Impact of Data Breach Notification Violation

Around the world, data breach notification is part of a number of data protection regulations that affect companies and how they handle data breaches. In Singapore, the newest amendments to the Personal Data Protection Act (PDPA) in 2021 includes mandatory breach notification reporting within 72 hours. Similarly, the General Data Protection Regulation (GDPR) also requires companies who have been breached to notify the regulator within 72 hours.

In many cases, non-compliance with the regulations can lead to severe consequences, including costly fines, loss of customers and reputational damage. It is imperative that organisations have adequate breach response plans, along with instructions on how to carry out the plan's stages, in order to comply with the data protection regulations regarding data breach notification within the time limits specified.

Case Study #1: Twitter

In Ireland, the Data Protection Commission (DPC) fined Twitter €450,000 ($547,000) for failing to report an issue where some Android users' protected tweets became unprotected within the legally required timeframe per Europe's General Data Protection Regulation (GDPR).

The DPC made its final decision following an investigation that began in January 2019. When Twitter suffered a data breach during the 2018 holiday season, the DPC was notified, but the company had not given 72 hours’ notice under GDPR, as required by the regulation. Twitter breached Article 33(1) and 33(5) of the GDPR by failing to notify the DPC on time and failing to adequately document the data breach.

Source: Mashable India

Case Study #2: Booking.com

Similar to the first case study on Twitter, Booking.com was fined €475,000 ($560,000) after failing to report a data breach within the time period mandated by the GDPR. In 2018, 40 employees at various hotels in the United Arab Emirates (UAE) were the target of telephone scammers and Booking.com suffered a breach. The hackers obtained login credentials for the Booking.com system and accessed the personal information of over 4100 customers who had booked a hotel room in the UAE using the site.

Furthermore, the credit card information of 283 consumers was also exposed, and in 97 cases, the CVV code, as well. Using email and telephone, the hackers attempted to secure the credit card information of other victims by impersonating a Booking.com employee.

Headquartered in the Netherlands, Booking.com was notified of the breach on 13 January 2019 but failed to report to the Dutch Data Protection Authority (AP) until February 7. By failing to report the breach within 72 hours, the organisation has failed to comply with GDPR.

Source: Forbes.com

How could this have a similar impact on firms in Singapore or jurisdictions imposing this obligation?

As Singapore's PDPA requires a 72-hour notice period, Singaporean firms may also face a penalty if their response to a data breach exceeds the required notice period. This is applicable to all organisations including not-for-profit organisations. Therefore, it is crucial for businesses to be aware of the data protection regulations within the jurisdiction that they operate in and to comply with them.

Conclusion

The two case studies above illustrate the point that “just reporting” a data breach to the authorities is not adequate. Organisations that fail to adhere to timelines mandated by data protection regulations can suffer hefty penalties in the form of fines. Moreover, this penalty can exceed the penalty imposed under other obligations within the data protection laws as well. Hence, knowing how your organisation will react to a data breach is essential and will expedite your organisation's response.

To learn more about data protection principles, frameworks, standards and operational best practices, check out our Advanced Certificate in Data Protection Principles and Advanced Certificate in Data Protection Operational Excellence to deepen your understanding. These courses also cover operational aspects in data protection and information security, as well as delving into the practical application for Data Protection by Design and Data Protection Impact Assessment.

Article By: Aman Khajanchi

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.