Singapore’s hallmark privacy legislation, the Personal Data Protection Act (PDPA), has been around since 2012. The country established the Personal Data Protection Commission (PDPC) one year later to administer and enforce the law. Singapore has made several notable changes in the years that followed, most recently a set of updates that strengthen the PDPA and put Singapore’s privacy legislation on par with laws like the EU’s GDPR and Brazil’s LGPD.
Specifically, amendments to Singapore’s PDPA passed in November 2020 and began to take effect in February 2021. These amendments introduced new categories for consent for businesses to collect consumer data, introduced mandatory data breach notifications to the PDPC in cases where a breach causes harm to consumers, established new criminal offenses and a private right to action for violations of the PDPA, and increased the authority of the PDPC.
These recent amendments make it essential for organizations worldwide to understand what’s required under Singapore’s PDPA and the potential consequences for violating the law.
Who Must Comply with the PDPA?
Like most privacy laws worldwide, the PDPA is extra-territorial in scope. This means that any organization that collects and maintains data on Singapore residents must comply with the law, regardless of where the business is actually located.
The PDPA does grant exceptions for:
- Individuals acting on a personal or domestic basis
- Individuals acting in their capacity as an employee (the organization takes on the liability)
- Any public agency (defined as a government body such as a ministry, department, agency, or organ of state, or a tribunal appointed under written law) in relation to the collection, use, or disclosure of personal data
The PDPA covers personal data stored in both electronic and non-electronic formats. The law defines personal data as any data (whether or not it’s accurate) that can be used to identify an individual. The PDPA also calls out specific types of data that, if subject to a breach, are likely to result in significant harm to individuals:
- An individual’s full name, alias, or identification number in combination with any of the following information:
  - Financial information that is not publicly disclosed
  - Personal data that would lead to the identification of vulnerable individuals
  - Life, accident, and health insurance information that is not publicly disclosed
  - Specified medical information, including the assessment and diagnosis of HIV infections
  - Information related to adoption matters
  - A private key used to authenticate any individual or to digitally sign an electronic record or transaction
  - Information relating to an individual’s account with the organization, including:
    - An account identifier, such as account name or number
    - Any password, security code, access code, response to a security question, biometric data, or other data that allows access to or use of the account
On the other hand, the PDPA does not apply to personal data that is over 100 years old, personal data about an individual who has been deceased for more than 10 years, or business contact information (e.g. position or title, business telephone number, business email).
How is the PDPA Enforced?
The PDPC is responsible for enforcing the PDPA. The 2020 amendment to the law increases the authority of the PDPC and introduces new enforcement mechanisms.
Under the latest version of the law, violating organizations can be fined up to 10% of annual gross turnover or S$1 million, whichever is higher. This represents an increase in potential fines from the previous version of the law and will take effect no earlier than February 1, 2022.
Another update to enforcement, which allows for criminal prosecution in certain cases, has been in effect since February 1, 2021. This update allows for criminal prosecution, with a potential fine of up to S$5,000 or imprisonment of up to two years, for egregious mishandling of personal data, including:
- The knowing or reckless unauthorized disclosure of personal data
- The knowing or reckless unauthorized use of personal data for a gain or to cause a harm or loss to another person
- The knowing or reckless unauthorized re-identification of anonymized information
Finally, the PDPA grants individuals a private right to action by filing a civil lawsuit if they are harmed by a violation of the law. In these cases, courts can grant any form of relief they see fit, including an injunction or declaration as well as damages.
What Incident Response Measures Does the PDPA Require?
Organizations must investigate any data breach to determine the scope of the incident and potential harm to consumers. Importantly, the PDPA urges organizations to do so “expeditiously, as the likelihood of significant harm to affected individuals may increase with time.”
Any data breach that is likely to result in harm to individuals based on the personal data noted above or that compromises the personal information of more than 500 Singapore residents requires incident response in the form of a data breach notification under the latest amendment to the PDPA. When issuing a data breach notification, organizations must adhere to strict timing and content requirements set forth in the law.
Who to Notify
Organizations that experience a data breach relating to the designated personal data must issue a notification to both the PDPC and all affected Singapore residents. Organizations that experience a data breach not relating to the designated personal data but that affects more than 500 individuals must only notify the PDPC.
When to Issue the Notification
Organizations should complete their investigation about the data breach as quickly as possible, with guidelines suggesting this should take no more than 30 calendar days. Once organizations determine a data breach meets the requirements for notification, they should notify the PDPC in no more than three calendar days and notify affected individuals at the same time or immediately after notifying the commission.
In some cases, if organizations take remedial action to correct the issue, the PDPC may determine the risk of harm has been reduced and organizations no longer need to notify affected individuals.
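The notification triage described in the two sections above, encoded as an added Python example (not from the article or from BreachRx): it decides who must be notified and computes the 30-day investigation target and the 3-day PDPC deadline. The data-class labels, the Incident fields, and the rule that account data counts only when an identifier and a secret are both present are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Constructed labels for the data classes the article lists (names assumed).
IDENTIFIERS = {"full_name", "alias", "id_number"}
SENSITIVE = {"financial", "vulnerable_individual", "insurance",
             "medical", "adoption", "private_key"}
ACCOUNT_ID = {"account_identifier"}
ACCOUNT_SECRET = {"password", "security_code", "access_code",
                  "security_answer", "biometric"}

def is_designated_data(classes: Iterable[str]) -> bool:
    """True when a name/alias/ID number is paired with a harm-prone class.
    Account data counts when an identifier and a secret are both present
    (an interpretation assumed for this example)."""
    c = set(classes)
    if not c & IDENTIFIERS:
        return False
    account = bool(c & ACCOUNT_ID) and bool(c & ACCOUNT_SECRET)
    return bool(c & SENSITIVE) or account

@dataclass
class Incident:
    aware_on: date                  # day the organization became aware
    assessed_on: date               # day it concluded the breach is notifiable
    data_classes: set
    affected_residents: int         # Singapore residents affected
    harm_reduced_by_remediation: bool = False  # PDPC accepted reduced risk

@dataclass
class Obligations:
    notify_pdpc: bool
    notify_individuals: bool
    investigation_target: date      # 30-calendar-day guideline from awareness
    pdpc_deadline: Optional[date]   # 3 calendar days after assessment
    reasons: List[str]

def assess(inc: Incident) -> Obligations:
    designated = is_designated_data(inc.data_classes)
    many = inc.affected_residents > 500   # "more than 500", so 500 is not enough
    reasons = []
    if designated:
        reasons.append("designated personal data involved")
    if many:
        reasons.append("more than 500 residents affected")
    notify_pdpc = designated or many
    # Individuals are notified only for designated data, and the PDPC may
    # waive that when remedial action has reduced the risk of harm.
    notify_individuals = designated and not inc.harm_reduced_by_remediation
    return Obligations(
        notify_pdpc=notify_pdpc,
        notify_individuals=notify_individuals,
        investigation_target=inc.aware_on + timedelta(days=30),
        pdpc_deadline=inc.assessed_on + timedelta(days=3) if notify_pdpc else None,
        reasons=reasons,
    )

def pdpc_notice_is_late(inc: Incident, sent_on: date) -> bool:
    """A late PDPC notice must carry reasons and supporting evidence."""
    return sent_on > inc.assessed_on + timedelta(days=3)
```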
How to Issue the Notification
Organizations can issue the notification to the PDPC through the commission’s website at www.pdpc.gov.sg. The notification should include all of the following information:
- The date when the organization first became aware of the breach and the circumstances that made them aware of the situation
- A chronological account of the steps taken once the organization became aware of the breach, including their assessment of whether or not the breach required a notification
- Details on how the breach occurred
- The number of individuals affected
- The personal data or classes of personal data affected
- The potential harm to the affected individuals as a result of the breach
- Information on any remedial actions the organization has already taken or will take in the future to (1) eliminate or mitigate any potential harm to affected individuals and (2) address any shortcomings believed to have caused or facilitated the breach
- Information on the organization’s plans (if any) to notify affected individuals or the public about the breach and how anyone affected can eliminate or mitigate potential harm
- Business contact information for at least one authorized representative of the organization
- If the notification is later than 3 calendar days after the investigation: Reasons for the late notification and any supporting evidence
- If the organization does not intend to notify affected individuals: Specifics on the grounds for not issuing a notification to these individuals
Organizations can issue the notification to affected individuals using their regular mode of communication, as long as that is appropriate and effective in reaching people in a timely manner. Additionally, they do not need to send a copy of this notification to the PDPC. This notification should include the following information:
- The circumstances that made the organization aware a breach occurred
- The personal data or classes of personal data affected
- The potential harm to the affected individuals as a result of the breach
- Information on any remedial actions the organization has already taken or will take in the future to (1) eliminate or mitigate any potential harm to affected individuals and (2) address any shortcomings believed to have caused or facilitated the breach
- Steps affected individuals can take to eliminate or mitigate any potential harm, including preventing the misuse of their personal data involved in the breach
- Business contact information for at least one authorized representative of the organization
What Types of Incidents Can Trigger a Notification Under the PDPA?
Although not all privacy incidents require a data breach notification under the PDPA (for example, those involving internal organizational data on employees), a variety of incidents still qualify. This is especially the case since the 2020 amendment to the law strengthened requirements around how organizations can collect, use, and store personal data.
Some of the most common examples of privacy incidents that can trigger a notification under the PDPA include:
Exfiltration
Exfiltration is a set of techniques for stealing data. Most cyber attacks include some sort of data exfiltration in which a third party gains unauthorized access to data and transfers it to their own devices or servers. Depending on the information involved, this type of data theft can pose serious harm to individuals and therefore trigger a notification under the PDPA.
Ransomware
A ransomware attack is when a third party holds data hostage, usually in exchange for money. The attacker typically gains access through a weak security point and then installs malware on a device or server that can steal the data and hold it hostage until the ransom demands are met. Even if the data gets returned and no signs of exfiltration exist, a ransomware attack still qualifies as a privacy incident that requires notification under the PDPA.
Mistakenly or Wrongly Exposed Data
Exposing personal data to the wrong person or leaving it unsecured can lead to a data breach notification under the PDPA. An accidental exposure, for instance by mistakenly sending the wrong person a set of data, sharing data through an unsecured channel, or leaving data unencrypted, can trigger a notification if the resulting investigation shows the incident could lead to harm for the affected individuals. This situation could also result in fines from the PDPC. A case of an employee knowingly exposing data could also trigger a notification and lead to criminal charges per the latest updates to the PDPA.
How Can Organizations Prepare for the PDPA?
Even the most secure organizations will experience a privacy incident at some point or another, so organizations must be prepared to jump into response mode. The possibility of avoiding a notification to affected individuals under the PDPA when remedial actions properly correct an issue makes this preparation all the more important for any organization that’s subject to Singapore’s law.
Specifically, this preparation requires visibility, responsibility, and planning:
- Visibility: Keep close track of how data gets collected and used to maintain compliance with the PDPA’s data collection requirements and more easily determine if an incident occurs. Under the PDPA, organizations must also be able to produce data about protection policies and practices upon request, which makes this visibility critical.
- Responsibility: Assign responsibility to a team or person who can own security protocols and incident response for the company. The PDPA requires every organization to do this through the appointment of a data protection officer.
- Planning: Lead proactive planning for clear incident response measures that can be used whenever needed. This should also include training for employees on the organization’s policies and practices, which is required under the PDPA.
Along the way, automation will empower organizations to plan for three essential phases of incident response:
1) Readiness
The readiness phase is all about having a response plan developed so that when an incident does occur, the organization can jump into action immediately. Having a plan ready allows for a quick and confident response, which is essential if organizations want to meet Singapore’s strict timelines of 30 days for investigation and three days for notification, not to mention taking any remedial actions during that time. Being able to meet these deadlines effectively can help reduce the costs associated with the breach.
Meeting this goal requires organizations to review requirements based on relevant laws, including but not limited to the PDPA, and any customer or partner contracts. Organizations can then develop incident response plans that match all of their obligations based on these requirements.
2) Response
The response phase kicks in when an incident actually does occur, and the measure of success here is whether or not organizations can meet all of the necessary requirements in the allotted time frame. A swift and complete response not only allows organizations to maintain compliance, but it can also leave time to move into remediation mode to fix the issue and stem the fallout from the issue (both in terms of potential fines and consumer trust).
Effectively responding to an incident starts by determining what happened through an investigation that looks at what data was accessed, who was affected, when it happened, and what is the potential harm to individuals. Next, organizations should decide if a notification needs to be issued based on the outcome of the investigation and the PDPA requirements (and then issue that notification as needed). Finally, this is also the time to jump into remediation mode to fix the issue and avoid it happening on a recurring basis.
3) Ongoing Management
The ongoing management phase is a long-term effort that requires organizations to regularly revisit their incident response plans. This ongoing effort is important because plans will inevitably need to evolve over time as regulations, contracts, and even security threats change. For example, the PDPA has already evolved a few times since it first went into effect in 2013.
The best way to manage this ongoing effort is to establish a centralized dashboard that can house all reporting, monitoring, and incident response plans. Giving stakeholders access to this dashboard provides visibility into that information and promotes alignment on everything from security measures to responsibilities in the case of an incident.
What Happens When Organizations Fail to Comply? 3 High Profile PDPA Cases
Several high profile cases around the PDPA have surfaced over the past few years, one of which was the first lawsuit that tested the regulation’s private right to action. Here’s a look at some of the most notable cases:
1) HMI Institute of Health Sciences
HMI Institute of Health Sciences, a leading private healthcare education provider based in Singapore, experienced a privacy incident in December 2019. The organization was subject to a ransomware attack on a server that stored personal data. It had left one port on the server open for its team’s convenience, and that port was ultimately the entry point for the attack.
The attack compromised data including name, NRIC number, address, race, gender, course details, past employment history, citizenship, vehicle license plate number, and financial information (salaries and bank account numbers), affecting a total of 110,080 program participants and 253 employees. The organization retrieved the files upon discovering the ransom note, and an investigation yielded no signs of data exfiltration.
The organization responded by decommissioning the server, notifying the PDPC, and issuing a media advisory. They also adopted several remediation efforts, like introducing internet separation measures for all devices containing personal data.
The PDPC fined the organization S$35,000 for the incident, citing several PDPA violations, while taking into account mitigating factors around the organization’s response.
2) Webcada
Webcada, a web design company based in Singapore, experienced a privacy incident in August 2020. The organization fell victim to a ransomware attack that affected three of the company’s database servers.
The attack affected 522,722 individuals, compromising personal data including names, phone numbers, birthdates, addresses, and order histories. Upon identifying the incident, the organization hired an independent consultant to investigate. This investigation showed no evidence of data exfiltration and the company was able to restore all of the affected data via backups.
In response, the organization permanently disabled the entry point for the attack, adjusted server access, introduced end-point protection software, and implemented a written data security policy.
The PDPC fined the organization S$25,000 for a failure to introduce reasonable measures to protect personal data on its database servers and for a failure to have written policies and practices necessary to ensure its compliance with the PDPA.
3) Reed vs. Bellingham
Reed vs. Bellingham was the first private lawsuit brought under the PDPA and was decided in 2021. However, it’s important to note that the court made its decision based on how the law stood in 2018, when the events of the lawsuit took place.
Michael Reed brought the lawsuit after Alex Bellingham targeted him (Reed) with marketing based on Reed’s personal data. Bellingham obtained the personal data on Reed (including his name and previous investment information) from Bellingham’s former employer. After learning the source of the data, Reed sought to prevent Bellingham from using or disclosing his personal data under the PDPA.
Ultimately, the court found that Bellingham was in violation of the PDPA for not obtaining consent from Reed to use his personal data for marketing purposes. However, the court declined to award Reed any kind of relief for emotional distress or loss of control over his data, since they found there was no instance of “loss or damages” — the threshold required by the law as it stood in 2018.
Making Proactive Incident Response a Priority
Singapore is no newcomer in the world of privacy legislation, but the latest updates to the PDPA significantly strengthen the law’s requirements for how businesses can collect, use, and store personal data and how they need to prepare for and respond to a privacy incident. They also increase the power of the PDPC to enforce the law. And as we’ve seen from recent violations, the PDPC takes this enforcement very seriously. Of course, Singapore is just one of many countries instituting measures like this at a time when privacy incidents are more a matter of “when” than “if.”
This situation makes proactive incident response essential for any organization in order to stay ahead of privacy incidents and the resulting fallout, whether that’s fines, reputational hits, or anything else. Overall, proactively preparing for incident response measures can help organizations stay compliant with laws like the PDPA and recover faster from any incidents.
Proactively preparing for incident response in this way requires organizations to keep updated on regulations worldwide, assign responsibility for security and privacy policies, develop response plans before they’re ever needed, and regularly revisit those plans to make adjustments as both internal and external factors evolve over time.