Experienced a Data Breach? Here's What You Can Do Next.

Posted  March 03, 2020  by  Jenny Green

With reports of data breaches becoming as common as once every other month, it seems that these days the occurrence of a data breach is not a matter of if, but more a matter of when.
Data protection in Singapore is mostly overseen by the Personal Data Protection Committee (PDPC), although the EU’s GDPR is another set of legislation that has applicable to Singapore.

Prevention has always been better than cure, but what should businesses do in the unfortunate event that a cure needs to be administered?

The PDPC has published a guide1, which recommends the following steps to be taken in the event of an actual breach:

Containing the breach

As soon as an organisation is aware of a breach, it should quickly conduct an initial assessment on the breach, including identifying the following:
  • Cause of the breach and whether it is ongoing
  • Individuals affected
  • Type(s) of data involved
  • Systems or services affected
  • Whether additional help e.g. from the Police or SingCERT are required to contain the breach.
The organisation should also contain the breach immediately by restricting access and stop further disclosure of personal data.

Assessing the scope of the breach

Organisations should assess the following:
  • The type of compromised data (e.g. names, NRICs, passwords, financial/health records)
  • How significant (sensitive) the data is
  • The circumstances of the breach.
Following these steps can be useful in assisting the affected organisation to assess the degree of impact or harm the data breach can cause the affected individuals, and in turn formulate an appropriate response.

Reporting the breach

Organisations are required to notify the PDPC within 72 hours upon establishing that the breach has significant potential for harm or impact. The PDPC also needs to be notified if the data of 500 or more individuals is involved.
Their communication should detail the facts of the breach, and the next course of action for them. Some examples include resetting passwords, adding two-factor authentication procedures, and providing a point of contact within the organisation.

Evaluating the company’s response to the breach and what could have been done to prevent it 

At this stage, the organisation should implement and/or continue remedial actions, as well as measure the effectiveness of data breach response processes. 
The organisation also needs to identify and work on areas of weaknesses that allowed the breach to occur in the first place.

Key Takeaways to Boost Data Protection

Data breaches in the past year have mostly been the result of cyberattacks. However, these cases, such as Learnholic’s data breach, were often preceded by a human-error nature to them that allowed for these attacks to succeed in the first place2.
In the same news report, a travel agency was also fined by the PDPC for misplacing an unencrypted portable hard disk containing the personal data of customers, employees, and suppliers.2 This further cements the importance of having a holistic data security plan that encompasses both cyber security and physical media.
Aside from having proper access control and safe practices, organisations can also better protect their organisation's data by engaging in third-party data destruction providers like Shred-it, adopting a Clean Desk Policy, a Shred-it All Policy, and ensuring that the organisation has appointed a Data Protection Officer.
Find out whether your organisation is at risk of a data breach by taking Shred-it’s Data Security Plan & Security Risk Assessment here, or get in touch with us.
This article is provided for your convenience and does not constitute legal advice. Readers should not take, or refrain from taking, actions based upon the content of this article. Prior results do not guarantee similar outcomes. Please seek professional legal advice.

1Personal Data Protection Committee. (2019). GUIDE TO MANAGING DATA BREACHES 2.0. [Online] Available at: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Breaches-2-0.pdf [Accessed 6 Jan 2020]
The Straits Times. (2019). Software company that works with schools here fined $60,000 after hackers stole data of nearly 48,000 people. [Online] Available at: https://www.straitstimes.com/singapore/software-company-that-works-with-schools-here-fined-60000-after-hackers-stole-data-of-more [Accessed 6 Jan 2020]

Request a Quote and Start Protecting Your Business Today!

Fill out the form or call 6787 7777 to start protecting your business today! 

Select Service

Company info

Your info

Additional Info