Financial Crime World

Singapore Firms Must Have Data Breach Response Plan in Place

In today’s digital age, organisations in Singapore must be proactive in protecting personal data from breaches. A data breach can have severe consequences, including reputational damage and financial losses. In this article, we will explore the importance of having a comprehensive data breach response plan in place.

What is a Data Breach?

A data breach refers to the unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks of personal data in an organisation’s possession or under its control. This can include sensitive information such as names, addresses, and financial details.

Why Do You Need a Data Breach Response Plan?

According to the Personal Data Protection Commission (PDPC), having a data breach management plan enables organisations to respond swiftly and systematically in managing any data breaches. The plan should include:

  • Assessing risks and impact
  • Containing the breach
  • Reporting the incident
  • Evaluating the response
  • Taking actions to prevent future breaches

How to Respond to a Data Breach?

When a suspected or confirmed data breach occurs, staff are expected to report it immediately to the data breach management team. The team will conduct an initial assessment to determine the severity of the data breach, including:

  • Cause of the breach
  • Number of individuals affected
  • Types of personal data disclosed
  • Systems and/or services affected
  • Whether external help is required

To contain the breach, organisations must take immediate steps to limit any further access or disclosure of the personal data. An Incident Record Log should be maintained to record the data breach and the organisation’s response(s).

Responsibilities of Data Intermediaries

Data intermediaries are also expected to report data breaches to the main organisation without undue delay, no later than 24 hours from the time they first become aware of the breach.

Evaluating Risks and Notifying Authorities

When evaluating risks posed by the data breach, organisations must consider factors such as:

  • Sensitivity of the data involved
  • Presence of mitigating factors (e.g. encryption)
  • What happened to the data
  • Nature of harm to affected individuals

Organisations are required to notify the PDPC as soon as practicable, and no later than 72 hours from the time they have made their assessment. Notifications should include specific facts about the data breach, actions individuals can take, and the organisation’s contact details.

In addition, organisations must notify affected individuals as soon as practicable, including information on the data breach, actions to be taken, and the organisation’s contact details. The PDPC has set out a comprehensive guide for managing data breaches, which includes detailed steps and timelines for reporting and notification.

Conclusion

Organisations in Singapore are advised to refer to this guide to ensure compliance with data protection regulations and to protect their customers’ personal data from unauthorised access or disclosure. By having a comprehensive data breach response plan in place, organisations can respond swiftly and effectively in the event of a data breach, minimising harm to affected individuals and protecting their reputation.