Outcomes - Selected Case Summaries



Overseas fund administrator suffers ransomware attack

Informal Resolution | 16 September 2021

An overseas fund administrator, who is also the data processor for over one hundred Cayman Islands-based funds, suffered a data breach after one of its third-party vendors was the target of a ransomware attack. The attack resulted in simple personal data ultimately belonging to the Cayman Funds being made public by the malicious actors.

All of the data controllers had data processing agreements in place with the data processor in compliance with the seventh data protection principle. However, the data processing agreements were lacking additional provisions that contemplated data breach reporting and personal data processing matters. We recommended that the data controllers implement appropriate mechanisms to ensure all obligations in regard to data breach notification under the DPA are observed in the future. We also recommended that the data controllers consider introducing assurance mechanisms, such as the auditing of processors' data processing activities, in order to ensure personal data is processed securely.

We considered the likelihood of the affected data subjects’ rights and freedoms being adversely impacted as low.