Singapore Prepares for Mandatory Breach Reporting
PDPC Issues Guidelines for How to Get Ready
Singapore's Personal Data Protection Commission is seeking feedback on the government's plan to amend the Personal Data Protection Act to create a tough breach notification mandate. The PDPC is accepting comments through July 3.
In the meantime, the PDPC has issued data breach management guidelines to help organizations prepare for the new requirements.
The Parliament is expected to vote soon on the proposed amendment, which would make it mandatory for organizations to report certain personal data breaches.
Under the amendment, organizations would be required to "notify the commission and affected individuals when a significant data breach occurs," he explains. "Organizations failing to do so face stiffer enforcement action if later found to have breached the data protection law."
The draft of the amendment says organizations should notify the PDPC and/or affected individuals of a breach that is likely to result in significant harm or impact to individuals to whom the information relates, or of a significant scale (i.e., a breach involving personal data of 500 or more individuals).
Organizations would have to notify the PDPC of a breach no later than 72 hours from the time of an assessment.
"Organizations must carry out their breach assessment expeditiously within 30 days from when they first become aware of a potential breach," the PDPC said.
Singapore-based Tom Wills, advisory board member at Evrensel Capital Partners, notes: "Depending on the nature of the breach, detecting it could take weeks or months, or it might never be detected at all. There have been cases where malware was sitting on a network for over a year before detection, a big challenge."
The PDPC's interim guidelines for managing data breaches outline four essential steps:
- Contain the data breach;
- Assess the impact and implement remediation plans;
- Report the breach to the commission and notify affected individuals;
- Evaluate the response and consider actions to prevent other breaches.
"The above encapsulated steps help organizations prepare for a breach notification regime, and we will work with the industry and can co-create a system that's practical to operate and effective in protecting our consumers' personal data," Kin says.
Singapore-based Ken Soh, CIO and director of e-strategies at BH Global, a supply chain management and design firm, says most organizations are ill-prepared to issue breach notifications because they focus first on detection - which can prove challenging in light of advanced threats.
Assessing Data Breaches
The guidelines say organizations should conduct an in-depth assessment of potential breaches by:
- Setting the context of the breach, considering the types of personal data involved, individuals whose personal data is compromised and whether any personal data was publicly available before the breach;
- Identifying individuals from the compromised dataset of customer records containing all credentials;
- Establishing circumstances of the breach, including whether data was illegally accessed and stolen by those with malicious intent, which is more likely to result in significant harm to affected individuals than situations where data was wrongly sent to recipients.
"It's important to understand that a data breach can be said to have occurred any time that confidential data is exposed to unauthorized parties, either deliberately or accidentally," Wills says. "An example of 'deliberately' is when the system holding the confidential data is hacked. An example of 'accidentally' is when a network admin leaves a thumb drive containing such data in a taxi."
Kin of the PDPC adds: "For companies detecting a breach early and demonstrating that they can respond to this quickly with established processes, what they need most is time to implement their remediation plan." Companies must be able to submit a plan that demonstrates they are "ready to implement it and resolve the breach which will make them more accountable," he says.
Reporting & Responding to Breaches
To prepare for the pending mandatory breach reporting requirement, it's important for organizations to document their breach response mechanisms, security experts say.
Soh also suggests organizations conduct simulated phishing campaigns as an important breach prevention step.
The PDPC says appointing a qualified data breach incident response team is critical, along with a plan for engaging external resources when necessary. "Involving the senior management is important," Kin says.
Kin adds: "For contrite organizations, willing to admit to the PDPC that they have been breached, we are introducing a process to help them expedite the process of breach investigation."