Got a notice of data breach? Don’t panic!

Got a notice of data breach? Don’t panic!

The amended Personal Data Protection Act 2012 (PDPA) of Singapore has brought with it mandatory data breach notification rules. Although said guideline was only implemented early February, business organizations with reported incidents are quick to adapt.

On the customer’s end, an age-old question remains: what do you do when you get a notice of data breach? In this article, we give you simple tips on how to handle a potential exploitation of your personal information.

When is it required under the PDPA?

Singapore’s new provisions on its data protection law require an organization to notify a data breach if it results/likely results to significant harm to an affected individual or is likely to affect 500 or more individuals.

Once a purported data breach is determined to be notifiable, the organization is mandated to notify the Singapore Personal Data Privacy Commissioner (PDPC) as soon as practicable, before the affected individuals. However, there are exceptions to the obligation to notify affected individuals in the event that the organization:

• Had implemented, before the breach, any technological measure that makes it unlikely that the data breach will result in significant harm to an affected individual; or
• Is able to take action after the breach that makes it unlikely that the data breach will result in significant harm to an affected individual.

So what do you do if out of nowhere, you receive a notice of data breach? Well, it really depends on the type of information compromised. Therefore, the first thing you have to do is to research.

Find out what information was breached

A notice of data breach letter would usually just tell you what personal information was exposed in the breach. For mitigating bad press and other legal liability, most organizations would typically refrain from giving all-out information.

In fact, you might even hear about the data breach in the news before you receive any notification. Regardless, the news is a valuable source of information about the breach incident so be sure to keep on the loop on the developing story.

Next, you have to think through all the information that you may have disclosed with the organization. Did you use your credit card to transact with them? Have you’ve accomplished a form by giving out your social security number? Did you write your address? All of these details would determine what type of personal information was exposed.

A data breach on personal information would typically fall into three broad categories: a) financial information, b) medical information, and c) other personal information.

In case of financial information,

Records have shown that most data breach cases would involve the exploitation of financial information through identity theft and fraud. Consequently, this type of breach is the most straightforward to defend against.

Below are some tips to protect financial accounts that may have been exposed:

• Close your affected checking and savings account, money market funds, stocks, brokerage accounts, or any other affected financial accounts
• Contact your bank to cancel your credit and/or debit cards
• Change your username, and more importantly your password
• If you still haven’t, password-protect your accounts using only strong passwords. Consider using a password manager
• Two-factor authentication is always your best bet in adding an extra layer of protection
• Set up alerts on your financial accounts to notify you at once of new activity
• Keep on the lookout for any fraudulent transaction on your financial account by reviewing your transaction history

In case of medical information,

The Federal Trade Commission (FTC) has reported that medical information identity theft cases has doubled in 2019. This was obviously brought about by the rise of medical data breaches.

Below are some tips to handle medical information data breaches:

• If you receive a suspicious debt collection following a notice of data breach, do not immediately reply. Instead, call the institution and determine the medical provider they are collecting payment for
• Always contact the medical provider’s billing department and probe for information without mentioning any incident of identity theft
• Notify the medical provider, your insurance, and appropriate authorities once you determine any fraud
• Keep records of any transaction by requesting copy of your medical record from each of your providers right away
• Same as the previous section, contact your bank and credit card issuers to ask them to put an alert on your accounts

In case of other personal information,

Although financial and medical information are the two types of information that is usually exploited on a data breach, your other personal information might also be the subject of a data breach.

This would include all the information you provide when signing in on a website or accessing an app, software, or any other program. A notice of data breach might be improbable at this point since businesses such as app makers or social media companies aren’t obligated to notify individuals if non-protected information is stolen or breached.

The best way to keep yourself protected is by practicing good cybersecurity hygiene:

• Review the privacy policy whenever you are prompted upon signing up on any website, app, software, or program
• Never post your information on social media even if you are friends with only those you know
• Keep on the lookout for various social engineering attempts, such as phishing or any other fraudulent schemes

While it is true that regulations such as the PDPA are designed to impose a more robust data protection guideline for organizations, private individuals are still expected to know how to handle a notice of data breach in a professional manner.

The best way to do this is by not panicking and by being thoroughly informed before taking the appropriate actions.

What about organisations in general? How can they curb the instances of a Data Breach and to better protect their customers’ and other individuals’ personal data? A DPO can help.

For Organisations, hiring a DPO can help.

Aside from the fact that it is mandatory under the PDPA, an outsourced Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA).

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of PDPA noncompliance as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

Don’t wait any longer to ensure your organisation is PDPA compliant. Take our free 3-minute PDPA Compliance Self-audit checklist now, the same “secret weapon” used by our clients to keep them on track. Upon completion, we will send you the results so you can take the necessary action to protect your customers’ data. Complete the free assessment checklist today and take the first step towards protecting your customers’ personal data.