Action Planning for Personal Data Breach

Data Breach Notification Obligation

Under the PDPA (Personal Data Protection Act), the Company has an obligation to report a personal data breach.

If your organisation has suffered a data breach that has caused (or is likely to cause) significant harm to affected individuals, or that has affected at least 500 individuals, then it must inform the PDPC (Personal Data Protection Commission) and affected individuals of the breach. 

What is a Data Breach?

Under the PDPA, a data breach refers to one of the following situations:

· Unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data

· Loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

Instances that would be considered a “data breach” under the PDPA include:

· Unauthorised access to databases containing personal data, such as through hacking or the installation of ransomware

· Theft or loss of computer notebooks, data storage devices or paper records, especially if they are unsecured and can be easily read by the thief/finder

· Disclosing personal data to a wrong recipient, where the individual whose personal data was disclosed had not consented to such disclosure

A Data Breach Action Plan

The Company should have a Critical Incident Response Team (led by its Data Protection Officer and including IT developers, the HR Director and senior management) and a Breach Response Plan that is reviewed regularly, and at least annually.

Below is a step-by-step summary of the action protocol which the Company shall follow in the event of a suspected data breach.

Step 1 – Incident Detection and Preliminary Assessment

· Employees, vendors and customers can report suspected operational and security breaches to the DPO via live chat, email or phone.

· The Company will take immediate steps to conduct a preliminary investigation, where we will identify and classify the suspected breach.

Step 2 – Contain the Breach

If the preliminary investigation confirms a suspected breach, we will take immediate steps to:

· Contain the breach (shutting down the compromised system if deemed warranted).

· Isolate the causes of the data breach.

· Where applicable, change the access rights to the compromised system.

· Reset passwords if accounts and passwords have been compromised.

· Remove external connections to the compromised system.

· Limit distribution of the affected personal information.

· Limit possible compromise of other information.

Step 3 – Assess Risks Associated with the Breach

The next step is to undertake a reasonable and expeditious assessment to:

· Gather all relevant information on the breach.

· Assess risk and impact on individuals:

  • How many and who are affected (Employees? Customers? Children?)
  • Types of personal data involved (Identity? Reputation? Safety? Financial?)
  • Any factors to minimize impact of breach?

· Assess risk and impact to organisation:

  • What caused the breach? (Theft? Accident? Unauthorised access?)
  • When and how did the breach happen?
  • Who might have gained access to the compromised personal data?
  • Are transactions with third parties (which ones?) affected by the breach?

· Make a decision, based on the factual information obtained during the investigation, about the validity and nature of the breach.

· Determine who needs to be made aware of the breach.

· Document everything at each step.

Step 4 – Reporting (Who? When? How? What?)

When a data breach involves sensitive personal data, the Company shall notify the PDPC, affected organisations and users as soon as possible once the facts are known, if:

· There is a chance of serious harm, or if a notification would give the users or customer organisation the ability to avoid serious harm.

· An incident is likely to cause humiliation or embarrassment for the individual.

· Their medical data was lost or stolen or viewed by the wrong people.

· Notification of breach incidents should contain the following details (where available):

  • Extent of the data breach
  • Type and volume of personal data involved
  • Cause or suspected cause of the breach
  • Whether the breach has been rectified
  • Existing measures and processes deployed for breach detection and prevention
  • Whether affected individuals have been notified and, if not, by when
  • Contact person for more information or clarification

Notify the Police if criminal activity is suspected and preserve evidence for investigation.

If the affected user is identified, the Company will work with the affected organisation to decide who communicates with the user. If the source of the breach originates from overseas, the Company shall inform the relevant country's authority of the data breach, providing ongoing updates on key developments.

Provide the contact details and how the Company can be reached for further information or assistance (Helpline? Email? Website? WhatsApp? … etc.)

Step 5 – Evaluating response to prevent future breaches

In the event of a breach, the Company shall:

· Fully investigate the cause of the breach.

· Record an Incident Report.

· Report to the PDPC and the relevant country authority on outcomes and recommendations following the notifiable breach.

· Implement recommendations from the investigation to prevent future breaches.

· Continually monitor for potential breaches.
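The Step 3 assessment questions and the Step 4 notification checklist can be captured as a small triage record so that the "notify or not" decision is made from recorded facts rather than from memory. The following Python module is an added example, not code from the original article or the Company's own plan. It applies the threshold quoted in the article (significant harm likely, or at least 500 individuals affected) and flags which notification fields are still missing. The dataclass layout and function names are assumptions, as is the simplification that medical, financial or identity data, or any recorded harm factor such as embarrassment, counts as "likely to cause significant harm", and that theft or unauthorised access signals suspected criminal activity warranting a police referral; the real decision remains the response team's own assessment.

```python
"""Breach triage helper modelled on the article's Step 3 / Step 4.

Added example, not part of the original article. Assumptions (not from
the page): the dataclass layout, the function names, and the mapping of
data categories / causes to "significant harm" and "police referral".
"""
from dataclasses import dataclass, field

NOTIFY_THRESHOLD = 500  # affected-individual count quoted in the article

# Data types the article singles out (medical, financial, identity).
# Treating them as "likely to cause significant harm" is an assumption
# made for this example, not a statement of the legal test.
HIGH_HARM_CATEGORIES = {"medical", "financial", "identity"}

# Causes assumed here to indicate suspected criminal activity (Step 4:
# "Notify the Police if criminal activity is suspected").
CRIMINAL_CAUSES = {"theft", "unauthorised access"}


@dataclass
class BreachAssessment:
    """Facts gathered during the Step 3 assessment."""
    affected_count: int
    data_categories: set          # e.g. {"email", "medical"}
    cause: str                    # "theft", "accident", "unauthorised access", ""
    rectified: bool
    individuals_notified: bool
    contact_person: str = ""
    harm_factors: list = field(default_factory=list)  # e.g. ["embarrassment"]


def likely_significant_harm(a: BreachAssessment) -> bool:
    """Sensitive data types or an explicitly recorded harm factor."""
    return bool(a.data_categories & HIGH_HARM_CATEGORIES) or bool(a.harm_factors)


def is_notifiable(a: BreachAssessment) -> bool:
    """Threshold as the article states it: significant harm likely, OR
    at least NOTIFY_THRESHOLD individuals affected."""
    return likely_significant_harm(a) or a.affected_count >= NOTIFY_THRESHOLD


def notification_gaps(a: BreachAssessment) -> list:
    """Step 4 checklist fields that are not yet filled in."""
    gaps = []
    if not a.contact_person:
        gaps.append("contact person")
    if not a.cause:
        gaps.append("cause or suspected cause")
    if not a.individuals_notified:
        gaps.append("date by which affected individuals will be notified")
    return gaps


def build_notification(a: BreachAssessment) -> dict:
    """Assemble the notification record from the article's checklist."""
    return {
        "notify_pdpc": is_notifiable(a),
        "extent": a.affected_count,
        "data_types": sorted(a.data_categories),
        "cause": a.cause,
        "rectified": a.rectified,
        "individuals_notified": a.individuals_notified,
        "contact": a.contact_person,
        "police_referral": a.cause in CRIMINAL_CAUSES,
        "missing_fields": notification_gaps(a),
    }


if __name__ == "__main__":
    # Constructed sample incidents (not real cases).
    samples = [
        BreachAssessment(30, {"email"}, "accident", True, True, "dpo@example.invalid"),
        BreachAssessment(30, {"medical"}, "theft", False, False, "dpo@example.invalid"),
        BreachAssessment(600, {"email"}, "", False, False),
    ]
    for s in samples:
        print(build_notification(s))
```

The first sample (30 e-mail addresses, rectified) falls below both thresholds; the second is notifiable because medical data was involved even though only 30 people were affected; the third is notifiable purely on the count, and the record lists the fields the team still has to supply before it can report.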

Singapore takes a strict stance towards the collection, use, disclosure and protection of personal data. The PDPC may therefore impose serious consequences for data breaches.

PDPC consequences for a personal data breach range from fines to a ban on the collection of personal data, which would be detrimental to the conduct of business affairs. Organisations and businesses must therefore plan for the known unexpected and take all the necessary steps to prevent data breaches from occurring, instead of scrambling after a breach event that could have been completely avoided.

Organisations and businesses should also keep up with the latest technological advancements in the cybersecurity field, refine their personal data collection and storage processes, and hire experts to monitor, check and review their current protection mechanisms.

Please enjoy my recent Articles.
