
The Privacy Advisor | Singapore PDPC Advises on Breach Aftermaths


The privacy regulator in Singapore has recently published a practical how-to guide for organizations managing data breaches. The guide sets out steps that organizations may choose to follow when personal data has been compromised. While the guide is not legally binding, it does identify the regulator's expectations about who should be notified when a data breach occurs and how an organization's handling of a breach might affect any enforcement proceedings that arise from it.

Overview of the Guide

Singapore's privacy law, the Personal Data Protection Act (PDPA), has only been in force since July 2014. Accordingly, the privacy landscape is still relatively new, with the focus of both the regulator and organizations in Singapore squarely on understanding and implementing the requirements of the law and, save for a few cases relating to the country's new Do-Not-Call Registry, not on enforcement. However, as the PDPA becomes a more established law, investigations of contraventions of the PDPA are inevitable. The release of the guide is therefore timely, as it provides helpful insight into the expectations of the regulator, the Personal Data Protection Commission (PDPC), as to how organizations should respond to and manage data breaches.

In summary, the guide suggests that each organization’s data breach management and response plan should include the following sets of activities, using the acronym CARE:

  • Containing the data breach
  • Assessing risks and impact
  • Reporting the incident
  • Evaluating the response and recovery to prevent future breaches

Containing the Data Breach

The guide recommends that an organization take certain key actions as soon as it becomes aware of a data breach so that the breach is contained quickly. Suggested steps include:

  • Shutting down the compromised system that led to the data breach;
  • Isolating the causes of the data breach in the compromised system, changing access rights and removing connections to the system;
  • Establishing whether steps can be taken to recover lost data to limit the damage caused by the breach, and
  • Notifying the police if criminal activity is suspected, e.g., hacking or data theft by an employee, and preserving evidence for investigation. Note that powering off a system discards volatile evidence such as memory contents and live network connections, so the decision to shut down a system (the first step above) should be weighed against the need to preserve evidence.

The guide suggests that whether an organization has an adequate recovery procedure in place will be a factor in the PDPC's assessment of whether that organization has contravened its obligations under Singapore's privacy law.

Assessing Risks and Impact

The guide recommends that an organization assess the risk and impact of the data breach on the affected individuals and on the organization itself, so that it can determine whether there could be serious consequences and what particular steps are necessary to address them.

When assessing the risks and impact on the affected individuals, organizations should consider the number of people affected, the types of personal data involved (this will help to ascertain if there is a risk to reputation, identity theft, financial loss, etc.) and the class of persons affected (different people will face varying levels of risk as a result of a loss of personal data).

As for the risk and impact assessment on the organization itself, the guide recommends that organizations consider what caused the breach; whether the breach is a recurring incident (this will help to determine whether it is malicious or accidental); who might gain access to the compromised data and how that data may be used, and whether the compromised data will affect transactions with any third parties (this will help the organization determine whether other organizations need to be notified).

Reporting the Incident

The guide generally recommends that it is good practice to notify individuals affected by a data breach. Key guidelines on the who, when, how and what of data breach notifications include the following:

  • There are several stakeholders an organization may need to notify in the event of a data breach, namely: the affected individuals, including the parents or guardians of young children; other third parties where relevant, e.g., banks, credit card companies, the police or regulators, and the PDPC.
  • The affected individuals should be notified immediately if the data breach involves sensitive personal data. The PDPC should be notified as soon as possible if the breach might cause public concern or harm to a group of affected individuals.
  • Organizations should take into account the urgency of the situation and the number of individuals affected when deciding how to notify them of the breach, e.g., social media, e-mails, telephone calls, letters.
  • Notifications should be simple to understand and should state the details of the data breach, including how and when the data breach occurred, the types of personal data involved and what the organization has done or will be doing in response to the risks arising from the breach.
  • The guide also provides guidance on how an organization can notify the PDPC of the data breach, setting out the specific types of information that the PDPC expects to receive.

The guide suggests that any notifications made by an organization (or the lack of them) will have an impact on future findings of the PDPC. This effectively means that, while the PDPA currently imposes no mandatory breach notification obligation, notification is strongly encouraged by the PDPC.

Evaluating the Response and Recovery To Prevent Future Breaches

After the breach has been resolved, organizations should conduct a post-action review of the cause of the breach and evaluate whether existing protection and prevention measures are sufficient to prevent similar breaches from occurring. This evaluation can focus on the following key areas:

  • Operational and policy-related issues: Whether audits were regularly conducted on both physical and IT-related security measures; whether support services from external parties should be enhanced; whether the responsibilities of vendors and partners in relation to the handling of personal data are clearly defined, and whether there are weaknesses in existing security measures;
  • Resource-related issues: Whether there were enough resources to manage the data breach and whether key personnel were given sufficient resources to manage the incident;
  • Employee-related issues: Whether employees were aware of security-related issues and whether training was provided on personal data protection matters and incident management skills, and
  • Management-related issues: How management was involved in managing the data breach effectively and whether there was a clear line of responsibility and communication during the management of the data breach.

A full copy of the guide can be accessed here.
