DATA & PRIVACY ARTICLE - CYBERSECURITY IN THE PROTECTION OF PERSONAL DATA

Cybersecurity in the Protection of Personal Data

  • If the use of portable storage devices to store or transfer personal data cannot be avoided, more stringent physical controls for such devices should be considered.

  • To identify if there is malice in the unauthorised disclosure of personal data, it is critical to retain logs related to the access of personal data.

  • On top of technical controls, awareness training for office staff is also necessary to reduce the probability of human errors.


A cybersecurity breach can jeopardise credibility and be incredibly costly for small businesses in terms of damages. Photo: Canva Pro

Since the second half of 2020, there have been numerous reported cases of personal data breaches of Singapore-based entities, with the latest being from Singtel.

Coincidentally, from 1 February 2021, new amendments to the Personal Data Protection Act (PDPA) have come into force. With the new amendments, there is an increased emphasis on organisations to better protect the personal data under their care.

This article seeks to share some salient points for cybersecurity protection in relation to the newly amended PDPA.

1. Mandatory requirement of reasonable security arrangements to prevent the loss of any storage medium or device on which personal data is present

Section 24(b) is a newly added protection sub-clause in the PDPA. This clause applies to storage media, such as storage drives, that contain personal data.

There are typically two types of storage media - immovable or portable storage media. For immovable storage media, such as those found in your stationary servers or personal computers (PCs), the risk of loss is minuscule, hence they will not be the focus of this article. Proper storage media disposal procedures can address the risks of loss of storage media from immovable devices. Instead, let us focus our attention on portable storage media or devices, such as laptops, external USB drives and USB thumb drives.

Laptops

The cost for CTI implementation depends on the organisation's purpose for such information. For companies that wish to disseminate threat insights to their subsidiaries and use them to audit their critical vendors, it pays to invest in information collation from credible data points. CTI personnel should ideally have some understanding of risk assessment, to ascertain whether the information gathered is valid and useful for their organisation's cybersecurity posture and identified vulnerabilities. There is a need to connect the dots during information analysis, to identify blind spots that are not immediately apparent. Such information need not be limited to system issues or software performance, as breaches can be caused by both external and internal actors. For instance, are the key suppliers handling our business data running systems that require regular patching? Has there been an organisation-wide retrenchment at one of our supply-chain partners?

External USB drives and USB thumb drives

The best option is to avoid the use of such storage devices for the storage or transfer of personal data. Possible alternatives include internal file transfer services, such as internal network shared folders, or cloud-based file sharing services. Do note that for cloud-based file sharing services, it is important that the service provider provides a level of protection that satisfies the requirements of the PDPA. It is also preferable that the service be physically hosted in Singapore, for data sovereignty purposes and to avoid additional cross-border data transfer requirements. Password protection of files containing personal data is highly recommended when such documents are stored in cloud-based file sharing services.

If the use of portable storage devices to store or transfer personal data cannot be avoided, more stringent physical controls for such devices should be considered. Possible measures include restricting to a permitted list of USB storage devices and restricting such permitted devices from leaving the office premises. The latter could be enforced by requiring daily end-of-day return of every permitted USB storage media to a designated custodian.

Awareness Training

Controls placed on storage devices alone are insufficient in preventing data breaches. Photo: Canva Pro



In addition to the above technical controls, adequate awareness training for office staff is required to reduce the likelihood of human errors negating the benefits of those controls.

2. More explicit personal liability for malicious and reckless behaviour resulting in unauthorised disclosure of personal data

In the newly added Section 48D, it is an offence for an individual to disclose or cause the disclosure of personal data where the disclosure is not authorised, and the individual either knows the disclosure is not authorised, or is reckless as to whether the disclosure is authorised or not. The penalty is a fine not exceeding $5,000, imprisonment for a term not exceeding two years, or both.
To identify if there is malice in the unauthorised disclosure of personal data, it is critical to retain logs related to the access of personal data. Information such as source IP addresses, time of access, and the type and amount of personal data accessed can help to gauge whether the access is with or without malice. To achieve this, it is important to monitor and log all access to personal data, such as from websites, databases and shared folders.
Another type of unauthorised disclosure is related to recklessness. In simple layman terms, recklessness is defined as "gross negligence", which sets a higher bar when compared to "negligence" in the earlier version of the PDPA. Hence, the new amendments actually raise the bar for an individual to be found guilty of breaching the PDPA, specifically Section 48D.
Just as we are personally responsible for getting our cars inspected every eighteen months to ensure that they are fit for our local roads, it is also imperative that IT environments be inspected on a regular basis to ensure that they are adequate in protecting personal data. If you have been ignoring reports of critical vulnerabilities from your IT or IT Security colleagues, you could also be deemed reckless for operating in an environment that is "unfit" for protecting personal data.
Another example of recklessness is the continual use of IT products in which support has expired, such as the use of Windows XP. This is akin to driving a car that has reached its lifespan here in Singapore (more than 10 years) without any official extension of its Certificate of Entitlement (COE).
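The logging point above is only useful if someone actually reviews the logs. The script below is an added example, not code from the article or its author: it reads a constructed personal-data access log (the CSV layout, the field names, the thresholds and the "office network" range are all assumptions made for this example) and flags the signals the article names, namely where the access came from, when it happened and how much personal data was touched, so that an investigator can see which events need a closer look.

```python
"""Added example (not from the article): flag personal-data access events that
warrant investigation, working from a constructed access log.

Assumptions: log lines are CSV with the fields
timestamp,user,source_ip,resource,records. This layout, the thresholds and the
office network range were chosen for the example, not taken from the article.
"""
from collections import defaultdict
from datetime import datetime, time
import csv
import io
import ipaddress

# Constructed sample log covering a customer database and an HR shared folder.
SAMPLE_LOG = """timestamp,user,source_ip,resource,records
2021-02-03T09:12:00,alice,10.0.1.15,crm_db.customers,12
2021-02-03T09:40:00,bob,10.0.1.22,shared/hr/payroll.xlsx,1
2021-02-03T14:05:00,alice,10.0.1.15,crm_db.customers,30
2021-02-03T23:47:00,bob,203.0.113.9,crm_db.customers,4800
2021-02-04T02:10:00,bob,203.0.113.9,shared/hr/payroll.xlsx,1
2021-02-04T10:30:00,carol,10.0.1.40,crm_db.customers,25
"""

# Thresholds are assumptions for this example; tune them to your own baseline.
OFFICE_NETWORK = ipaddress.ip_network("10.0.0.0/8")
OFFICE_HOURS = (time(8, 0), time(19, 0))
BULK_RECORDS = 1000            # a single event touching this many records
DAILY_RECORDS_PER_USER = 2000  # total records per user per calendar day


def parse_log(text):
    """Parse CSV log text into a list of event dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "source_ip": ipaddress.ip_address(row["source_ip"]),
            "resource": row["resource"],
            "records": int(row["records"]),
        })
    return events


def flag_events(events):
    """Return (reason, event) pairs for events that need human review.

    Reasons map to the signals the article names: source IP, time of access,
    and the amount of personal data accessed (per event and per user per day).
    """
    findings = []
    per_user_day = defaultdict(int)
    for ev in events:
        if ev["source_ip"] not in OFFICE_NETWORK:
            findings.append(("external_source_ip", ev))
        t = ev["timestamp"].time()
        if not (OFFICE_HOURS[0] <= t <= OFFICE_HOURS[1]):
            findings.append(("outside_office_hours", ev))
        if ev["records"] >= BULK_RECORDS:
            findings.append(("bulk_access", ev))
        per_user_day[(ev["user"], ev["timestamp"].date())] += ev["records"]
    # Aggregate check: many small reads can add up to a bulk export.
    for (user, day), total in per_user_day.items():
        if total > DAILY_RECORDS_PER_USER:
            findings.append(("daily_volume_exceeded",
                             {"user": user, "date": day, "records": total}))
    return findings


def summarise(findings):
    """Count findings per user so an investigator sees who to look at first."""
    counts = defaultdict(int)
    for _reason, ev in findings:
        counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = flag_events(parse_log(SAMPLE_LOG))
    for reason, ev in found:
        print(f"{reason:24} {ev}")
    print(summarise(found))
```

On the constructed log, every finding points at the same account: two accesses from an address outside the office network, both outside office hours, one of them a 4,800-record read, and a daily total for that user well above the threshold. The point of keeping the aggregate check separate from the per-event checks is that a user who reads a few records at a time all day is invisible to a per-event bulk threshold alone.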

3. Mandatory data breach notification to regulators and/or customers.


Companies have to be held accountable if their customer data becomes compromised. Photo: Canva Pro

The new Part VIA of the PDPA introduces mandatory data breach notification requirements. A data breach is notifiable if it:

  1. results in, or is likely to result in, significant harm to an individual; or

  2. results in, or is likely to result in, insignificant harm to more than 500 individuals.

For the former, both the affected individuals and the Personal Data Protection Committee (PDPC) must be notified. For the latter, the PDPC must be notified but it is not mandatory to notify the affected individuals. Nevertheless, notification to affected individuals in the latter case may be viewed favourably by the PDPC.

Do note that a data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data within an organisation is deemed not to be a notifiable data breach.

Subsequent sub-sections under Section 26 cover the following areas:

  1. The need to assess whether a breach is notifiable in a reasonable and expeditious manner;

  2. The duty of a data intermediary to notify their customers immediately; and

  3. A notification period of 3 calendar days (72 hours) after you have ascertained that it is a notifiable breach.
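A breach response playbook benefits from having the notifiability test and the deadline written down unambiguously. The helper below is an added example, not code from the article or its author; it encodes the two notifiability criteria, the internal-breach exclusion, the data-intermediary duty and the 72-hour window exactly as this article summarises them (the "more than 500 individuals" threshold follows the article's wording). The field names and the `BreachAssessment`/`NotificationPlan` types are assumptions made for the example, and the Act itself, not this code, is authoritative.

```python
"""Added example (not from the article): apply the article's summary of the
PDPA notification rules to an assessed breach and compute the deadline.

Assumptions: the data class fields and thresholds below encode the article's
wording; consult the Act and the PDPC's guidance for the authoritative test.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # 3 calendar days / 72 hours per the article
SCALE_THRESHOLD = 500                      # "exceeding 500 individuals" per the article


@dataclass
class BreachAssessment:
    ascertained_at: datetime              # when notifiability was ascertained
    affected_individuals: int
    significant_harm: bool                # significant harm to any individual
    internal_only: bool                   # unauthorised activity wholly within the organisation
    acting_as_intermediary: bool = False  # organisation processes data on a customer's behalf


@dataclass
class NotificationPlan:
    notifiable: bool
    notify_pdpc: bool
    notify_individuals: bool           # mandatory notification of affected individuals
    notify_customer_immediately: bool  # data-intermediary duty, stated without qualification in the article
    deadline: Optional[datetime]
    reason: str


def assess(b: BreachAssessment) -> NotificationPlan:
    """Decide who must be notified, and by when, from an assessed breach."""
    intermediary_duty = b.acting_as_intermediary
    if b.internal_only:
        # The article states that a breach confined within the organisation
        # is deemed not to be a notifiable data breach.
        return NotificationPlan(False, False, False, intermediary_duty, None,
                                "breach confined within the organisation")
    if b.significant_harm:
        return NotificationPlan(True, True, True, intermediary_duty,
                                b.ascertained_at + NOTIFICATION_WINDOW,
                                "significant harm to an individual")
    if b.affected_individuals > SCALE_THRESHOLD:
        # PDPC must be notified; notifying individuals is optional but may be viewed favourably.
        return NotificationPlan(True, True, False, intermediary_duty,
                                b.ascertained_at + NOTIFICATION_WINDOW,
                                f"more than {SCALE_THRESHOLD} individuals affected")
    return NotificationPlan(False, False, False, intermediary_duty, None,
                            "below both notifiability thresholds")


def time_remaining(plan: NotificationPlan, now: datetime) -> Optional[timedelta]:
    """How long is left before the notification deadline (None if not notifiable)."""
    if plan.deadline is None:
        return None
    return plan.deadline - now


if __name__ == "__main__":
    ascertained = datetime(2021, 2, 10, 9, 0)  # constructed timestamp
    plan = assess(BreachAssessment(ascertained, affected_individuals=600,
                                   significant_harm=False, internal_only=False))
    print(plan)
    print("remaining:", time_remaining(plan, datetime(2021, 2, 12, 9, 0)))
```

The deadline is counted from the moment notifiability is ascertained, not from the moment the breach was discovered, which is why the assessment step in the playbook has to record that timestamp explicitly.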

In order to comply with the new requirements in Part VIA, it is important for an organisation to have the following controls in place before a data breach occurs:

  1. Establish a pre-approved panel of forensic investigators to help you assess whether a breach is notifiable in a reasonable and expeditious manner.
As most SMEs are not suited to build and maintain an internal team of forensic investigators, it is preferable for SMEs to engage a panel of pre-approved forensic investigators. By doing so, SMEs can be assured of a faster response time from the forensic experts and better clarity on the expected costs of assessment.

  2. Formulate a data breach response plan and incident response playbooks.
Formulating a plan for what should be done during a data breach is important as you do not want to be clueless when faced with one. More detailed incident response playbooks can also be valuable references for staff when responding to data breaches. In addition, such plans and playbooks provide assurance that the company can assess any breach in a reasonable and expeditious manner, as well as notify the PDPC and relevant stakeholders in a timely manner.

  3. Conduct regular data breach simulation exercises based on your plans and playbooks.
The plans and playbooks mentioned in the previous paragraph will be futile if staff are not aware of, or are not familiar with them. Hence, regular communication of such plans and playbooks is important. An excellent way to ensure that these plans and playbooks are comprehended by staff is to conduct regular data breach simulation exercises. Such exercises also provide excellent opportunities for the fine-tuning and refinement of relevant plans and playbooks. In addition, these exercises can provide assurance that the processes, procedures and, most importantly, staff, are ready to handle any potential data breaches in the future.

As we enter into 2021, let us look forward to a safer year, both in health and cybersecurity.

About the Author



Wong Onn Chee | Data & Privacy SIG Lead, MAISP | Association of Information Security Professionals (AiSP)


Wong Onn Chee is currently the Chief Executive Officer at Rajah & Tann Cybersecurity and Technical Director at Rajah & Tann Technologies. His areas of expertise include information leakage protection, web/cloud security and security strategy. Onn Chee is also one of the co-inventors for at least six international PCT patent rights, besides several US, EU and Singapore patents. He volunteers at the Association of Information Security Professionals (AiSP) and is involved in a wide range of AiSP initiatives such as the Data & Privacy Special Interest Group.

This article was first published on the ASME website.