Data Breaches on the Rise and How to Respond
Singapore’s Personal Data Protection Commission (PDPC) defines a data breach as an incident that exposes personal data in the possession or under the control of an organisation to unauthorised access, use, disclosure, modification, copying, collection, disposal or similar risks.
Data breaches can negatively impact consumers and businesses in various ways. A data breach can lead to regulatory exposure, business losses, and loss of both consumer and investor trust. Given this, it is not surprising that data protection officers (DPOs) have become valued members of many organisations.
To ensure they can do their jobs effectively, DPOs typically attend a DPO course. In Singapore, it is common for organisations to appoint one or more DPOs to help them comply with the Personal Data Protection Act (PDPA). A PDPA course is also available for those who want to gain a better understanding of the Act.
Data Breach: Nine Patterns Criminals Use
The 2019 Verizon Data Breach Investigations Report identified nine patterns that criminals use. These patterns include:
- Insider and privilege misuse
- Physical theft and loss
- Denial of service
- Crimeware (includes ransomware, SQL injection, and phishing attempts)
- Web application attacks
- Payment card skimmers
- Point-of-sale intrusions
- Human errors
What a Reportable Data Breach Is
In breach incidents that involve malware and hacking, incident management and crisis communication are required. The updates provided to the concerned parties should include details of the investigation results, the containment actions taken, any bank account and personal details of employees that were affected, and any personal data whose exposure could cause significant harm to data subjects.
In Singapore, the PDPC has to be notified within 72 hours (three calendar days) if the incident is considered a “notifiable data breach” (as defined in the PDPA). The organisation’s crisis communication plan needs to be activated as well. In such scenarios, organisations also need to notify other parties, such as internal and external stakeholders.
Responding to Data Breaches
It is vital that an organisation has a data breach plan in place before a data breach occurs. Without a data breach plan, the organisation may not be able to respond quickly and properly. This might lead to further damage to the organisation’s operations and reputation.
A robust data breach management plan should include:
- Members of the breach response team and the roles they play
- Details of the breach
- How the internal and external reporting to the relevant stakeholders will be done
- How to respond to the incident
It is recommended that the team carries out simulated (tabletop) exercises so that each member has a clear understanding of their tasks and roles. During these exercises, gaps in the plan can be identified and addressed. A data breach management plan should also be accompanied by a crisis communication plan.
The PDPC has also created a framework that describes a data breach management plan, summarised by the acronym CARE (contain, assess, respond, and evaluate). It is also crucial to note that a data breach management plan is a requirement for organisations that would like to apply for Singapore’s Data Protection Trustmark certification.
How to Mitigate Risks of Data Breaches
Organisations need to conduct regular network vulnerability scans to identify gaps within their infrastructure and to ensure that issues are addressed as soon as possible.
Actively monitoring security incidents also helps the organisation put effective preventive measures in place that minimise the impact of data breaches.
Data breaches can occur in the course of day-to-day operations, so it is advisable to have internal data protection guidelines and policies in place and, where necessary, to conduct regular data protection training and briefings.