Singapore Prepares for Mandatory Breach Reporting

PDPC Issues Guidelines for How to Get Ready
Singapore's Personal Data Protection Commission is seeking feedback on the government's plan to amend the Personal Data Protection Act to create a tough breach notification mandate. The PDPC is accepting comments through July 3.

In the meantime, the PDPC has issued data breach management guidelines to help organizations prepare for the new requirements.

The Parliament is expected to vote soon on the proposed amendment, which would make it mandatory for organizations to report certain personal data breaches.

The change in the law would "convert the voluntary breach notification system we have today into a mandatory data breach notification regime," says Yeong Zee Kin, the PDPC's deputy commissioner.

Under the amendment, organizations would be required to "notify the commission and affected individuals when a significant data breach occurs," he explains. "Organizations failing to do so face stiffer enforcement action if later found to have breached the data protection law."

The draft of the amendment says organizations should notify the PDPC and/or affected individuals of a breach that is likely to result in significant harm or impact to individuals to whom the information relates, or of a significant scale (i.e., a breach involving personal data of 500 or more individuals).

Organizations would have to notify the PDPC of a breach no later than 72 hours from the time of an assessment.

"Organizations must carry out their breach assessment expeditiously within 30 days from when they first become aware of a potential breach," the PDPC said.

Singapore-based Tom Wills, advisory board member at Evrensel Capital Partners, notes: "Depending on the nature of the breach, detecting it could take weeks or months, or it might never be detected at all. There have been cases where malware was sitting on a network for over a year before detection, a big challenge."

Organizational Preparedness

The PDPC's interim guidelines for managing data breaches outline four essential steps:

  • Contain the data breach;
  • Assess the impact and implement remediation plans;
  • Report the breach to the commission and notify affected individuals;
  • Evaluate the response and consider actions to prevent other breaches.

"The above encapsulated steps help organizations prepare for a breach notification regime, and we will work with the industry and can co-create a system that's practical to operate and effective in protecting our consumers' personal data," Kin says.

Singapore-based Ken Soh, CIO and director of e-strategies at BH Global, a supply chain management and design firm, says most organizations are ill-prepared to issue breach notifications because they focus first on detection - which can prove challenging in light of advanced threats.

Assessing Data Breaches

The guidelines say organizations should conduct an in-depth assessment of potential breaches by:

  • Setting the context of the breach, considering the types of personal data involved, individuals whose personal data is compromised and whether any personal data was publicly available before the breach;
  • Identifying the affected individuals from the compromised dataset, such as customer records containing credentials;
  • Establishing circumstances of the breach, including whether data was illegally accessed and stolen by those with malicious intent, which is more likely to result in significant harm to affected individuals than situations where data was wrongly sent to recipients.

"It's important to understand that a data breach can be said to have occurred any time that confidential data is exposed to unauthorized parties, either deliberately or accidentally," Wills says. "An example of 'deliberately' is when the system holding the confidential data is hacked. An example of 'accidentally' is when a network admin leaves a thumb drive containing such data in a taxi."

Kin of the PDPC adds: "For companies detecting a breach early and demonstrating that they can respond to this quickly with established processes, what they need most is time to implement their remediation plan." Companies must be able to submit a plan that demonstrates they are "ready to implement it and resolve the breach which will make them more accountable," he says.

Reporting & Responding to Breaches

To prepare for the pending mandatory breach reporting requirement, it's important for organizations to document their breach response mechanisms, security experts say.

Soh also suggests organizations conduct simulated phishing campaigns as an important breach prevention step.

PDPC says appointing a qualified data breach incident response team is critical, along with a plan for engaging external resources when necessary. "Involving the senior management is important," Kin says.

Kin adds: "For contrite organizations, willing to admit to the PDPC that they have been breached, we are introducing a process to help them expedite the process of breach investigation."

About the Author

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
