November 04, 2018

Key learning points from recent data breach cases


2018 has been the year of data breaches for Singapore. Ask any person on the street about the SingHealth[1] data breach and they will give you a lengthy account of it. In summary, hackers made their way into Singapore’s healthcare records and compromised the personal data of 1.5 million patients, including Prime Minister Lee Hsien Loong. Findings from the ongoing court hearings revealed many details, including an alleged security flaw in SingHealth's electronic medical records (EMR) system that was discovered months ago but never rectified.

Lessons learnt from data breaches

One thing the SingHealth case teaches us is that organisations can have the best infrastructure to detect security breaches, but such sophisticated systems are of limited use when breaches are not properly identified by staff and communicated in a timely manner to relevant parties.

Establishing clear communication channels and response protocols among the teams working to protect the country’s healthcare database would have helped to reduce the damage that the hackers inflicted. Staff should also feel empowered to raise security issues in a timely manner to senior management, who can then decide on the right course of action to deal with the matter. Regular training and reviews of security protocols are also crucial for ongoing protection. As employees in SingHealth were not trained adequately, they did not understand the severity of the situation and failed to respond quickly with a robust strategy. In other words, while the IT system did its job in flagging the breach, the people who were supposed to address the situation were slow to realise the severity of the threat and therefore failed to respond with urgency.

Negative consequences for non-compliance

Organisations found to have breached regulations under the Personal Data Protection Act (PDPA) can face detrimental consequences. For instance, the PDPA allows for the imposition of a maximum fine of S$1 million. In October 2017, a financial penalty of S$7,000 was imposed on Club the Chambers[2] for failing to make reasonable security arrangements to prevent the unauthorised disclosure of the identity documents of 11 individuals in a LAN gaming centre.

In addition to receiving fines from the Personal Data Protection Commission (PDPC), an organisation’s reputation is likely to be tarnished if it is found to be on the wrong side of the law. The organisation’s ability to stay in business may also be affected in the long run because of the negative publicity that a data breach attracts. Ultimately, customers, and in the case of the SingHealth breach, patients, lose confidence in an organisation that fails to take the necessary measures to protect their data.

Taking a holistic approach towards data security

To adequately protect customer data, an organisation needs to think about both cyber and physical data security. Cyber security is often the first aspect that organisations consider when thinking about an overall approach towards protecting customer data. However, a common source of security breaches is staff, acting either deliberately or accidentally (as in the SingHealth case).

Organisations still use paper to collect and process customer data, and such information needs to be shredded and disposed of securely to prevent a data breach. It is vital for an organisation’s Data Protection Officer (DPO) to keep this holistic approach in mind when designing sound policies for the organisation. The DPO can take the lead in inculcating a culture of data security in the organisation, holding training workshops to educate employees on good data protection habits. Encouraging a clean desk policy, a Shred-it all policy and taking great care to dispose of hard drives properly are some other examples of how organisations can continue to safeguard the various forms of data they store.

Start Protecting Your Business

An organisation that integrates personal data protection into its business processes can reduce the risk of a data breach. Learn more about how Shred-it can protect your documents and hard drives by contacting us for a free quote and a security risk assessment.


[1] The Straits Times. 2018. COI on SingHealth cyber attack: Hackers searched for PM Lee's records using his NRIC number. [ONLINE] Available at: https://www.straitstimes.com/singapore/coi-on-singhealth-cyber-attack-hackers-searched-for-pm-lees-records-using-his-nric-number. [Accessed 13 October 2018].

[2] Personal Data Protection Commission. 2018. Breach of Protection Obligation by Club the Chambers. [ONLINE] Available at: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds_of_Decision_Club_the_Chamber_041018.pdf. [Accessed 13 October 2018].