DATA BREACH MANAGEMENT
Responding To A Data Breach - The Dos and Don'ts & A Checklist
In today’s highly digitalised society, there is no guarantee that an organisation will not encounter some form of data breach, notwithstanding how secure its cybersecurity programme may be. With the alarming increase in data breaches, it is prudent for organisations to adopt a “not if but when” approach and be prepared to act swiftly when faced with a data breach.

Introduction
A data breach refers to the unauthorised access, collection, disclosure, copying, use or disposal of personal data. A data breach can occur in all or any of the following circumstances:
- Loss, theft or improper disposal of documents or devices containing personal information
- An employee disclosing personal data to third parties intentionally or accidentally
- Unauthorised disclosure of personal data by an employee
- Hacking/illegal access to the organisation’s database containing personal data and/or login credentials through, for instance, malware, ransomware, malicious code injection, scams and phishing
- Errors, bugs or misconfigurations in the programming code of the organisation’s website, database or information systems which have been exploited to gain access to the stored personal data
It is essential for organisations to move swiftly to deal with the data breach by focusing their resources on the following steps.
Step 1: Contain the data breach
Any reasonable suspicion of a data breach must be reported immediately to the relevant supervisors/managers. The supervisors/managers should then work with the employee to collate further information about the breach and report it to the Data Protection Officer (DPO).
Management/the DPO should immediately mobilise the breach response team, consisting of internal IT personnel and (if the breach is of a serious nature) external forensic experts, to contain the breach and prevent further data loss. The response team should document the investigation and remediation process.
If criminal activity such as hacking or theft is suspected, the organisation should report and work together with the police.
Possible remedial actions that could be taken to contain the breach include:[1]
- Isolating the compromised system by disconnecting it from the network
- Re-routing network traffic and closing particular ports or mail servers
- Preventing further unauthorised access to the system by resetting passwords of compromised accounts
- Isolating the cause of the data breach by changing access rights to the compromised system
- Establishing whether steps can be taken to recover lost data and limit any damage caused by the breach (e.g. remotely disabling a lost computer containing personal data of individuals)
- If the stolen data has been posted online, have it taken down quickly and check that it has not been archived or reposted on other websites.
Step 2: Assess the breach
Upon the containment of the breach, the organisation should conduct an assessment of the breach to determine if the breach is notifiable.
The breach is notifiable if it is likely to result in significant harm or if the data breach involves the personal data of 500 or more individuals.
A data breach is deemed by law to result in significant harm where the individual’s full name or full national identification number is disclosed in combination with personal data such as:[2]
- The income payable to the individual
- The credit card issued to the individual
- The account number the individual has with any bank or financial institution
- The net worth of the individual
- Any deposit or withdrawal of moneys by the individual with any organisation
- The granting by an organisation of advances, loans or other facilities by which the individual, being a customer of the organisation, has access to funds
- The payment of any moneys or transfer of any property by any person to the individual
- The creditworthiness of the individual
A data breach is also deemed to result in significant harm if it involves the disclosure of an individual’s account identifier with the organisation, such as an account name or number, along with any password, security code, response to a security question, biometric data or any other data that can be used to access the individual’s account.[3]
Step 3: Report the incident
Upon determining that the data breach is notifiable, the organisation must notify the Personal Data Protection Commission (“PDPC”) within three days.[4] Details of the breach can be sent to the PDPC via email or through an online form.
Other than the PDPC, the organisation should also notify affected individuals to enable them to take appropriate measures to protect themselves and reduce the chances of their information being misused.
The organisation should adopt the most effective way (e.g. media release, social media posts, emails, telephone calls or letters) to reach the affected individuals, taking into account the urgency of the situation and the scale of the breach.
While the organisation should neither make misleading statements about the breach nor withhold important information that might help affected individuals better protect themselves, such statements should be crafted with the utmost care. If necessary, legal assistance should be sought.
“Following the [data breach], the Organisation took prompt and extensive remedial [action] both to mitigate the effects of the [data breach] and enhance the robustness of its security measures. This included increased frequency of staff phishing simulation trainings and security reviews as well as additional monitoring measures. There was no evidence of exfiltration of the personal data or decryption of the personal data. The Organisation was also able to fully restore the personal data from its backups.”
–Giordano Originals (S) Pte Ltd (Case No. DP-2011-B7387)
Step 4: Evaluate the response to the data breach
After the resolution of the data breach, the organisation should review its data breach response in order to improve its personal data handling practices.
For instance, if third-party service providers handle personal data on behalf of the organisation, the organisation should ensure that such service providers implement proper measures to protect the personal data.[5]
If the network was segmented yet the breach occurred on multiple servers, the organisation can engage external IT vendors to analyse whether there were gaps in the network segmentation plan which allowed the breach to spread.[6]
If encryption of data was enabled, the organisation can use the preserved data and review logs to conduct an in-depth analysis of the data breach. External IT vendors can also be engaged to assist in the preparation of forensic reports.[7]
The table below contains what we consider to be a useful summary of the things to consider in the event of a data breach and/or the steps that can be taken to mitigate the effect of a data breach.
| Dos | Don’ts |
| --- | --- |
| Mobilise your cyber-security team immediately and engage legal and external IT help (if necessary) once a data breach is discovered. | Avoid delays in handling the breach, as this may lead to more data loss and additional breaches. |
| Isolate the breach by taking immediate remedial actions such as re-routing network traffic, taking affected machines off the network, and resetting passwords and accounts to prevent further unauthorised access. | Do not power off any machines until the forensic team has arrived, so as to avoid destroying valuable forensic data (e.g. evidence held in memory). |
| Report to the police if criminal activity such as hacking is suspected. | Do not reset or re-install affected systems before the forensic team has arrived, so that forensic evidence is not deleted or contaminated. |
| Document the breach, investigation and remediation process. | Avoid delays in communicating the breach to the relevant stakeholders. |
| If the breach is notifiable, notify the PDPC and the affected individuals about the breach. | Avoid making any misleading statements about the breach. |
| Analyse preserved data and review logs (if possible) to find out more about how the breach occurred. | Do not withhold important details about the breach that might help affected individuals protect themselves. |
| If third-party vendors have been engaged to process personal data, ensure that these vendors have implemented the necessary measures to protect personal data. | Do not publicly share information that might put affected individuals at further risk. |
| If your network has been segmented, ensure that there are no gaps in the segmentation plan. | Do not close off the data breach incident hastily. Take time to review the pre-breach measures and the breach response. |
“In addition to clearly stipulating the vendor’s scope of IT maintenance and/or development work, organisations are expected to exercise reasonable oversight over the vendor’s performance of the subcontracted services, including patching… There should be a clear meeting of minds as to the services the service provider has agreed to undertake and organisations must follow through with procedures to check that the outsourced provider is delivering the services.”
–The Law Society of Singapore [2023] SGPDPC 4
Data Breach Checklist
The following generic checklist may be used to ensure that the key matters are considered in the event of a data breach; please note that it is not intended to be exhaustive.

“Following the [data breach], the Organisation took prompt and extensive remedial action to mitigate the effects of the [data breach] and enhance the overall robustness of its security measures. This included notifying the affected individuals, layering access controls and introducing mandatory hardware key access authentication.”
–QCP Capital Pte Ltd [2022] SGPDPCS 16
Conclusion
A data breach can lead to disruptions in an organisation’s operations and even financial and reputational loss. Further, it can expose individuals who have disclosed their personal data to the affected organisation to significant harm. It is therefore critical for companies to have a data breach response plan in place so that they can act swiftly when a data breach occurs.
References
[1] Federal Trade Commission, “Data Breach Response: A Guide for Business”, <https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business> (accessed 6 May 2024).
[2] Personal Data Protection (Notification of Data Breaches) Regulations 2021, The Schedule.
[3] Id, at s 3.
[4] Personal Data Protection Act, s 26D.
[5] Supra n 1.
[6] Supra n 1.
[7] Supra n 1.
At Infinity Legal LLC, we have assisted and provided legal representations to organisations and individuals in all matters relating to personal data protection, legal compliance and data breach management.
© Infinity Legal LLC 2024
The content of this article is for general information purposes only, and does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances. Infinity Legal LLC does not accept any responsibility for any loss which may arise from reliance on information or materials published in this article. Copyright in this publication is owned by Infinity Legal LLC. This publication may not be reproduced or transmitted in any or by any means, in whole or in part, without prior written approval.
Infinity Legal LLC thanks and acknowledges Interns Valencia Wan and Carine Teo for their contribution to this article.
[Last Updated: 9 May 2024, 7:00 pm]