The threat of a cyber attack is real. In the past year, especially with remote working due to the COVID-19 pandemic, cyber attacks have risen significantly. On 8 July 2021, the Cyber Security Agency of Singapore released its 2020 report, highlighting a rise of 154 per cent in reported ransomware cases – a total of 89 cases as compared to the 35 in 2019.
The attacks mainly affected small and medium-sized enterprises (SMEs) from sectors spanning manufacturing, retail and healthcare as they are less equipped and prepared to protect themselves against cyber attacks. The rise of such attacks is a clear warning to organisations that they cannot put off expending resources to protect their systems and prepare themselves against cyber attacks.
Imagine the repercussions that a data breach can have on a business if there are no systems and procedures in place to manage a data breach.
If the data breach is a notifiable one¹, where the data is protected by the Personal Data Protection Act (PDPA), the organisation would have to file a report with the Personal Data Protection Commission (PDPC) and notify the affected individuals of the breach.
The PDPC would investigate the breach and report the outcome of the investigation on its website, including any penalties imposed. If the PDPC concludes that the organisation had intentionally or negligently contravened any provision of the PDPA, the PDPC may impose a financial penalty, which must not exceed the maximum amount prescribed for that offence, which in no case may be more than $1 million².
In addition to the financial penalties which may be imposed by PDPC, the organisation could be liable to its customers for the loss or damage they suffered as a result of the data breach³.
Besides pecuniary loss, think about the damage such a report would have on an organisation’s reputation, and how its customers and business partners will perceive the organisation after such an incident is published.
How should SMEs go about protecting their systems and preparing to respond to data breaches?
The first step is to develop a data breach management plan that ensures that the right personnel, and the right systems and procedures are put in place to effectively deal with cyber attacks. Without a well thought out plan, an organisation will be at a loss once a data breach actually occurs.
Setting up an incident response team and outlining an incident response plan
An incident response team should be constituted to manage data breaches. The team should not be made up of technical personnel alone, but also include management executives, communications personnel, and legal and compliance officers. Each member has a specific role to play to cover the different aspects involved in managing a data breach. It is important that the team stays up to date on the latest cybercriminal patterns, attack techniques and malware trends so that it can be more proactive, instead of merely reacting to a cyber attack.
This team should be able to refer to an incident response plan and a disaster recovery plan to guide in handling and containing the data breach. These plans help inform the team of the action to be taken when a breach occurs. The plan should specifically state how the team will address each type of incident, from garden-variety threats to full-on network compromise, as well as from initial detection all the way to post-mortem and lessons learnt. Companies should regularly test this plan and update it to meet changes in cybercriminal patterns and attack techniques.
It is important to install appropriate security systems to provide early warnings of potential breaches. To determine which security system is appropriate, an organisation needs to identify the types of data that it collects and how each kind of data is processed, used and stored. In addition, the organisation needs to identify any critical business processes and the assets that those processes handle. If any of the data is subject to regulatory requirements, the organisation needs to include official processes for documenting and reporting a breach to the relevant authorities in its incident response plan.
A disaster recovery plan must also be put in place to minimise the impact of a breach. Critical data should be regularly backed-up and stored off-network. Routine system and data recovery drills should be performed so that the systems can be quickly brought back online after an incident.
Once a data breach has been resolved, a post-mortem should be conducted to prevent the recurrence of other such incidents. If the breach was due to external malicious hackers, a review of the systems and mitigation measures would need to be undertaken. However, if the breach involved employees, appropriate security awareness training should be conducted for them. Lessons learnt should be incorporated into an updated incident response plan.
What are the legal ramifications to a company when a data breach happens?
In the event of a breach of personal data, the company, and not its employees, are liable to third parties – wherein customers can sue the company for the loss or damage of their data as a result of a cyber attack. The company can take action against its employees for data breaches should investigations prove negligence in his or her duties performed. However, should the employee have acted in good faith and in accordance to instructions given in the course of their employment, the employee is not liable to be held responsible and subjected to any internal disciplinary actions.
In conclusion, SMEs should incorporate the following four key steps in their data breach management plans, taking the C.A.R.E. approach outlined by the PDPC⁴:
- Contain the data breach to prevent further compromise of data and implement mitigating action(s) to minimise potential harms from the breach after an initial appraisal has been conducted to determine the extent of the breach.
- Assess the data breach to determine the root cause (where possible) and the effectiveness of containment action(s) taken thus far to contain the data breach. Where necessary, continuing efforts should be made to prevent further harm from the data breach.
- Report the data breach to:
1. The PDPC (mandatory if the breach is a notifiable data breach under the PDPA, but organisations may choose to voluntarily inform PDPC of any data breach); and/or
2. The affected individuals (if required under the Data Breach Notification Obligation of the PDPA).
- Evaluate the organisation’s response to the data breach and consider the actions that can be taken to prevent future data breaches. Where necessary, continuing efforts should be made to prevent further harm from the data breach.
The data protection laws in Singapore are comparable to those in other developed countries, such as the General Data Protection Regulation (GDPR) in Europe, which is often considered the most comprehensive in the world. Due to Singapore’s resolve in establishing itself as a global technology and data hub, the PDPC takes compliance of the PDPA seriously. Hence, companies should do well to take note of their PDPA obligations and implement the necessary cybersecurity measures to avoid not just reputational repercussions, but any negative business impacts.
¹The Personal Data Protection (Notification of Data Breaches) Regulations 2021 provides the personal data (or classes of personal data) that is deemed to result in significant harm to affected individuals if compromised in a data breach. Where a data breach involves any of the prescribed personal data, the organisation will be required to notify the affected individuals and the PDPC of the data breach.
²Section 48J of the PDPA
³Under section 48O(1) of the PDPA, any person who suffers loss or damage directly as a result of a contravention by:
-an organisation of any provisions in Parts 4 (collection, use and disclosure of PD), 5 (access to and correction of PD), 6 (care of personal data), 6A (notification of data breaches) or 6B (offences affecting personal data and anonymised information); or
-by any person of an any provision of Division 3 of Part 9 (Specified messages to a Singapore telephone number) or Part 9A (dictionary attacks and address-harvesting software) may commence civil proceedings in the courts against the organisation or person
⁴PDPC’s Guide on Managing and Notifying Data Breaches under the Personal Data Protection Act 2012 – Revised 15 March 2021
This article was first published here on ASME.