Managing Data Breaches - A Quick Guide

2022-07-21

The threat of data breaches looms larger than ever. It has become a risk to both vulnerable individuals and organisations as a whole, making effective data breach management critical across all sectors. With increasing regulatory scrutiny and the potential for significant financial and reputational damage, it is essential for businesses to adopt a proactive approach to data breach management.

What is a data breach?

According to the Singapore Personal Data Protection Commission (PDPC), a data breach refers to an incident exposing personal data in an organisation's possession or under its control to unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Managing data breaches effectively is crucial to ensure the protection of sensitive information and to mitigate the potential harm caused by such incidents.

Data breaches can negatively impact businesses and consumers in a plethora of ways, and their causes include concerted attacks by individuals or groups who hack for personal gain. For businesses, a breach can lead to lost investor confidence, regulatory exposure, business losses, and loss of customer trust. For individuals, it might involve exposure of bank account or credit card numbers, theft of NRIC/Social Security Numbers, health records, passwords or email.

The Nine Patterns

Data breaches come in a variety of shapes and sizes, but they can be categorised according to similar characteristics. The 2019 Verizon Data Breach Investigations Report identifies nine "patterns" most commonly associated with reported data breaches, in an effort to "communicate that the majority of incidents/breaches, even targeted, sophisticated attacks, generally share enough commonalities to categorise them."

The nine patterns are:

1. Insider and privilege misuse

2. Physical theft and loss

3. Denial of service

4. Crimeware - Ransomware, SQL injection, Phishing attempts

5. Web application attacks

6. Payment card skimmers

7. Cyber-espionage

8. Point-of-sale intrusions

9. Human Error

What constitutes a reportable data breach?

A data breach occurs when personal data is accessed, collected, used, disclosed, or disposed of without authorization, potentially putting individuals at risk. In cases involving hacking or malware, management and crisis communication are essential. Under Singapore’s Personal Data Protection Act (PDPA), a reportable data breach is one that involves personal data or categories of data that could pose a significant risk of harm to individuals if compromised. This includes sensitive information such as financial details, health records, or any data that could lead to identity theft or other forms of harm. 

Notifying Regulatory Authorities In Case Of A Breach

If a data breach is deemed notifiable, the organisation must report the breach to the PDPC within three calendar days (72 hours) and notify the affected individuals. This obligation arises under the Data Breach Notification Obligation of the PDPA. The notification should include details of the containment actions taken, the results of the investigation, and the personal data involved that could cause significant harm to the data subjects, such as their bank account details or even employees' personal details.

As the next step, an organisation's crisis communications plan has to be activated as there will be a few parties an organisation will need to notify in such an event, in line with privacy laws. According to the PDPC Data Breach Notification requirement, this supervisory authority may investigate the breach, and if it concludes that the organisation contravened provisions of the PDPA deliberately or negligently, it may impose financial penalties or disciplinary actions.

Who Needs To Be Notified?

In addition to the PDPC, other parties need to be notified as part of a company's data breach response plan, according to regulatory requirements.

These parties can be broken down into two main categories:

External notification

Externally, the relevant stakeholders need to be notified:

1. Regulator (PDPC)

2. Sectoral regulator, if prescribed by sectoral legislation to do so, e.g. in the healthcare, financial or electricity retail industries

3. Affected individuals whose personal data was compromised

For the regulators, the notification is typically done by the Data Protection Officer (DPO) or a designated department. For the affected individuals, the Public Relations/Corporate Communications department will release a press release on the website.

If the data breach is discovered by a third-party vendor or a data intermediary (under Singapore's PDPA), they are required to notify the organisation of the data breach “without undue delay”.

Internal notification

Internally, there will be a need to inform employees of the incident through an internal circular, and this is usually done by HR. Where the data breach involves an information system or the infrastructure, IT may be called upon to activate or engage a team to conduct forensics of the system or to lodge a report with the Cybersecurity Agency of Singapore, and the finance department is required to activate cyber insurance. The legal counsel may likewise be notified in the case of a large-scale breach. Organisations may also opt to include their data breach management plan in the circular to assure employees that the necessary action steps are being taken.

Can You Mitigate The Risk Of Data Breaches?

Companies should conduct regular network vulnerability security scans to check for possible gaps within the organisation's infrastructure and to ensure that these issues are fixed as quickly as possible. With risk assessment coupled with active monitoring of security incidents, organisations can learn from these incidents and create efficacious preventive security measures to minimise the probability and impact of future data breaches. As data breaches can occur in the most basic day-to-day operations, especially through human error such as sending an attachment containing personal data by email, detailed guidance for all persons within an organisation is a must. There is also the need to have internal policies and practices and, where necessary, regular data protection briefings or training.

Responding To Data Breaches When They Happen

Potential risks loom every day. It is crucial for organisations to have a data breach response plan established before a breach actually occurs. Without an existing plan, the organisation may not be able to respond swiftly in the event of a data breach, causing further damage to the company's business operations and reputation. Establishing a data breach response plan will help the organisation be better prepared to tide through the crisis.

The data breach management plan should include:

1. The breach response team and the roles that they play,

2. Explanation of the nature of the breach,

3. Process of reporting to relevant stakeholders, both internal and external business partners,

4. Key steps involved in responding to the situation

Both senior management and the teams involved should practise simulated (tabletop) exercises, in order to cultivate a clear understanding of their roles and tasks during a data breach response. Through simulated exercises, gaps that would otherwise go unnoticed can be identified and actions can be taken to resolve them. A crisis communications plan should also accompany the data breach management plan.

The PDPC also has a framework under its data breach policy to describe a data breach management plan with the acronym 'CARE.' It is important to also note that having a data breach management plan is one of the assessment requirements for Singapore's Data Protection Trustmark certification.

1. Contain: When a data breach occurs, the organisation should contain the situation and prevent any further compromise of personal data. At this stage, other important steps include convening an emergency meeting with the breach response team, isolating the damage by activating the IT forensics team (internal or outsourced), releasing a holding statement to the media and the public, and gathering the facts of the breach.

2. Assess: With the facts of the breach, the organisation must assess the risks and impact on the affected individuals, organisation and the crisis communications landscape. There should also be continued efforts to prevent more harm.

3. Respond: Simultaneously, the organisation must determine whether the data breach is a 'notifiable' data breach - that is, whether it must be notified to the local regulator and to the affected individuals. In addition, messaging and communication are critical, and the affected individuals and other stakeholders, e.g. employees, clients, partners and the media, must be kept informed of the situation at regular intervals wherever necessary.

4. Evaluate: After the incident has been handled, the organisation should evaluate the incident response plan and the actions it took, and consider the changes it should make to prevent potential future breaches. At this stage, the organisation should also refine its data breach response and crisis management plan.

Globally, data breaches and security incidents are incessantly appearing in the media, and organisations are getting hit hard at the bottom line. The imperative to respond effectively to data breaches cannot be overstated. Whether a small business or a multinational corporation, every organisation is a potential target.

So, how can you make sure your organisation is not the next headline because of a data breach? The key is to be prepared before disaster strikes. Our crisis communications and data breach response course helps Data Protection Officers (DPOs) make informed decisions after learning what they can do to reduce the impact on their organisation and stakeholders in the event of future breaches. As the old saying goes, prevention is better than cure, so start building an effective data breach response plan now!


Article by: Aman Khajanchi, Steffi Tay
Edited by: Josiah Poh (CIPM, CIPP/A, CIPT, CIPP/E, FIP), Senior Manager (Consultancy & Legal), Data Protection Officer, Straits Interactive Pte Ltd. This article was originally published 17 May 2021.
