Must You Notify PDPC About a Data Breach in Your Business?
Data is often considered the "new oil" in today's day and age, with businesses needing to collect, store and use the personal data of users in order to deliver services to them. But hackers are constantly on the lookout for security vulnerabilities to exploit so that they can illegally obtain such personal data for their own nefarious purposes.
If you are a business owner in Singapore, the Personal Data Protection Act (PDPA) requires that certain actions be taken should your business suffer a data breach. This article explains what those actions are.
What is a Data Breach?
Under the PDPA, a data breach refers to one of the following situations:
- Unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data
- Loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
Instances that would be considered a “data breach” under the PDPA include:
- Unauthorised access to databases containing personal data, such as through hacking or the installation of ransomware
- Theft or loss of computer notebooks, data storage devices or paper records, especially if they are unsecured and can be easily read by the thief/finder
- Disclosing personal data to the wrong recipient, where the individual whose personal data was disclosed had not consented to such disclosure
What Should You Do If You Suspect a Data Breach?
The business should act quickly upon even a suspicion of a data breach. The relevant persons (whether executive directors, IT department, or a pre-constituted data breach management team) should be activated to take immediate containment action.
Containment actions are actions to stop the ongoing breach and to minimise potential harm from it. In deciding the appropriate actions to take, the relevant persons/team should consider the cause of the breach, whether the breach is still ongoing and the extent of the breach.
Possible containment actions include isolating the compromised system, resetting passwords and restricting access. The specific actions will depend on the type of breach, and it is best to defer to the expertise of the data breach management team, legal counsel or technical specialists.
Is the Data Breach Notifiable?
Once the (suspected) breach has been contained, the business must assess, in detail, the following:
- Whether there had been a data breach and the cause for it
- The success of the containment actions taken
- The effectiveness of the technological protection that was in place
If there had indeed been a data breach, it is notifiable under the PDPA if it falls within one of the following situations:
- The breach results in, or is likely to result in, significant harm to the affected individuals
- The breach is, or is likely to be, of a significant scale
Significant harm to affected individuals
Physical, psychological, emotional, economic and financial harm are all relevant forms of harm to consider.
Data breaches involving the following personal data of an individual, among other categories, are treated as likely to cause significant harm and are therefore notifiable:
- Full name, alias or identification number
- Account name or number with the business, or password, responses to security questions, or biometric data of such accounts
- Wage, remuneration, income or net worth
- Credit card or debit card number, or bank account number
- Monetary deposits with any organisation, withdrawals, investments, or debts
- Accident, health or life insurance policy, including the terms, the premiums and the benefits payable.
However, data breaches relating to the following personal data are not notifiable:
- Personal data that was already publicly available before the data breach occurred
- Personal data that is required or permitted to be disclosed under any written law
Data breaches that affect 500 or more individuals are also notifiable.
Who Do I Have to Notify and How Do I Notify Them?
You will have to notify both the Personal Data Protection Commission (PDPC) and the affected individuals if a notifiable data breach has occurred.
Notifying the PDPC
Upon determining that a data breach is notifiable, the business should notify the PDPC as soon as practicable, and in any case within 3 calendar days of determining that the breach is notifiable.
For urgent notifications, businesses may call the PDPC at +65 6377 3131 during work hours.
Notifying the affected individuals
The affected individuals should be notified as soon as practicable as well, at the same time or after notifying the PDPC, in any manner reasonable in the circumstances.
If, however, the data breach involves information relating to adoption matters or the identification of vulnerable individuals, the business should wait for directions from the PDPC as to how to notify such individuals.
In addition, if the data breach is not likely to result in significant harm to the affected individuals, whether due to successful containment actions or prior technological protection, then these individuals do not have to be notified.
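The two sections above (whether a breach is notifiable at all, and who must then be told) form a decision procedure, and it is the kind of rule an incident response team wants encoded in its breach playbook rather than re-read under pressure. The following is an added example written for this article, not code from the article's author or from the PDPC. It assumes that the "significant harm" test is met whenever one of the listed data categories is involved and containment or prior protection has not made harm unlikely; the category labels, the BreachRecord fields and the sample breaches are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Personal data categories the article lists as giving rise to significant harm.
# The labels are constructed for this example; they are not official PDPC terms.
SIGNIFICANT_HARM_CATEGORIES = frozenset({
    "full_name_alias_or_id_number",
    "account_credentials_or_biometrics",
    "wage_income_or_net_worth",
    "card_or_bank_account_number",
    "deposits_investments_or_debts",
    "insurance_policy_details",
})
SIGNIFICANT_SCALE_THRESHOLD = 500   # "500 or more individuals"
PDPC_NOTIFICATION_WINDOW_DAYS = 3   # "within 3 calendar days of determining"


@dataclass
class BreachRecord:
    determined_on: date                   # day the business concluded the breach is notifiable
    data_categories: FrozenSet[str]
    affected_individuals: int
    publicly_available: bool = False      # data was already public before the breach
    required_by_law: bool = False         # disclosure required or permitted under written law
    harm_mitigated: bool = False          # containment or prior protection makes significant harm unlikely
    adoption_or_vulnerable: bool = False  # adoption matters / identification of vulnerable individuals


@dataclass
class Assessment:
    notify_pdpc: bool
    notify_individuals: bool
    pdpc_deadline: Optional[date]         # last calendar day to notify the PDPC, if notifiable
    reasons: List[str]                    # audit trail of how the decision was reached


def assess(rec: BreachRecord) -> Assessment:
    """Apply the article's notifiability rules to one breach record."""
    reasons: List[str] = []

    # Exemptions: such breaches are not notifiable at all.
    if rec.publicly_available or rec.required_by_law:
        reasons.append("exempt: data already public or disclosure required/permitted by law")
        return Assessment(False, False, None, reasons)

    # Limb 1: significant harm, based on the data categories involved.
    sensitive = rec.data_categories & SIGNIFICANT_HARM_CATEGORIES
    harm_likely = bool(sensitive) and not rec.harm_mitigated
    if harm_likely:
        reasons.append(f"significant harm likely: {sorted(sensitive)}")
    elif sensitive:
        reasons.append("sensitive data involved, but harm made unlikely by containment/protection")

    # Limb 2: significant scale, based on the number of individuals affected.
    significant_scale = rec.affected_individuals >= SIGNIFICANT_SCALE_THRESHOLD
    if significant_scale:
        reasons.append(f"significant scale: {rec.affected_individuals} individuals affected")

    notify_pdpc = harm_likely or significant_scale
    if not notify_pdpc:
        reasons.append("not notifiable: no significant harm and below the scale threshold")
        return Assessment(False, False, None, reasons)

    deadline = rec.determined_on + timedelta(days=PDPC_NOTIFICATION_WINDOW_DAYS)

    # Individuals are told only where significant harm remains likely.
    notify_individuals = harm_likely
    if notify_individuals and rec.adoption_or_vulnerable:
        reasons.append("hold individual notification: await PDPC directions "
                       "(adoption matters / vulnerable individuals)")
    return Assessment(notify_pdpc, notify_individuals, deadline, reasons)


def run_examples() -> dict:
    """Constructed sample breaches (not real incidents) exercising each branch."""
    d = date(2024, 3, 1)
    cases = {
        "card_numbers_leaked": BreachRecord(d, frozenset({"card_or_bank_account_number"}), 40),
        "encrypted_laptop_lost": BreachRecord(d, frozenset({"full_name_alias_or_id_number"}), 1200,
                                              harm_mitigated=True),
        "public_directory_copied": BreachRecord(d, frozenset({"full_name_alias_or_id_number"}), 5000,
                                                publicly_available=True),
        "newsletter_prefs_misdirected": BreachRecord(d, frozenset({"newsletter_preferences"}), 20),
        "adoption_records_accessed": BreachRecord(d, frozenset({"full_name_alias_or_id_number"}), 12,
                                                  adoption_or_vulnerable=True),
    }
    return {name: assess(rec) for name, rec in cases.items()}


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: PDPC={result.notify_pdpc} individuals={result.notify_individuals} "
              f"deadline={result.pdpc_deadline}")
        for line in result.reasons:
            print("   -", line)
```

The `encrypted_laptop_lost` case is the one worth studying: because 1,200 individuals are affected, the PDPC must still be notified within the 3-day window even though the prior protection means the individuals themselves need not be. The `reasons` list is kept deliberately, since a late or omitted notification must be justified to the PDPC and a recorded rationale is what lets the business do that.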
Content of the notification
| | Notifying the PDPC | Notifying the affected individuals |
|---|---|---|
| Facts of the data breach | | |
| Data breach handling | | |
| Contact person | | (Need not be the business' data protection officer, or the same representative as the one provided to the PDPC.) |
What Happens If I Do Not Notify or Make a Late Notification of a Data Breach?
If you or your business fails to notify the PDPC or the affected individuals of a notifiable data breach as required, the PDPC may make orders requiring your business to destroy any collected personal data and/or to stop collecting personal data.
The PDPC may also impose financial penalties of up to $200,000 on non-compliant individuals and up to $1 million on non-compliant organisations.
If you or your business makes the notification late, you may face the same sanctions stated above. You should therefore explain the reasons for any delay in the notification to the PDPC itself. The penalties meted out, if any, may be reduced if there are well-supported reasons for the delayed notification.
The PDPC may also investigate a possible data breach by your business, even if you do not notify the PDPC. This may be conducted on the PDPC’s own motion, or as a result of a complaint lodged against your business.
Potential Penalties for the Data Breach Itself
Failure to protect personal data
The PDPA provides for rules on the access and care of personal data. If the data breach had been a result of security arrangements falling below a reasonable standard, then the poor security can by itself be a breach of the PDPA.
What is considered a reasonable standard depends on the specific circumstances and business operations. A clearly unreasonable standard of protection would be, for example, leaving a database containing personal data accessible without a password.
In these situations, even if you had complied with all the notification requirements, you or your business may nevertheless be subject to the same orders and sanctions, as stated above, by the PDPC.
Potential civil liability
You may also face lawsuits by affected parties that have suffered loss or damage due to data breaches that have occurred in contravention of the PDPA.
Whether you or your business has contravened the PDPA depends on findings made by the PDPC. Contraventions include not notifying a notifiable breach, delayed notification of a notifiable breach, and unreasonably low standards of security arrangements for the protection of personal data.
Singapore takes a strict stance towards the collection, use, disclosure and protection of personal data. Because of this, the PDPC may impose serious consequences for data breaches.
These consequences lie anywhere from fines to a ban on the collection of personal data, which can be detrimental to the conduct of business affairs. Thus, businesses are encouraged to take all the necessary steps to prevent data breaches from occurring, rather than scrambling later to solve one that could have been completely avoided.
Businesses can consider keeping up with the latest technological advancements in the cybersecurity field, refining their personal data collection and storage processes, and hiring specialists to check on current protection mechanisms.
If you require advice on your obligations under the PDPA, whether as a preventative measure or dealing with the aftermath of a data breach, it is recommended that you seek legal advice from a data protection lawyer.
A data protection lawyer will be able to advise you on how the general rules under the PDPA relate specifically to your business, your customers and the personal data that you store. He/she will also be able to advise you, step-by-step, on the procedures under the PDPA to ensure proper compliance. Finally, if your business has unfortunately suffered a data breach, he/she can also assist you with the notification, and its preparation.