Singapore watchdog urges businesses to create plan for handling data breach incidents

Out-Law News | 15 May 2015 | 1:01 pm | 2 min. read

Singapore's data protection authority has called on businesses to establish a plan for handling data breach incidents.

In new guidance the Personal Data Protection Commission (PDPC) said companies could use a "data breach management and response plan" (12-page / 718KB PDF) to set out measures enabling them to contain breaches once they are identified, assess the risks and impact a breach could have, and determine who to notify in the event of a breach and when and how notification should take place.

The PDPC said the plan could also include a post-breach review of the cause of the breach and could help businesses "evaluate if existing protection and prevention measures are sufficient to prevent similar breaches from occurring".

Businesses could also use their data breach plan to set out a "clear command and reporting structure" so that it is known who would be responsible for deciding what steps to take to contain a breach and manage an incident, the PDPC said.

"Managing data breaches is important to protect the personal data of individuals when a data breach occurs," the PDPC said. "The Commission encourages organisations to pro-actively prepare and implement a good data breach management and response plan. Organisations should continuously review the plan to ensure it remains effective and relevant as business operations evolve."

The data breach management guidance was one of a number of guides published by the PDPC earlier this month. The watchdog also issued new guidance to help businesses keep personal data secure when it is in electronic form (30-page / 824KB PDF).

Under the Personal Data Protection Act in Singapore, organisations are required to put in place reasonable security arrangements to protect personal data against unauthorised access, collection, use or disclosure, among other similar risks.

The new guidance explained that the security measures each business operating in Singapore needs to put in place to comply with the Act will vary depending on "their circumstances". The precise security measures businesses need to implement will depend on factors such as the type of personal data they hold, the risk and potential impact of that data being accessed by unauthorised people and whether the data is stored on physical documents or is in electronic form.

The PDPC said businesses need good governance over IT security to protect personal data appropriately, and that they should also ensure staff are sufficiently trained in "ICT security threats and protection measures for personal data". Companies should also carry out security audits and test the systems they have in place to detect attacks.

Businesses should also explore the use of complex "authentication and authorisation processes in ICT systems" to secure electronic personal data, the PDPC said.

"More secure authentication methods include two-factor or multi-factor authentication," the PDPC said in its guide. "These involve the use of a combination of information that the user knows, such as a password or PIN, and an object that only the user possesses, such as a digital key, token or smart card, or a unique physical trait, such as the use of fingerprints in biometric technology. The use of multi-factor authentication increases confidence in the identity of the user accessing the system."

The PDPC said businesses should set a "maximum number of attempts" that a person may make to authenticate when seeking access to systems and the data stored on them, and should "lockout" anyone who tries to access those systems beyond that maximum number of times.

Expert in data protection law Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said he welcomed the new guidance issued by the PDPC.

"We note in particular that there is now guidance on when notification of a data breach to consumers should be given and whether such notification should also be given to the regulators," Tan said. "Following the recent rise in number of data breach incidents, whether by intentional or unintentional means, there is now guidance on what actions are expected of businesses."