protection officer and the founder of a consulting firm that specialises in privacy laws, argues that the absence of data-protection legislation in Jamaica does not absolve VM Wealth of liability.
“In addition to the reputational damage, VMWM is now also exposed to criminal sanctions, as even in the absence of a Data Protection Act, financial institutions still have statutory and regulatory duties to protect the confidentiality of customer data and not divulge any information relevant to a customer’s account,” Cameron said in a letter to The Gleaner on Saturday.
The attorney charges that VM Wealth was found wanting for failing to take note of the Jamaican Parliament’s amendment to the initial draft of the Data Protection Bill “to employ encryption and pseudonymisation”.
“If either the email or the attachment in the email was encrypted, there would have been no damage done to the privacy rights of their customers,” he added.
While refraining from comment on the specific VM Wealth data breach, Andrea Martin-Swaby, deputy director of public prosecutions and head of the Cybercrime Unit, said there was no legislation governing cybersecurity in Jamaica beyond cybercrime laws dealing with hacking.
However, Martin-Swaby believes that the absence of a legislative framework on data privacy may not insulate Jamaican firms from blame and penalty.
“By virtue of the contractual arrangement between parties, there may be a duty of care to manage the data carefully and there could be civil liability which arises for breach of this duty of care.
“Therefore, businesses and corporations must carefully assess their security mechanisms to safeguard the business processes against cyberattacks. Where such data is managed, there is the possibility of a court finding that the data controller is liable for any damage caused by the mismanagement of data,” the deputy DPP told The Gleaner.
The Data Protection Bill is currently before a joint select committee of Parliament.
VM Wealth said yesterday that it has put immediate steps in place “including significantly fortifying” its internal processes to prevent “something like this happening again”.
“In addition, we have enhanced our comprehensive Information Security Awareness Training Programme, which will raise the awareness level of our team members about matters of information and cybersecurity,” Burchenson said.