July 12, 2018

Lessons Learnt from Recent Data Breach Enforcement Cases

Lessons Learnt from Recent Data Breach Enforcement Cases

With Singapore having one of the lowest crime rates in the world, it might not strike most people as a country at risk of data breaches. However, the mounting recent data breach cases indicate otherwise. Even in the safest of countries, such as Singapore, data breaches can and do happen. When they do, they should serve as lessons for us to learn from and minimise the possibility of future breaches. We’ve outlined some key findings below:

Data breaches do occur in Singapore[1]

Singaporeans tend to share their personal data, such as NRICs, e-mails, residential addresses and contact numbers, liberally with different organisations every day. However, we hardly consider where our information ends up or what it may be used for after we’ve handed it over.

The recent data breach enforcement cases serve as a reminder that we should not take the sharing of our information lightly. As the people who ultimately suffer from the unlawful activities that occur once our information is compromised, we should be wary, know our rights and hold organisations who gather our data to account.

Under part III of the Compliance with Act[2] of the Personal Data Protection Act (PDPA), organisations are responsible for personal data in its possession or under its control. Organisations must also follow when it comes to collecting and using our personal information. It also provides baseline protection for your personal data by implementing laws and regulatory guidelines across all organisations.

Big or small, all organisations need to adhere to the PDPA

Even though the PDPA serves to protect personal data, some data breaches reported were due to an organisation’s lack of sufficient security measures as well as lack of training or enforcement within the organisation to carry out the security procedures. Many organisations, especially small and medium enterprises, may have overlooked the appropriate steps to incorporate protection measures in their business operations architecture.

It is hence important for all organisations in Singapore to abide by the Personal Data Protection Commission (PDPC) rulings. No matter how big or small your organisation, all are equally vulnerable to data breaches when proper security measures are not put in place. Experience

paired with an absence of incidents often breeds complacency. Sound policies should be established to provide for additional layers of checks and balances specifically to watch for and prevent human error during normal operational workflows. These additional checks should ensure the strict adherence to standard operating procedures and serves as an additional line of defence.

Both physical and digital data matter

Most of the organisations charged for data breaches were fined due to flaws in their management of digital data. However, we should not forget about physical data, such as data stored on hard-drives and printed documents containing sensitive information. When disposed of improperly, this data is up for grabs and can become accessible to anyone who comes across it, including criminals.

The consequences of a physical data breach can be just as severe as a cyber data breach and are often more difficult to trace. The easiest and safest way to reduce the risk of a physical data breach is to adopt and educate employees on information security policies such as a Shred-it All Policy and a Clean Desk Policy. This not only ensures the secure disposal of sensitive hardcopy documents, but also reduces the risk of an information leak during the transport of paper trash.

Start Protecting Your Business

To learn more about how Shred-it can protect your documents and hard-drives, please contact us for a free quote and security risk assessment.

[1]The Straits Times. 2018. Privacy watchdog fines 22 in past to years over security breaches. [ONLINE] Available at: http://www.straitstimes.com/tech/privacy-watchdog-fines-22-in-past-two-years-over-breaches. [Accessed 31 January 2018]

[2]Singapore Statutes Online. 2012. PERSONAL DATA PROTECTION ACT 2012. [ONLINE] Available at: https://sso.agc.gov.sg/Act/PDPA2012#pr11-. [Accessed 31 January 2018]