GEORGE TOWN, Cayman Islands — According to a joint statement released by the Cayman Islands Law Society and the Caymanian Bar Association regarding illegal data hacks, the Cayman Islands has modern, internationally accepted legislation providing for computer misuse offences and data protection.
Such legislation is modelled on UK and/or EU legislation to protect against such illegal acts, and to ensure that appropriate criminal, civil and regulatory remedies are available to counter them.
For many years the Cayman Islands has had robust legislative measures to enable the police to investigate, and the authorities to prosecute, computer hackers and others who seek unauthorised access to other people’s computer systems, the statement said.
The Computer Misuse Law (2015 Revision) (CML) is modelled on the UK’s Computer Misuse Act and creates a number of computer-hacking and related offences. The provisions of the CML are extra-territorial, such that a person who commits an offence from outside of the Cayman Islands in respect of computer systems in the Cayman Islands may be prosecuted there.
The Data Protection Law, 2017 (DPL) has been enacted and will come into force in January 2019, after EU’s General Data Protection Regulation (GDPR) comes into EU law. The DPL has drawn from various EU jurisdictions’ legislation, as well as the GDPR, to conform to the data protection standards set by the EU.
It will be an offence under the DPL to obtain or disclose personal data without the consent of the party controlling the data, and it will be separate offence to offer to sell data obtained illegally.
An offence under the CML or the DPL could also form a predicate offence under the Proceeds of Crime Law (2017 Revision) (POCL) where proceeds (e.g. fees for selling stolen information) derived from the criminal conduct. Third party acquirers of the information could also be subject to inchoate offences under POCL; e.g. aiding, abetting or conspiring with another to commit the offence.
Additionally, victims who have been subject to unauthorised access to their computer systems and misuse of information obtained are also able to bring civil actions in the Cayman Islands, including for breach of confidence. Victims may also obtain injunctions to restrain further unauthorised disclosures and seek appropriate damages.
The statement follows the leak of 6.8 million confidential records – now dubbed the “Paradise Papers” – from the global offshore law firm Appleby, involving the financial information of tens of thousands of people and businesses.
Appleby, which was founded in Bermuda, is one of the most prestigious offshore law firms, now with offices around the world, including the Isle of Man, the Cayman Islands, the British Virgin Islands, Bermuda, Hong Kong and London.
The leaked documents also revealed that, between 2005 and 2015, more than a dozen internal and regulatory examinations of Appleby found flaws that could have involved the firm in litigation and had financial and reputation implications.
After a 2005 review by a regulatory agency, the Bermuda Monetary Authority, Appleby’s trust company was ordered to improve 21 deficiencies in its performance and to obtain fresh, accurate records of its clients’ passports, addresses and sources of wealth.
The next year, an internal audit at the British Virgin Islands office looked at 45 client files and found that only one of them met Appleby’s standards. Of the five Appleby offices reviewed around that time, only the Hong Kong office kept its documents “in good order.”
An internal audit of the Cayman Islands’ trust office in 2008 found the risk of breaking laws and Appleby’s own protocols to be “high” in more than half of all the categories under review. The audit report noted a risk of fraudulent activities and said Appleby “may not be complying” with the law.
A 2012 review by regulators in the British Virgin Islands found holes in Appleby’s procedures for dealing with high-risk politicians and associates.
When the Bermuda Monetary Authority audited an Appleby subsidiary in October 2014, it found “key or highly significant” weaknesses in nine areas. Nearly half – 46 percent – of the files reviewed by the agency lacked information on the origin of the money Appleby managed for its clients. There was “no evidence” that Appleby identified risks of money laundering and terrorism financing, the agency said, and the firm had not adopted the recommendations from previous audits.
Jude Scott, the CEO of Cayman Finance, the private sector organisation established to promote the financial services industry in the Cayman Islands, later described such reports as “sensational”.