As cybercrime rises, data breach fines may exceed $1 million

2022-09-30

In the wake of the pandemic, cybersecurity risks have risen dramatically. Not only has the number of reported data breaches gone up, but the size of the breaches has also increased.

This is the assessment of Ng Quan Cheng, who is Manager, IT InfoSec, and the Data Protection Officer (DPO) at Straits Interactive, which set up and supports the Data Protection Excellence (DPEX) Network community.

In recent years, both firms and individuals in Singapore have faced increasing cyber threats and online scams such as phishing and ransomware attacks. In fact, an August report by the Cyber Security Agency of Singapore (CSA) highlighted a 54 percent jump in ransomware cases and a 17 percent increase in phishing cases.

This followed an April announcement by the CSA that a recurring tech support scam had cheated at least 154 victims of at least SGD7.1 million since January.

2020 PDPA amendments take effect 1 Oct

In March this year, Ms Josephine Teo, Minister for Communications and Information and Minister-in-charge of the CSA and Smart Nation Initiative, confirmed that amendments to Singapore’s Personal Data Protection Act (PDPA) would Fa.

The most notable of the amendments, which were passed in parliament in November 2020, but held back from implementation until now due to pandemic-induced economic uncertainty, is the raising of maximum financial penalties for data breaches to SGD1 million, or 10% of local annual turnover for organisations with turnover exceeding SGD10 million, whichever is higher.

In other words, if your organisation’s local annual turnover is above SGD10 million, the maximum financial penalty is now 10% of that turnover and hence possibly above SGD1 million.

This increase in fines, the Minister said, is to uphold public trust in organisations that handle personal data in their business operations, and to ensure that they continue to take ownership and be held accountable for protecting such data.

Expect larger fines for upcoming data breaches

Straits Interactive’s DPO Ng noted that recent data breaches might have potentially incurred fines in excess of SGD1 million, had the amendments been implemented earlier.

Last year, hotel booking platform RedDoorz was found to have compromised the security of 5.9 million customer records in the largest data breach incident in Singapore since the PDPA was enacted in 2012. The company was assessed an SGD74,000 fine.

To date, the largest fines imposed by the Personal Data Protection Commission have been on Secur Solutions Group ($120,000), SingHealth ($250,000), and IHiS ($750,000) for breaching the protection obligation, the obligation most commonly breached by organisations.

“If such cases had happened after 1st October, the penalties could have been even higher,” said Ng. “We can expect to see greater fines imposed on organisations that breach PDPA obligations once the amendments to the maximum fines take effect.”

To start or progress on your organisation’s data protection journey, consider establishing a Data Protection Management Programme (DPMP) and attaining the Data Protection Trustmark (DPTM) certification. Set up a free 20-minute strategy call or contact sales@straitsinteractive.com to have your queries answered.

Steps to take to comply with the amended PDPA

According to Ng, with Russia’s reported cyberattacks on Ukraine, there may be the possibility of a spillover effect onto infrastructure networks around the world.

His opinion is that it is thus vital for organisations and individuals alike to:

• Ensure that your computer software is up-to-date so that known vulnerabilities can be patched
• Have effective antivirus and malware detection software, so as to safeguard against threats such as zero-click malware

Organisations can also consider attaining the following cybersecurity certifications, introduced by the CSA in March 2022, which recognise enterprises with good cybersecurity practices:

• The Cyber Essentials mark identifies enterprises that have implemented cyber hygiene measures
• The Cyber Trust mark is a mark of distinction for enterprises with comprehensive cybersecurity measures and practices

Sign up for a free Data Protection Excellence (DPEX) Network membership and be part of a professional community with access to fellow DPOs and data protection practitioners, industry experts, exclusive webinars, research, articles and videos.


