With reports of data breaches appearing as often as every other month, it seems that these days a data breach is not a matter of if, but a matter of when.
Data protection in Singapore is mostly overseen by the Personal Data Protection Committee (PDPC), although the EU's GDPR is another set of legislation that is applicable to Singapore.
Prevention has always been better than cure, but what should businesses do in the unfortunate event that a cure needs to be administered?
The PDPC has published a guide [1], which recommends the following steps to be taken in the event of an actual breach:
Containing the breach
As soon as an organisation is aware of a breach, it should quickly conduct an initial assessment of the breach, including identifying the following:
- Cause of the breach and whether it is ongoing
- Individuals affected
- Type(s) of data involved
- Systems or services affected
- Whether additional help, e.g. from the Police or SingCERT, is required to contain the breach.
The organisation should also contain the breach immediately by restricting access and stopping further disclosure of personal data.
Assessing the scope of the breach
Organisations should assess the following:
- The type of compromised data (e.g. names, NRICs, passwords, financial/health records)
- How significant (sensitive) the data is
- The circumstances of the breach.
Following these steps helps the affected organisation assess the degree of impact or harm the data breach can cause to the affected individuals and, in turn, formulate an appropriate response.
Reporting the breach
Organisations are required to notify the PDPC within 72 hours of establishing that the breach has significant potential for harm or impact. The PDPC also needs to be notified if the data of 500 or more individuals
The organisation's communication to affected individuals should detail the facts of the breach and the next course of action for those individuals. Some examples include resetting passwords, adding two-factor authentication procedures, and providing a point of contact within the organisation.
Evaluating the company’s response to the breach and what could have been done to prevent it
At this stage, the organisation should implement and/or continue remedial actions, as well as measure the effectiveness of data breach response processes.
The organisation also needs to identify and work on areas of weaknesses that allowed the breach to occur in the first place.
Key Takeaways to Boost Data Protection
Data breaches in the past year have mostly been the result of cyberattacks. However, these cases, such as Learnholic's data breach, often had a human-error element that allowed the attacks to succeed in the first place [2].
In the same news report, a travel agency was also fined by the PDPC for misplacing an unencrypted portable hard disk containing the personal data of customers, employees, and suppliers [2].
This further cements the importance of having a holistic data security plan that encompasses both cyber security and physical media.
Aside from having proper access control and safe practices, organisations can also better protect their data by engaging third-party data destruction providers like Shred-it, adopting a Clean Desk Policy and a Shred-it All Policy, and ensuring that the organisation has appointed a Data Protection Officer.
Find out whether your organisation is at risk of a data breach by taking Shred-it's Data Security Plan & Security Risk Assessment, or get in touch with us.
This article is provided for your convenience and does not constitute legal advice. Readers should not take, or refrain from taking, actions based upon the content of this article. Prior results do not guarantee similar outcomes. Please seek professional legal advice.
[1] Personal Data Protection Committee. (2019). Guide to Managing Data Breaches 2.0. [Online] Available at: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Breaches-2-0.pdf [Accessed 6 Jan 2020]
[2] The Straits Times. (2019). Software company that works with schools here fined $60,000 after hackers stole data of nearly 48,000 people. [Online] Available at: https://www.straitstimes.com/singapore/software-company-that-works-with-schools-here-fined-60000-after-hackers-stole-data-of-more [Accessed 6 Jan 2020]