SINGAPORE - Organisations that expedite the privacy watchdog’s processes by admitting their role in a data breach and pleading guilty to it may receive a lower financial penalty if the cause is a common breach.
Common breaches include URL manipulation, poor password management, or printing errors resulting in incorrect recipients, the Personal Data Protection Commission (PDPC) said in a statement on Wednesday (May 22).
The commission added that it is aware that even well-prepared organisations may not eliminate all risk of data breaches. In the case of a data breach, they can now avoid a full investigation by requesting an undertaking option from the PDPC.
This may be granted if the organisations can prove they had in place “proper accountability practices, monitoring and remediation plans” in the case of a data breach, and if they deliver an undertaking to execute a fully developed and prepared contingency plan to resolve a data breach when it occurs.
Before granting this option, the PDPC also has to assess that such an undertaking would achieve similar or better enforcement outcomes than a full investigation.
These steps are being taken to "bring investigations on clear-cut data breaches to a conclusion quickly", the commission said.
Under the Personal Data Protection Act, organisations can be given a financial penalty of $1 million for their role in breaches.
The law makes it clear that organisations have an obligation to make reasonable security arrangements to protect the personal data that they possess or control, and to prevent unauthorised access, collection, use, disclosure or similar risks.
The commission on Wednesday also announced the launch of its updated guide, which contains, among other things, recommendations on how organisations should handle breaches.
It also includes examples and clarifications to address common queries from organisations, such as policy considerations by the PDPC when deciding to initiate or discontinue an investigation, as well as financial penalty assessment factors.
There are also recommendations for organisations on when to notify the PDPC and individuals of a breach, as well as the timeliness of this notification.
For example, organisations conducting internal investigations and assessments of a potential data breach should take no more than 30 days from when they are aware of a potential breach.
And if more than 500 individuals are affected or if significant harm or impact to the individuals is likely to occur due to a breach, organisations are recommended to notify the PDPC no later than 72 hours from the time they have completed their assessment.
The Straits Times reported last week that the PDPC was investigating a breach of the Singapore Red Cross website which compromised the personal data of more than 4,200 people, including their full names, contact numbers and e-mail addresses.
The PDPC was notified on the day the breach was discovered, but ST understands that the people affected were informed only eight days later, via e-mail and SMS.
Asked why they were not alerted earlier, a spokesman for the Singapore Red Cross said it had first initiated an internal investigation to "ascertain the extent to which our stakeholders could be affected".
The commission said it had engaged stakeholders in updating the guide, which it will monitor and adjust as necessary.
The recommendations are in line with the PDPC's plans to make breach notification mandatory, which it will introduce in the upcoming review of the Personal Data Protection Act.
The commission urged companies to adopt the recommendations "as this will allow them to respond to data breaches confidently and prepare for the PDPC's planned introduction of a mandatory breach notification in its upcoming Act Amendment".