According to the Singapore Personal Data Protection Commission (PDPC), a data breach refers to an incident exposing personal data in an organisation’s possession or under its control to unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Data breaches can negatively impact businesses and consumers in a plethora of ways, and can stem from concerted attacks by individuals or groups who hack for personal gain. They can lead to lost investor confidence, regulatory exposure, business losses, and loss of customer trust. In the case of individuals, a breach might involve exposure of bank account or credit card numbers, theft of NRIC / Social Security numbers, health records, passwords or email.
The 2019 Verizon Data Breach Investigations Report identifies nine “patterns” that criminals use. These are:
Management and crisis communication involvement is needed in cases of breach incidents involving hacking and malware. Notable updates should include details of the containment actions taken, the investigation results, personal data involved that could cause significant harm to the data subjects, their bank account details or even employees’ personal details. In Singapore, after the recent amendments to the country’s Personal Data Protection Act (PDPA) effected in February 2021, the PDPC needs to be notified within three calendar days (72 hours) if the organisation has assessed the incident to be a “notifiable data breach” (as defined in the PDPA).
As the next step, the organisation’s crisis communications plan has to be activated, as there are several parties the organisation will need to notify in such an event.
Parties that need to be identified can be broken down into two main categories:
Externally, the relevant stakeholders need to be notified:
For the regulators, the notification is typically done by the DPO or a designated department. For the affected individuals, the Public Relations/Corporate Communications department will publish a press release on the website.
If the data breach is discovered by a third-party vendor or a data intermediary (under Singapore’s PDPA), they are required to notify the organisation of the data breach “without undue delay”.
Internally, there will be a need to inform employees of the incident through an internal circular, and this is usually done by HR. Where the data breach involves an information system or the infrastructure, IT may be called upon to activate or engage a team to conduct forensics of the system or lodge a report with the Cyber Security Agency of Singapore, and the finance department is required to activate cyber insurance.
Companies should conduct regular network vulnerability security scans to check for possible gaps within the organisation’s infrastructure and to ensure that these issues are fixed as quickly as possible. Active monitoring of security incidents would allow the organisation to learn from these incidents and create efficacious preventive measures to minimise the probability and impact of data breaches. As data breaches can occur in the most basic day-to-day operations, such as sending an attachment containing personal data in an email, there is also the need to have internal policies and practices and, where necessary, regular data protection briefings or training.
It is crucial for organisations to have a data breach response plan established before an actual data breach occurs. Without an existing plan, the organisation may not be able to respond swiftly when a data breach occurs, causing further damage to the company’s business operations and reputation. Establishing a data breach response plan will help the organisation be better prepared to tide through the crisis.
The data breach management plan should include:
The team should practise simulated (tabletop) exercises in order to cultivate a clear understanding of their roles and tasks. During the simulated exercises, gaps could be identified unexpectedly and actions can be taken to resolve these issues. A crisis communications plan should also accompany the data breach management plan.
The PDPC also has a framework to describe a data breach management plan, with the acronym CARE. It is also important to note that having a data breach management plan is one of the assessment requirements for Singapore’s Data Protection Trustmark certification.
When a data breach occurs, the organisation should contain the situation and prevent any further compromise of personal data. At this stage, other important steps include convening an emergency meeting with the breach response team, isolating the damage by activating the IT forensics team (internal or outsourced), releasing a holding statement to the media and the public, and gathering the facts of the breach.
With the facts of the breach, the organisation must assess the risks and impact on the affected individuals, the organisation and the crisis communications landscape. There should also be continued efforts to prevent more harm.
Simultaneously, the organisation must determine whether the data breach is a ‘notifiable’ data breach, that is, whether it must be notified to the local regulator and to the affected individuals. In addition, messaging and communication are critical, and the affected individuals and other stakeholders (e.g. employees, clients, partners, media) must be kept informed of the situation at regular intervals wherever necessary.
After the incident has been handled, the organisation should evaluate the plan and their response and consider the actions that they should take to prevent future breaches. At this stage, the organisation should also refine their data breach response and crisis management plan.
Globally, data breaches and security incidents are incessantly appearing in the media, and organisations are getting hit hard at the bottom line. So, how can you make sure your organisation is not the next headline? The key is to be prepared before disaster strikes. Our crisis communications and data breach response course helps Data Protection Officers (DPOs) learn what they can do to reduce the impact on their organisation and stakeholders in the event of a data protection breach. As the old saying goes, prevention is better than cure, so start planning your breach response plans now!
Article by: Aman Khajanchi, Steffi Tay
Edited by: Josiah Poh (CIPM, CIPP/A, CIPT, CIPP/E, FIP), Senior Manager (Consultancy & Legal), Data Protection Officer, Straits Interactive Pte Ltd. This article was originally published 17 May 2021.