Singapore Debates Breach Disclosure
Experts Call for Government to Push Mandatory Breach Reporting
Data privacy experts in Singapore are calling for mandatory reporting of data breaches, similar to the guidelines issued by some U.S. and Canadian government entities, and for making the measure binding on enterprises and citizens alike.
It is critical for Singapore's regulatory authorities to determine which types of breaches must be reported, these leaders say.
"It is important for customers or enterprises to notify the breach to the privacy commissions depending on the severity for the organisation's benefit," says Bill Taylor-Mountford, VP and GM, Asia Pacific and Japan, at LogRhythm, a security intelligence and analytics firm.
Singapore-based Ken Soh, CIO and Director of e-strategies at BH Global, a supply chain management and design firm, agrees with Taylor-Mountford. "While it is critical for the customers to notify the commission when there is a data breach, their regulatory body also needs to clearly articulate the legal procedures and its implications on the notifying organisation to encourage a reporting culture."
Mandate Reporting of Data Breaches
The discussion follows a debate on the reporting mandate among data privacy experts at the recent Data Privacy Asia Conference in Singapore. The experts argued that it would be a pragmatic move to require organisations to notify customers and privacy commissions when data is put at risk.
Agencies within the U.S. and Canada are doing the right thing and should be followed, the proponents argued. Singapore must define the parameters under which organisations report a breach, so that consumers can take precautions, they say.
Speaking to the media after the event, Wong Yu Han, director of strategy at Singapore's Cyber Security Agency, said that measures to counter data leaks are complex, adding: "We are looking at revising our laws to incorporate this aspect."
Singapore's Personal Data Protection Act, which came into force in 2014, contains new rules on the collection, use and disclosure of individuals' personal data and imposes a number of additional requirements on businesses, including an obligation to give individuals access to their own data upon request. However, it does not require entities to report breaches.
"The Act is still in the early phase of implementation and organisations require more guidance in achieving compliance," says Leong Keng Thai, chairman of Singapore's Personal Data Protection Commission.
Regulatory Changes Sought
Security leaders say that the government needs to lay down clear parameters for organisations to report breaches and adopt some of the best practices from the U.S. and UK. These parameters should spell out the nature of the breaches that must be reported.
Singapore-based Anthony Lim, vice chairman, Application Security Advisor Council, (ISC)², says, "Singapore government can emulate best practices from California SB 1386, which pioneered the practice of creating mandates for reporting data breaches."
To make breach notification workable, the Act should specify that:
- Organisations must have auditable and certifiable mechanisms for data leakage discovery and incident response management.
- These laws, in harmony with the PDPA, should cover third-party personal data (staff, customers, contractors, interns, students, members, SCM/CRM data, etc.) that is to be kept confidential.
- There must be a defined process for reporting a breach, when it occurs, to the authorities in charge of incident management.
Taylor-Mountford says that the government authorities, along with the private sector, need to sit down and discuss what kind of breaches should be reported and what information the enterprises need to share with each other.
"While it is not possible to stop all breaches, a concerted effort by all parties will help to reduce the time to detect such breaches and ensure that minimal damage is done," Taylor-Mountford says.
According to Soh, the government also needs separate clauses for personal data and corporate data.
"The Act should clearly define the severity of data loss that could trigger reporting, as at this point in time there is no clarity on what kind of data loss or leakage needs to get notified," Soh says.
Bridging the Gap
The guidelines issued by the PDPC state that notifying affected individuals is good practice, because it encourages them to take preventive measures and helps an organisation rebuild consumer trust. Experts argue, however, that because reporting is not legally binding, organisations will simply not report. Enterprises need the discipline to make reporting breaches natural and logical, and to prevent them by applying best practices.
Even where companies are not required to formally report breaches, Koh says, they can set up an information sharing mechanism to discuss with peers and other leaders what needs to be done to handle the situation.
"One way to be cautious about the breaches is to have a clear understanding of how they occur and observe the pattern when one doesn't have the adequate capabilities to handle," Lim says.
Enterprises that lack the technical capability, resources or interest to proactively monitor for data leaks need to understand that:
- A hacker will take care not to trigger alarms while stealing data;
- Unintended, accidental data leakage caused by poor staff practice will go unnoticed;
- Most of the time, nobody knows a breach is happening until it has already occurred, as in the Target, Sony and Ashley Madison cases.
The greatest challenge, Lim says, is that organisations are unable to detect breaches and are therefore unaware that they are victims at all.
The best possible way to address such a scenario is to use emerging security controls to improve monitoring and analysis, says Taylor-Mountford. "Enterprises should be in a position to filter the relevant information with so much data being consumed and transmitted on a daily basis and have best technologies in place to have a holistic view of threats and intrusions across the board."