Lower fines for firms that admit role in data breach

Watchdog offers undertaking option in common breaches, updates guide for lapses

Organisations that admit their role in a data breach and plead guilty to it may get a lower financial penalty from the privacy watchdog if the cause is a common breach.

Common breaches include URL manipulation, poor password management or printing errors resulting in incorrect recipients.

The Personal Data Protection Commission (PDPC) said in a statement yesterday that it is aware that even well-prepared organisations may not eliminate all risk of data breaches.

They can now avoid a full investigation by requesting an undertaking option from the PDPC in the event of a data breach.

This may be granted if the organisations can prove they had in place "proper accountability practices, monitoring and remediation plans" in the case of a data breach.

The organisations must also deliver an undertaking to execute a fully developed and prepared contingency plan to resolve a data breach when it occurs.

Before granting this option, the PDPC also has to assess that such an undertaking would achieve similar or better enforcement outcomes compared with a full investigation.

These steps are being taken to "bring investigations on clear-cut data breaches to a conclusion quickly", the commission said.

Under the Personal Data Protection Act, organisations can be given a financial penalty of $1 million for their role in breaches.

The law makes it clear that organisations have an obligation to make reasonable security arrangements to protect the personal data that they possess or control, and to prevent unauthorised access, collection, use, disclosure or similar risks.

The commission yesterday also announced the launch of its updated guide which contains, among other things, recommendations on how organisations should handle breaches.

The guide also includes examples and clarifications to address common queries from organisations, such as policy considerations by the PDPC when deciding to initiate or discontinue an investigation, as well as financial penalty assessment factors.

There are also recommendations for organisations on when to notify the PDPC and individuals of a breach, as well as the timeliness of this notification.

For example, organisations conducting internal investigations and assessments of a potential data breach should take no more than 30 days from when they are made aware of a potential breach.

And if more than 500 individuals are affected, or if significant harm or impact to the individuals is likely to occur due to a breach, organisations are recommended to notify the PDPC no later than 72 hours from the time they have completed their assessment.

The commission said it had engaged stakeholders in updating the guide, which it will monitor and adjust as necessary.

The recommendations are in line with plans to make breach notification mandatory, which the PDPC will introduce in the upcoming review of the Personal Data Protection Act.

The commission has urged companies to adopt the recommendations "as this will allow them to respond to data breaches confidently and prepare for the PDPC's planned introduction of a mandatory breach notification in its upcoming Act Amendment".

A version of this article appeared in the print edition of The Straits Times on May 23, 2019, with the headline "Lower fines for firms that admit role in data breach".