[BreachExchange] Organisations may receive lower fines if they admit role in data breaches: Privacy watchdog

Destry Winant destry at riskbasedsecurity.com
Wed May 22 10:04:42 EDT 2019


https://www.straitstimes.com/singapore/organisations-may-receive-lower-fines-if-they-admit-role-in-data-breaches-privacy-watchdog

Organisations that expedite the privacy watchdog’s processes by
admitting their role in a data breach and pleading guilty to it may
receive a lower financial penalty if the cause is a common breach.

Common breaches include URL manipulation, poor password management, or
printing errors resulting in incorrect recipients, the Personal Data
Protection Commission (PDPC) said in a statement on Wednesday (May
22).

The commission added that it is aware that even organisations that are
well prepared may not eliminate all risk of data breaches. In the case
of a data breach, they can now avoid a full investigation by requesting
an undertaking option from the PDPC.

This may be granted if the organisations can prove they had in place
“proper accountability practices, monitoring and remediation plans” in
the case of a data breach, and if they deliver an undertaking to
execute a fully developed and prepared contingency plan to resolve a
data breach when it occurs.

The PDPC also has to assess that such an undertaking would achieve
similar or better enforcement outcomes than a full investigation
before granting this option.

These steps are being taken to "bring investigations on clear-cut data
breaches to a conclusion quickly", the commission said.

Under the Personal Data Protection Act, organisations can be given a
financial penalty of $1 million for their role in breaches.

The law makes it clear that organisations have an obligation to make
reasonable security arrangements to protect the personal data that
they possess or control, and to prevent unauthorised access,
collection, use, disclosure or similar risks.

The commission on Wednesday also announced the launch of its updated
guide which contains, among other things, recommendations of how
organisations should handle breaches.

It also includes examples and clarifications to address common queries
from organisations, such as policy considerations by the PDPC when
deciding to initiate or discontinue an investigation, as well as
financial penalty assessment factors.

There are also recommendations for organisations on when to notify the
PDPC and individuals of a breach, as well as the timeliness of this
notification.

For example, organisations conducting internal investigations and
assessments of a potential data breach should take no more than 30
days from when they are aware of a potential breach.

And if more than 500 individuals are affected or if significant harm
or impact to the individuals is likely to occur due to a breach,
organisations are recommended to notify the PDPC no later than 72
hours from the time they have completed their assessment.

The Straits Times reported last week that the PDPC was investigating a
breach of the Singapore Red Cross website which compromised the
personal data of more than 4,200 people, including their full names,
contact numbers and e-mail addresses.

The PDPC was notified on the day the breach was discovered, but ST
understands that the people affected were informed only eight days
later, via e-mail and SMS.

Asked why they were not alerted earlier, a spokesman for the Singapore
Red Cross said it had first initiated an internal investigation to
"ascertain the extent to which our stakeholders could be affected".

The commission said it had engaged stakeholders in updating the guide,
which it will monitor and adjust as necessary.

The recommendations are in line with upcoming plans to implement
mandatory breach notification, which the PDPC will introduce in the
upcoming review of the Personal Data Protection Act.

The commission urged companies to adopt the recommendations "as this
will allow them to respond to data breaches confidently and prepare
for the PDPC's planned introduction of a mandatory breach notification
in its upcoming Act Amendment".
