Lessons to be learnt in Victoria Mutual data breach

Tuesday, February 18, 2020

On February 14, 2020 there was a press release from Victoria Mutual Wealth Management saying: “Personal information of more than 5,000 clients was inadvertently sent out in an e-mail attachment to about 200 people on Thursday night. The e-mail detailed the names, addresses, telephone numbers, taxpayer registration numbers, investment account number, and e-mail addresses of the company's clients. Chief executive officer of Victoria Mutual Group of Companies Courtney Campbell says the breach was caused by human error and he does not believe the information released can be used to commit identity theft.”

This was after social media got wind of the breach and began to create a firestorm online.

International trends tell us that this has happened before to other companies, and such incidents will become more frequent unless dramatic changes in culture and business practice are adopted. In addition to the reputational damage, Victoria Mutual Wealth Management is now also exposed to criminal sanctions: even in the absence of a Data Protection Act, financial institutions still have statutory and regulatory duties to protect the confidentiality of customer data and not to divulge any information relating to a customer's account.

According to the latest figures from the Information Commissioner's Office (ICO), UK organisations reported 1,357 data breaches in 2019 that were caused by people e-mailing the wrong recipients. Almost half (43 per cent) of all data breaches reported to the ICO in the first half of 2019 were the result of incorrect disclosure.

As far back as 2011, under the old UK Data Protection Act, Surrey County Council in the UK was served with a civil monetary penalty of £120,000 after three data breaches that involved misdirected e-mail:

• A member of staff e-mailed a file containing the sensitive personal data of 241 individuals to the wrong e-mail address. As the file was neither encrypted nor password-protected, every recipient of the e-mail could access the data. Subsequently, the council was unable to confirm whether the recipients had destroyed the data or not;

• Personal data was e-mailed to over 100 recipients on the council's newsletter mailing list; and

• The children's services department sent sensitive personal data to an incorrect internal group address.

North Somerset Council was served with a civil monetary penalty of £60,000 after five e-mails, two of which contained details of a child's serious case review, were sent to the wrong National Health Service (NHS) employee.

A council employee selected the wrong e-mail address during the creation of a personal distribution list. The data itself had not been encrypted, and thus it was viewed by the unintended recipient.

The Jamaican Parliament, as part of one of the processing standards, amended the initial draft of the data protection Bill to include, among its technical and organisational measures, the requirement to employ encryption and pseudonymisation in keeping with the General Data Protection Regulation. If either the e-mail or its attachment had been encrypted, there would have been no damage done to the privacy rights of the company's customers.

The Information Commissioner's Office, as part of their education and awareness initiatives, in one of the documents they prepared stated that encrypted e-mail can provide the capability to encrypt the body and attachments of e-mails.

The sending and receiving of encrypted e-mail requires the use of compatible e-mail client software and requires configuration in advance.

A wide range of free and proprietary products are available for desktop, laptop, and mobile operating systems.

Encrypted e-mail uses asymmetric encryption and requires a user to generate a key pair before they will be able to send an encrypted e-mail.

Users will also have to exchange public keys before an encrypted e-mail can be sent between them.

There are several technical and administrative issues that one will face if this solution is employed.

Each business will be required to consider the risks and investment required, and whether there are alternative solutions for encrypted transfer of data to be considered.

Information can also be sent by e-mail as an encrypted attachment.

The file is encrypted using software on the sender's device and added as an attachment to a standard e-mail.

Commonly the key is derived from a shorter, more memorable password which can be transferred to the recipient; however, the password must be sufficiently long and complex to prevent compromise.
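The encrypted-attachment approach described above, as an added illustration (example code written for this page, not from the article or any vendor): the sender's password is stretched into an AES key with PBKDF2, the file is sealed with AES-256-GCM so that a wrong password or a tampered file is rejected rather than decrypted to garbage, and passwords below an assumed minimum length are refused. The 14-character minimum, the 600,000-iteration work factor and the blob layout are assumptions of this example.

```ruby
require "openssl"
require "securerandom"

MIN_PASSWORD_LEN = 14 # assumed policy: refuse anything shorter before deriving a key
ITERATIONS = 600_000  # PBKDF2 work factor; slows down guessing of the password
SALT_LEN, IV_LEN, TAG_LEN = 16, 12, 16

# Stretch the memorable password into a 256-bit AES key (PBKDF2-HMAC-SHA256).
# The random salt means two files sealed with the same password get different keys.
def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
end

# Seal an attachment with AES-256-GCM. Output: salt(16) || iv(12) || tag(16) || ciphertext.
def encrypt_attachment(password, plaintext)
  if password.length < MIN_PASSWORD_LEN
    raise ArgumentError, "password too short (#{password.length} < #{MIN_PASSWORD_LEN})"
  end
  salt = SecureRandom.random_bytes(SALT_LEN)
  iv   = SecureRandom.random_bytes(IV_LEN) # never reuse an IV with the same key
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(password, salt)
  cipher.iv  = iv
  ciphertext = cipher.update(plaintext) + cipher.final
  salt + iv + cipher.auth_tag + ciphertext
end

# Open a sealed attachment. A wrong password or any modification of the blob
# fails the GCM tag check and raises OpenSSL::Cipher::CipherError instead of
# returning garbage.
def decrypt_attachment(password, blob)
  raise ArgumentError, "blob too short" if blob.bytesize < SALT_LEN + IV_LEN + TAG_LEN
  salt = blob.byteslice(0, SALT_LEN)
  iv   = blob.byteslice(SALT_LEN, IV_LEN)
  tag  = blob.byteslice(SALT_LEN + IV_LEN, TAG_LEN)
  ciphertext = blob.byteslice(SALT_LEN + IV_LEN + TAG_LEN, blob.bytesize)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(password, salt)
  cipher.iv  = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
end

# Constructed sample record of the kind the breach exposed (not real data).
RECORD = "name,address,phone,trn,account\nJ. Doe,1 Example Rd,876-555-0100,000000000,ACC-0001\n"
```

The sealed blob is what would be attached to the ordinary e-mail; the password travels separately, and a misdirected copy is useless to anyone who does not have it.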

Lessons to be learnt: The Jamaican populace cares about keeping its personal data private.

The threat of data breaches and the damage that can follow affects all companies that now process personal data even in the absence of any specific legislation.

As it relates to financial institutions, there is already legislation in place that makes financial institutions fiduciaries of customers' financial data.

There are solutions available free of cost to prevent damage to customers as a result of a data breach that could arise from a misdirected e-mail.

Our Parliament demonstrated collective wisdom when they made it mandatory that encryption be adopted as part of the technical and organisational measures.

Victoria Mutual Wealth Management and all those who have eyes to see and ears to hear should move in earnest to secure their customers' personal data, as trust is now the currency of business in the digital age.

Chukwuemeka Cameron, LLM, is an attorney, trained data protection officer, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Observer or ccameron@designprivacy.io.
