DATA & PRIVACY ARTICLE - CYBERSECURITY IN THE PROTECTION OF PERSONAL DATA
Cybersecurity in the Protection of Personal Data
- If the use of portable storage devices to store or transfer personal data cannot be avoided, more stringent physical controls for such devices should be considered.
- To identify if there is malice in the unauthorised disclosure of personal data, it is critical to retain logs related to the access of personal data.
- On top of technical controls, awareness training for office staff is also necessary to reduce the probability of human errors.
A cybersecurity breach can jeopardise credibility and be incredibly costly for small businesses in terms of damages. Photo: Canva Pro
Since the second half of 2020, there have been numerous reported cases of personal data breaches of Singapore-based entities, with the latest being from Singtel.
Coincidentally, from 1 February 2021, new amendments to the Personal Data Protection Act (PDPA) have come into force. With the new amendments, there is an increased emphasis for organisations to better protect personal data that is under their care.
This article seeks to share some salient points for cybersecurity protection in relation to the newly amended PDPA.
1. Mandatory requirement of reasonable security arrangements to prevent the loss of any storage medium or device on which personal data is present
Section 24(b) is a newly added protection sub-clause in the PDPA. This clause applies to storage media, such as storage drives, that contain personal data.
There are typically two types of storage media: immovable or portable storage media. For immovable storage media, such as those found in your stationary servers or personal computers (PCs), the risk of loss is minuscule, hence they will not be the focus of this article. Proper storage media disposal procedures can address the risks of loss of storage media from immovable devices. Instead, let us focus our attention on portable storage media or devices, such as laptops, external USB drives and USB thumb drives.
Laptops
External USB drives and USB thumb drives
The best option is to avoid the use of such storage devices for storage or transfer of personal data. Possible alternatives include internal file transfer services, such as internal network shared folders, or cloud-based file sharing services. Do note that for cloud-based file sharing services, it is important that the service provider provides a level of protection that satisfies the requirements of the PDPA. It is also preferable that the service be physically located in Singapore for data sovereignty purposes and to avoid additional cross-border data transfer requirements. Password protection of files containing personal data is highly recommended when such documents are stored in cloud-based file sharing services.
If the use of portable storage devices to store or transfer personal data cannot be avoided, more stringent physical controls for such devices should be considered. Possible measures include restricting usage to a permitted list of USB storage devices and restricting such permitted devices from leaving the office premises. The latter could be enforced by requiring daily end-of-day return of every permitted USB storage device to a designated custodian.
Awareness Training
Controls placed on storage devices alone are insufficient in preventing data breaches. Photo: Canva Pro
Notwithstanding the above technical controls, adequate awareness training for office staff is required to reduce the likelihood of human errors negating the benefits of the above-mentioned technical controls.
2. More explicit personal liability for malicious and reckless behaviour resulting in unauthorised disclosure of personal data
In the newly added Section 48D, it is an offence for an individual to disclose or cause the disclosure of personal data where the disclosure is not authorised, and the individual either knows the disclosure is not authorised, or is reckless as to whether the disclosure is authorised or not.
The penalty is a fine not exceeding $5,000, imprisonment for a term not exceeding two years, or both.
To identify if there is malice in the unauthorised disclosure of personal data, it is critical to retain logs related to the access of personal data. Information such as source IP addresses, time of access, and the type and amount of personal data accessed can help to gauge whether the access is with or without malice. To achieve this, it is important to monitor and log all access to personal data, such as from websites, databases and shared folders.
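As an added example, not code from the article, the Python below reviews a constructed personal-data access log carrying the fields just listed (source IP, time of access, data type and number of records) and flags the accesses a reviewer would want to look at first: off-hours, bulk and external-IP access. The office hours, bulk threshold and internal IP range are assumptions.

```python
"""Review a personal-data access log for accesses that merit a closer look."""
from collections import defaultdict
from datetime import datetime
import csv
import io

# Constructed sample log (not real data). One row per access event, with the
# fields the article recommends retaining.
SAMPLE_LOG = """\
timestamp,user,source_ip,resource,data_type,records
2021-02-01T09:12:05,alice,10.0.1.15,crm_db,customer_contact,12
2021-02-01T09:40:21,alice,10.0.1.15,crm_db,customer_contact,8
2021-02-01T23:05:44,bob,203.0.113.7,crm_db,customer_contact,4800
2021-02-01T23:09:10,bob,203.0.113.7,hr_share,employee_nric,350
2021-02-02T10:02:33,carol,10.0.1.22,web_portal,customer_contact,1
"""

OFFICE_HOURS = range(8, 19)   # assumed: 08:00 to 18:59 local time
BULK_THRESHOLD = 1000         # assumed: records in one event that count as bulk
INTERNAL_PREFIX = "10.0."     # assumed: corporate network range


def parse_log(text):
    """Parse the CSV log into dicts with a datetime and an integer record count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["records"] = int(row["records"])
        rows.append(row)
    return rows


def flag_events(rows):
    """Return (user, reason) pairs for accesses that warrant review."""
    flags = []
    for r in rows:
        if r["timestamp"].hour not in OFFICE_HOURS:
            flags.append((r["user"], "off-hours access"))
        if r["records"] >= BULK_THRESHOLD:
            flags.append((r["user"], "bulk access"))
        if not r["source_ip"].startswith(INTERNAL_PREFIX):
            flags.append((r["user"], "external source ip"))
    return flags


def records_per_user(rows):
    """Total personal-data records touched per user, to scope a possible disclosure."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["user"]] += r["records"]
    return dict(totals)
```

Per-user totals give the "amount of personal data accessed" figure needed when deciding how many individuals a breach affects.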
Another type of unauthorised disclosure is related to recklessness. In layman's terms, recklessness is defined as "gross negligence", which sets a higher bar when compared to the "negligence" standard in the earlier version of the PDPA. Hence, the new amendments actually raise the bar for an individual to be found guilty of breaching the PDPA, specifically Section 48D.
Just as we are personally responsible for getting our cars inspected every eighteen months to ensure that they are fit for our local roads, it is also imperative that IT environments be inspected on a regular basis to ensure that they are adequate in protecting personal data. If you have been ignoring reports of critical vulnerabilities from your IT or IT Security colleagues, you could also be deemed reckless for operating in an environment that is "unfit" for protecting personal data.
Another example of recklessness is the continual use of IT products for which support has expired, such as the use of Windows XP. This is akin to driving a car that has reached its lifespan here in Singapore (more than 10 years) without any official extension of its Certificate of Entitlement (COE).
3. Mandatory data breach notification to regulators and/or customers.
Companies have to be held accountable if their customer data becomes compromised. Photo: Canva Pro
The new Part VIA of the PDPA contains new clauses related to mandatory data breach notification requirements. A data breach is notifiable if it:
- results or is likely to result in significant harm to an individual; or
- results or is likely to result in insignificant harm to individuals exceeding 500 individuals.
For the former, both the affected individuals and the Personal Data Protection Committee (PDPC) must be notified. For the latter, the PDPC must be notified but it is not mandatory to notify the affected individuals. Nevertheless, notification to affected individuals in the latter case may be viewed favourably by the PDPC.
Do note that a data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data within an organisation is deemed not to be a notifiable data breach.
Subsequent sub-sections under Section 26 cover the following areas:
- The need to assess whether a breach is notifiable in a reasonable and expeditious manner;
- Duty of a data intermediary to notify their customers immediately; and
- Notification period of 3 calendar days or 72 hours after you have ascertained it is a notifiable breach.
Practical steps to prepare for these requirements include:
- Establish a pre-approved panel of forensic investigators to help you assess whether a breach is notifiable in a reasonable and expeditious manner.
- Conduct regular data breach simulation exercises based on your plans and playbooks.
As we enter into 2021, let us look forward to a safer year, both in health and cybersecurity.
About the Author
Wong Onn Chee | Data & Privacy SIG Lead, MAISP | Association of Information Security Professionals (AiSP)
Wong Onn Chee is currently the Chief Executive Officer at Rajah & Tann Cybersecurity and Technical Director at Rajah & Tann Technologies. His areas of expertise include information leakage protection, web/cloud security and security strategy. Onn Chee is also one of the co-inventors for at least six international PCT patent rights, besides several US, EU and Singapore patents. He volunteers at the Association of Information Security Professionals (AiSP) and is involved in a wide range of AiSP initiatives such as the Data & Privacy Special Interest Group.
This article was first published on the ASME website.