Data Protection Commissioner Lisa Greaves.
BRIDGETOWN, Barbados - Organisations remain dangerously unprepared to communicate data breaches to the public, raising the risk of reputational crises and increased consumer distrust, the Data Protection Commissioner, Lisa Greaves, warned on Tuesday.
Public and private sector bodies must become far more transparent and proactive when handling cyber security breaches, she said at a workshop, Human-Driven AI: Powering Communication Excellence, hosted by the International Association of Business Communicators (IABC) Barbados Chapter at Courtyard by Marriott.
Despite a growing number of data breaches, response strategies remain weak and inconsistent, according to the data chief.
She said: “In Barbados, thus far in this area, the transparency’s been a little lacking… the transparency in letting customers and clients know what has happened in the face of a breach and communicating that effectively.”
Cyber breaches can occur even through trusted third-party vendors, Greaves noted, citing the 2012 data breach of the Target retail chain in the United States.
She said: “Target had a breach from the person who they got their heating, ventilation and [air conditioning] from, so the breach came through that vendor and took down Target. Their communication of that breach was godawful, and it caused loads of problems for Target because you’re managing reputational risk.”
Greaves warned that the same reputational consequences apply to government agencies, several of which have suffered cyber incidents in recent years.
“Somebody said to me, so really what’s the risk to government? It’s still reputational risk,” she noted. “Ask yourself… we’ve had three, four, and then we have six, seven… what starts to happen other than people going on Brass Tacks? People start asking, ‘what’s going on?’ and then decisions are made.”
Greaves underscored the importance of training employees to recognise and handle security incidents and urged organisations to learn from past failures. She cited the City of Bridgetown Credit Union breach in 2023, and others in recent months, as a turning point in public awareness.
Under the Data Protection Act, breaches must be reported to the commissioner within 72 hours of discovery. Greaves stressed that organisations should have clear, pre-planned communication strategies in place, long before a breach occurs.
In addition to the City of Bridgetown Credit Union (COB), the Barbados Revenue Authority, Barbados Statistical Service, Queen Elizabeth Hospital and other institutions have had similar cyber incidents.
“It has to be a well-thought-out plan, and you make this decision before the breach,” said Greaves. “Your communications specialists should be part of that plan because they are the effective part,” she suggested, warning that the absence of clear messaging often leaves room for speculation and misinformation online.
“Customers are reading all kinds of things on social media… people who are harbingers of chaos are hyping everybody. You need your communications expert to effectively communicate what is going on, to dispel rumours and make people feel that something is being done.”
Greaves stressed that public and private sector entities must understand the immense value of data, and the need to safeguard it accordingly by making necessary investments in infrastructure.
“Data makes people billions of dollars a day,” she said. “That’s the kind of security that has to be around data, because data is that powerful.”





