In this episode, Sarah Bruno and LiLing Poh discuss recent trends as organizations invest more in technology through the acquisition of new platforms or programs, or by working with a vendor to bring a product to market. Exploring a case study involving a global pharmaceutical company on the rollout of a health-related digital app,
Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach.
As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.
What is a data breach?
A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.…
The European Union Agency for Cybersecurity (ENISA) has been supporting the European Union (EU) Member States in developing, implementing and evaluating their cyber security strategies. Since 2012 and as part of this support, ENISA has been developing tools, studies and guidelines to help EU Member States build on their national cyber security strategies. The latest of these developments, launched on 28 November 2019, is a security mapping tool for operators of essential services (OES) and digital service providers (DSPs) in the energy, banking, health and digital infrastructure sectors, helping them comply with their obligations under the Network and Information Systems Directive 2016/1148 (NIS Directive).
Below we take a closer look at the new security mapping tool.…
Increasingly, businesses are looking to adopt data protection certifications and standards for myriad reasons, including enhancing consumer trust, demonstrating compliance when contracting with partners and managing regulatory risk.
We have prepared a high-level comparison to guide Singapore businesses in determining which certification or certifications could be the best fit.
Who can apply: All organisations, private or public, regardless of size and for-profit status. Data controllers and processors/intermediaries are eligible to apply.
Features: The ISO/IEC 27701:2019 standard provides a data privacy extension to ISO/IEC 27001:2013 Information Security Management and ISO/IEC 27002:2013 Security Controls. It extends their requirements to take into account, in addition to information security, the protection of privacy of individual consumers as potentially affected by the processing of personal data.
The annexes to the standard list the applicable controls for data controllers and processors, and map the provisions of the standard against the EU General Data Protection Regulation (GDPR), amongst other things.…
On 4 November 2019, Singapore’s Parliament published a draft amendment to the Banking Act.
Under the amendment, all banks will be required to evaluate the ability of their service providers (whether these be a branch or office, or an external party) to:
(a) safeguard the confidentiality and integrity, and ensure the availability, of the banks’ information; and
(b) protect all customer information against unauthorised disclosure, retention, or use.
Where the service provider is a branch or office of the bank, specific provisions covering the above must be included in the branch or office’s policies and procedures.
Where the service provider is an external party, however, then the relevant provisions must be included in the contract between the bank and the provider.
Such policies and procedures, or contract, as the case may be, must also confer on the bank, the regulator (the Monetary Authority of Singapore or MAS), or an auditor appointed by the bank, the right to audit the books of the service provider to ensure that the above requirements have been complied with.…
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a fact sheet clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. The fact sheet outlines 10 specific circumstances for which OCR has authority to take enforcement…
The UK government has recently published an invitation to take part in its consultation on proposals for the regulation of the Internet of Things (IoT).
The consultation, to be run by the Department for Digital, Culture, Media and Sport, seeks input into future regulation aimed at improving IoT security. This invitation follows the recent publication …
The Information Commissioner’s Office (ICO) recently published a summary report of its fact finding forum on data protection issues arising from advertising technology (adtech). Adtech is a term commonly used to refer to all technologies, software and services used for delivering and targeting online advertisements.
The ICO compiled responses from over 2,300 participants in an online survey, and conducted fieldwork with more than a hundred stakeholders (publishers, advertisers, start-ups, adtech firms, lawyers and citizens). The ICO highlighted three key challenges of adtech: (i) transparency, (ii) lawful basis and (iii) security.…
On 13 December 2018, the Singapore data protection commission issued four separate decisions against the following organisations, for breaches of the protection obligation under section 24 of the Personal Data Protection Act 2012 (PDPA):
- Funding Societies Pte Ltd
- WTS Automotive Services Pte Ltd
- Institute of Singapore Chartered Accountants
- SLF Green Maid Agency
The facts of this case were as follows:
- The organisation operates an online financing platform for investors and borrowers.
- There was a vulnerability on the organisation’s website, such that when a user logged in, they could access the personal details of other users of the site simply by changing a unique identifier without such identifier in both their authentication and authorisation tokens needing to match. The vulnerability lasted for 37 days and enabled the customer’s name, national registration identity card number and residential address to be accessed without authorisation.
- The commission found that an authorised user would have been able to pretend to be another user and perform functions such as using an investor’s account to contact prospective borrowers, updating a user’s personal details and even altering the auto-investment settings of an investor’s account.
The commission determined that:
- The organisation failed to put in place adequate security arrangements on its website, which led to the unauthorised access of users’ personal information and potential misuse of the accounts by unauthorized users.
- What is particularly noteworthy is the commission’s comment that it “did not consider being a young organisation to be a mitigating factor”.
- A financial penalty of $30,000 was imposed for the breach.
Earlier this month, the Information Commissioner’s Office (ICO) published security guidance in its guide to the General Data Protection Regulation (GDPR).
Article 32 of the GDPR specifies encryption as an example of an appropriate technical and organisational measure. The guidance states four things that should be considered when implementing encryption:
- The algorithm. This should be appropriate for its use and should be assessed regularly to ensure that it remains appropriate;
- The key size. This should be large enough to protect against an attack, and its appropriateness should be assessed regularly;
- The software. The ICO states that this should meet current standards such as FIPS 140-2 and FIPS 197; and
- The security of the key. The ICO provides that keys must be kept securely and businesses should have processes in place to generate new keys when necessary.
The ICO makes clear that, depending on the context of the incident, regulatory action may be pursued where data is lost or destroyed and it was not encrypted.…