Call to mandate reporting of data breaches

All should follow countries that already have this law, says speaker at Data Privacy Asia

Countries that legally require companies and organisations to report data breaches to the authorities are doing the right thing and the rest of the world should do the same, reporters were told yesterday.

Singapore has yet to follow the lead of mature jurisdictions such as the United States and Canada that make it compulsory to notify customers and privacy commissions when personal information is compromised.

Mr Mikko Hypponen, chief research officer at Finnish security software maker F-Secure, said it was just pragmatism.

"If your credit-card number had been stolen, you would want to know... to look out for (unauthorised) transactions. Similarly, if your password had been stolen, you would want to change it .

"The United States and Canada are doing the right thing and should be followed by the rest of the world," Mr Hypponen noted.


The Act is still in the early phase of implementation and organisations require more guidance in achieving compliance.

MR LEONG KENG THAI, chairman of Personal Data Protection Commission

He was speaking at the opening of the inaugural Data Privacy Asia conference in Singapore.

More than 100 data privacy and cyber-security experts attended the first day of the three-day conference at the Grand Hyatt Hotel.

Privacy advocate and engineer Ngiam Shih Tung, 44, supported the notion, saying that the Singapore authorities should define the parameters for organisations to report a breach so consumers affected can take precautions.

Singapore's Personal Data Protection Act came fully into force only in July last year and does not require companies to report their data breaches.

Mr Wong Yu Han, director of strategy at Singapore's high-level Cyber Security Agency, said measures to counter data leaks are complex. "We are looking at... revising our laws," he told reporters at the event.

In his opening address, Mr Leong Keng Thai, chairman of Singapore privacy watchdog Personal Data Protection Commission, said: "The Act is still in the early phase of implementation and organisations require more guidance in achieving compliance."

But lawyer Gilbert Leong, a partner at Rodyk & Davidson, told The Straits Times: "It is only a natural, logical progression to mandate data breach reporting here."

The requirement may not be immediate as it would be "too much" for local organisations to get used to so soon.

Also in his keynote address, Mr Hypponen called for greater transparency among governments in law enforcement actions.

He added: "Governments should let citizens know how successful the (snooping) tools (they use on citizens) are in cracking crimes."

A version of this article appeared in the print edition of The Straits Times on August 26, 2015, with the headline 'Call to mandate reporting of data breaches'. Print Edition | Subscribe