Barbados has come in for high praise from cybersecurity experts for putting data protection legislation in place along with a Data Commissioner as authorities continue to place emphasis on digitalisation of the economy.
But the experts have indicated that the country should expect several challenges, from ransomware attacks to data privacy issues.
Kerry-Ann Barrett, Cyber Security Specialist at the Organisation of American States (OAS), cautioned that while governments are now being forced to digitise their processes, the businesses offering cyber services to governments now have to think about how best to utilise data for the maximum benefit of society while ensuring confidentiality and integrity.
Of the 35 countries in the Americas, 24 of them have data protection legislation in place, four have legislation in draft and seven have no such laws.
The experts were participating in the InSecure Barbados 2021 online forum on Thursday, which formed part of national cybersecurity awareness month.
“Barbados is actually one of the leading ones in terms of addressing this aggressively, because Jamaica and Barbados in December last year started to say ‘we need a data commissioner’. I think it is significant for us to recognise that Barbados takes this seriously,” said Barrett.
“You have countries like Trinidad and Tobago that had theirs in 2011. You have Bermuda [and] Cayman Islands who actually began to do this as well. So data privacy is not just a local regulatory concept. It is something that is actually taking over the region based on that global impact that is happening.”
The online forum was hosted by the Barbados ICT Professionals Association (BIPA) in collaboration with the Information Systems Security Association (ISSA) Barbados Chapter.
As countries roll out their data protection laws, they should stay on top of the challenges, Barrett suggested, explaining that regulators across the globe had the difficult task of finding that balance between access to data and privacy.
“We also have cross-border transfers because of all the global relationships we have,” she said. “Now there is a natural intersection that is happening with cybercrime where because of all of those data flows, we now have to think about safeguarding data, safeguarding our interest and then law enforcement officers are also faced with how do you balance public good and public safety and the need for persons to have privacy and their data protected.”
She said countries including Barbados were also faced with the challenge of figuring out how best to make the rollout of a digital infrastructure benefit the nation while ensuring the country was a major player globally and that the data was being managed “properly”.
The cybersecurity specialist cautioned that as Barbados embarked on the full rollout of its digitalisation “it is important to start recognising that the legislation itself is not a one-stop-shop”, as she indicated the importance of good governance, adequate controls and clear communication as critical to the process of protecting people’s information.
“Even when you put this [legislation] in place, it does not guarantee compliance, it does not guarantee that you will be able to protect data completely, but it is a good start,” said Barrett.
Attorney-at-law Bartlett Morgan also praised Barbados for its efforts in ensuring that data protection laws were in place.
The Barbados Data Protection Act, which carries some hefty fines for breaches reaching up to $100,000, was passed by lawmakers in 2019 but was only proclaimed in the first quarter of this year.
Morgan told the online forum: “I think it is fairly apparent that Barbados has been doing quite a bit of work in the last few years to more or less put a kind of firm regulatory framework in place. I think kudos for the government for having finally pushed things forward.”
Morgan warned companies and individuals to take the issue of data protection seriously.
“I think it is going to require a more sobering kind of reflection for persons, certainly within the business community, about how you treat to issues around the security of personal data and quite frankly, just the general cybersecurity posture,” he said.
“It is going to be important in the event of a breach to think really clearly about the size, the scope, the severity of the breach and what that means for reporting the breach, because not all breaches are necessarily reportable.”
Adding that it was “not technically illegal” for a company to make a ransomware payment to regain control of data that have been taken over by individuals, Morgan cautioned: “When you do find yourself in a ransomware situation it might not just be a case anymore of simply saying ‘let’s just pay it and get it over with’, you may still need to do some amount of meaningful due diligence in that kind of situation to cover off some of the potential legal risks that may arise.”
The experts agreed that a common framework of data protection laws in CARICOM could prove to be beneficial, but said this would require the political will of each government to want it. There currently exist model policy guidelines for privacy and data protection in CARICOM.