In an update to the 2015 version, the Personal Data Protection Commission (PDPC) issued the “Guide to Managing Data Breaches 2.0” (Updated Guide) on 22 May 2019. The Updated Guide aims to help organisations effectively manage data breaches by setting out what measures they should implement to prepare for, respond to and remedy data breaches. It also introduces a mandatory data breach notification requirement[1] which is to be included in the proposed amended Personal Data Protection Act 2019 (PDPA).
Preparing for Data Breaches
To prepare for data breaches, the PDPC suggests that each organisation should:
- Implement monitoring measures and tools to detect and warn of breaches, such as real-time intrusion detection software and security cameras.
- Develop a robust data breach management plan, which is suited to the organisation’s business processes and should at least include guidance on:
  - what constitutes a data breach;
  - how to report a data breach internally;
  - how to respond to a data breach; and
  - the roles and responsibilities of each data breach management team member.
Responding to Data Breaches
If a data breach occurs, the PDPC recommends that an organisation should implement the C.A.R.E. steps:
- Contain the data breach: The data breach management team should be immediately activated to reduce potential harm arising from the breach. An initial assessment of the cause of the breach, the type of personal data involved and the affected individuals and systems/services should be conducted to enable the organisation to determine how the breach can be contained and how damage can be mitigated. The police, the Cyber Security Agency of Singapore and/or other government authorities should be alerted if necessary or required by law. All actions taken during this stage should be recorded for further reference (for example, in case of an investigation).
- Assess the data breach: Within 30 days from becoming aware of the data breach, the organisation should conduct a more thorough assessment to determine its extent and impact and the appropriate actions to take.[2] In conducting its assessment, the organisation should consider whether the types of data and individuals affected may lead to more significant harm, whether the compromised data can be easily used to identify individuals and whether the breach was due to error or malicious activities.
- Report the data breach: If the data breach (a) will likely result in significant harm to the affected individuals or (b) is of a significant scale (for example, affecting at least 500 individuals), organisations should notify:
  - the PDPC as soon as practicable (but within 72 hours after it is determined that notification is required), by email or telephone; and
  - the affected individuals as soon as practicable (but within any applicable contractually stipulated period), using the most effective means. If data of minors are compromised, their parents or guardians should be notified.
The Updated Guide specifies what a data breach notification should contain.
A data intermediary need not inform the PDPC or affected individuals of a data breach. However, it should inform its appointing organisation within 24 hours of a potential or confirmed data breach.
- Evaluate the response to the data breach: The organisation should assess whether its existing data breach management plan and processes need to be improved to prevent further data breaches.
[1] The giving of data breach notifications was recommended, but not required, in the 2015 version of the Guide to Managing Breaches (2015 Guide).
[2] The 2015 Guide enumerates some guide questions that an organisation might consider useful in conducting its thorough assessment.