Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach.
As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.
What is a data breach?
A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.
Is a data breach the same thing as a breach of the Personal Data Protection Act (PDPA)?
Not necessarily. A data breach refers to any unauthorized access, use, disclosure, copying, modification or disposal of (or other similar risk to) personal data (i.e., data that identifies individuals) that is held by an organization. A data breach may or may not be a breach of the PDPA, depending on the exact circumstances. Conversely, a breach of the PDPA could arise regardless of whether or not there is a data breach; for instance, an organization may have failed to comply with its access obligation under the PDPA despite receiving a legitimate request from an individual.
When and to whom does an organization need to report a data breach?
- An organization needs to notify PDPC when the data breach is:
- likely to result in significant harm or impact to the individuals to whom the information relates; or
- of a significant scale (meaning, as a rule of thumb, that 500 or more individuals’ data is affected).
2. An organization needs to notify affected individuals (including parents and the legal guardians of minors whose personal data is compromised) when the data breach is likely to result in significant harm or impact to the individuals to whom the information relates.
Potential exceptions exist where:
- the personal data is encrypted and cannot be decrypted; or
- remedial actions were taken such that the breach is not likely to result in significant harm or impact to the individuals.
3. A data intermediary (i.e., an organization that processes personal data on behalf of another) need only notify that organization without undue delay (i.e., within 24 hours) upon its becoming aware of a data breach.
What is the timeline for reporting?
- As soon as practicable, but no later than 72 hours after determining that a breach is notifiable.
- Organizations must:
- assess, within 30 days of becoming aware of a suspected breach, whether the breach is notifiable;
- document the steps taken in assessing the breach; and
- document the reasons for any delay.
- Notifications made after 72 hours are a contravention of the PDPA.
- Organizations must:
To affected individuals:
- As soon as practicable.
What information should the notification(s) contain?
- extent of the data breach;
- type(s) and volume of personal data involved;
- cause or suspected cause of the data breach;
- whether the data breach has been rectified;
- measures and processes that the organization had in place at the time of the data breach;
- whether the organization notified or will notify affected individuals; and
- contact details of the organization’s representative(s) with whom PDPC can liaise for further information.
To affected individuals:
- how and when the data breach occurred;
- the type(s) of personal data involved;
- the type(s) of harm or impact to affected individuals, where applicable;
- steps the organization has taken or will take in response to the risks arising from the data breach;
- specific details on the data breach and relevant actions that affected individuals can take to prevent misuse of the data; and
- contact details on how affected individuals can reach the organization to obtain further information and assistance.
Are there any other reporting requirements in Singapore to take note of?
Yes. Significant ones include:
- If the organization is a regulated entity, it may be required to notify the regulator for the relevant sector. For instance, financial institutions in Singapore must notify the Monetary Authority of Singapore (MAS) within one hour of discovering a relevant incident (i.e., a system malfunction or IT security incident which has a severe and widespread impact on their operations or materially impacts their service to customers). They must also submit to MAS a root-cause and impact analysis report within 14 days from discovery of the incident.
- If the organization has been designated an owner of critical information infrastructure (CII) under the Cybersecurity Act, it must, within two hours of becoming aware of the occurrence of a prescribed cybersecurity incident, notify the Commissioner of Cybersecurity of the same. Such incidents include: (a) the unauthorized hacking of a CII; (b) the installation or execution of unauthorized software or code on a CII; (c) man-in-the-middle attacks, session hijacks or any other unauthorized interception of communications between a CII and an authorized user; and (d) denial-of-service attacks. It must submit the following details within 14 days of the initial notification: (i) the cause(s) of the cybersecurity incident; (b) any impact on the CII, interconnected computers or systems; and (c) any remedial measures that the organization took.
- While not mandatory, if an organization suspects any criminal activity (e.g., hacking, theft or unauthorized system access), it should notify the police. It can also contact the Singapore Computer Emergency Response Team (SingCERT) (an initiative of the Cyber Security Agency of Singapore) for technical assistance in response to computer security incidents.
- If the data breach involves personal data outside of Singapore, mandatory notification laws may apply depending on the jurisdiction(s). Jurisdictions that already have mandatory breach notification laws include the EU, California, the Philippines, China, Australia and South Korea.
What do I do now before the updated law kicks in?
It is likely that organizations will be given some time to prepare and put in place the necessary policies and practices to comply with the new notification requirements. However, businesses should start considering taking the following steps ahead of any implementation deadline:
- Ensuring that agreements are reviewed to provide adequate protection against data breaches. This may include the provision of undertakings from counterparties on data privacy and security, incident reporting, subcontracting restrictions, rights to audit and insurance requirements. It is helpful to engage external counsel to make sure contracts are robust and where arrangements or negotiations are more complex.
- Updating internal policies and procedures to cater for a data breach response plan. Such plan should guide stakeholders on how to identify a breach when it occurs, whom to inform, how to record/document relevant matters, and other specific actions to take in response to an incident.
- Conducting training to familiarize employees with relevant policies, procedures and plans and setting mock data breach exercises to test employees on the same.