The recent trend of large-scale personal data breaches illustrates that no organisation, wherever it is in the world, that collects or processes personal data, is immune from data security risks, especially in cyber space. This article seeks to describe some recent trends and developments in Asia, with a focus on the position in Singapore.
A reasonable expectation of data security
The first, most pertinent thing to note is that the development of cyber security measures in Asia appears to stem from the notion that protection of personal data is linked predominantly to objectively assessed reasonable expectations.
In Singapore, Section 24 of the Personal Data Protection Act 2012 (PDPA) requires organisations to protect personal data in their possession or control by making "reasonable" security arrangements. There are no standards specified as to what security arrangements are considered "reasonable" and there is no special treatment for sensitive personal data.
Non-binding Advisory Guidelines to the PDPA (Advisory Guidelines) issued by the Personal Data Protection Commission (PDPC) recognise that there is no 'one size fits all' solution to comply with this obligation, and provide examples of security arrangements such as administrative measures, physical measures, technical measures or a combination of these.
This lack of an absolute standard of protection in the PDPA means that, in theory, even a breach or data leak resulting in unauthorised loss or disclosure of data might not amount to a contravention of the provisions of the PDPA, if the organisation in question can satisfy the PDPC that it has reasonable security arrangements in place.
Not subject to intense media glare
Only the more significant cases of data breaches have been reported and, even then, only the salient aspects rather than the full details. The tendency is for the regulatory authority to take action behind closed doors and only reveal the breach (and the sanction) in the aftermath of action taken, sometimes long after the event has taken place. Some of the more recent examples include:
- In January 2014, prosecutors in South Korea alleged that an employee of a third-party contractor engaged by KB Kookmin Card, Lotte Card and NH NongHyup Card used a portable hard drive device to steal credit card data. The Financial Services Commission of Korea then suspended the operations of the three credit card firms for three months. About 20 million customers were said to be affected by the firms' data breach.
- In April 2014, a Monetary Authority of Singapore (MAS) spokesperson announced that the MAS had taken "appropriate supervisory actions" against Standard Chartered Bank (SCB) as a result of 647 private banking clients' data being stolen through a server of the bank's third-party service provider, Fuji Xerox.
- In September 2014, there were two reported incidents of significant data breaches in Singapore. M1 is one of the telecoms service providers in Singapore, and it was alleged that when M1 started taking in online pre-orders for the new Apple iPhone 6, a postgraduate student in Computer Sciences used a cookie modifier plug-in to access forms showing data from other customers, including personal data, prompting M1 to shut down the pre-order web page for 12 hours.
- At the same time, it was also alleged that K Box Entertainment Group, a private company which offers karaoke entertainment in Singapore, suffered a serious data security breach, in which the personal data of its customers in its database (numbering more than 300,000 customers) was leaked, as part of a threat by some "hacktivists" protesting against new toll charges.
The PDPC is investigating the incidents in Singapore but beyond that, nothing official has yet been announced.
Protection might be secured through compliance with regulatory standards
Singapore, Malaysia, the Philippines, South Korea and Taiwan have, in the last five years, introduced comprehensive data protection regimes in their respective jurisdictions. These follow the long-standing data protection regimes in Australia and Hong Kong.
Some of these jurisdictions have in place fairly detailed provisions governing data security but most of them, including Singapore, do not. In fact, in Singapore at least, the standard of security and protection for data does not take into account the rights and interests of the individual and liability is dependent on an objective assessment of the efforts taken by the organisation holding the data.
Having said that, the role of specific regulators, especially in heavily regulated industries such as banking and medicine, should not be underestimated, and most regulators take a very strict view of the standards banks and financial institutions must meet to protect their customer data. The recent case of SCB in Singapore, detailed above, is an example of regulatory action taken swiftly and decisively.
Another deterrent is the criminalisation of the acts of "hacking". In Singapore, the Computer Misuse Act outlaws any unauthorised access to any computer system and is used to prevent and reduce instances of data breaches.
Implementing adequate technical measures would present the greatest challenge
Some are of the view that the best protection is through the use of technology. Technical measures, however, are arguably the most challenging aspects of security arrangements to implement. The Advisory Guidelines suggest a slew of technical measures such as ensuring that computer networks are secure, adopting appropriate access controls, encrypting personal data and installing appropriate computer security software. These readily available measures serve to address current vulnerabilities and threats.
It becomes even more challenging to implement security arrangements to address ever-changing threats and vulnerabilities in a dynamic cyber-environment. The Advisory Guidelines recommend that regular updates on computer security and IT equipment should be made.
Most major organisations in Asia are aware of this and invest heavily in IT infrastructure to build and maintain adequate security measures.
Managing outsourced third party service providers
With regulatory standards providing the main impetus for compliance, the other practical preventive measures lie with managing the performance of the service providers. The right choice of service provider is the first important step. Following that, there must be proper risk management practices, crisis protocols and regular assessments on the threats and vulnerabilities of the system. The Advisory Guidelines reiterate this point.
Organisations in Asia are waking up to the fact that they need to have in place measures to ensure business continuity, and the right to regularly review, audit and perhaps even change the service provider's systems, policies, procedures and controls, or even the service provider itself, where necessary.
The main challenge will centre upon the ability to enforce these rights and duties in each of the jurisdictions.
The Asia-Pacific region has recently seen rapid development of data protection laws which include requirements to maintain data security. The obligations, expectations and consequences that flow from the changes in the law present an ongoing challenge. The advent of the ASEAN Economic Community in 2015 will bring further challenges as more countries in ASEAN (and by extension in Asia) seek trade opportunities in the region. Cross-border transactions, and therefore international transfers of data, will inevitably increase. The likelihood is that data protection regulatory regimes throughout ASEAN will become more harmonised and that changes will happen to reconcile and streamline industry practices concerning data security among the ASEAN nations.