What every organization should know about the Notification Obligation
In early February, Singapore became the latest Asian state to enact the mandatory data breach notification obligation. The new rules were enacted as amendments to Singapore’s Personal Data Protection Act 2012 (PDPA), which has been in effect for more than six years.
Mandatory data breach notification rules are rapidly gaining traction in Asia-Pacific. Eight jurisdictions (Singapore, mainland China, Indonesia, the Philippines, South Korea, Taiwan, Australia, and New Zealand) now have some sort of breach notification requirements in place, and this number will increase to nine when Thailand’s new Personal Data Protection Act takes effect later this year. India and Hong Kong are also considering enacting breach notification rules.
Singapore’s Notification Obligation
Singapore’s new provisions require organizations to notify customers in the event of a data breach if the breach:
- Causes severe harm to an affected individual, or is likely to cause significant harm to an affected individual; or
- Affects or is likely to affect 500 or more people.
Singapore’s law is unique in that it requires notification of a data breach based on either the potential for harm or the number of impacted individuals. In the majority of other jurisdictions, whether a breach is reportable depends entirely on the former.
For example, in Australia, a breach is reportable if it is likely to cause substantial harm to even a single individual – but is not reportable if it is unlikely to create serious harm regardless of the number of individuals affected. South Korea is the only other Asian country that considers the number of impacted individuals when considering whether a breach must be reported.
Singapore mandates notification of a data breach if it is “likely” to result in “significant” harm. In everyday language, “likely” denotes that the danger of harm must be greater than 50%; nevertheless, courts have occasionally defined “likely” more liberally in legislation to mean a genuine possibility, even if the likelihood is less than 50%.
“Significant harm” is also a term that will require interpretation by the courts, although it implies a lower threshold than the “severe harm” criterion applied in Australia, New Zealand, and the Philippines. Although the term “harm” is not defined, it is likely to encompass emotional, pecuniary, reputational, or physical injury.
Notification Obligation: Data breach definition
Singapore’s definition of “data breach” is largely in line with that in other jurisdictions. A data breach means:
- Any unauthorized access, collection, use, disclosure, copying, modification, or disposal of personal data; or
- Loss of any storage medium on which personal data is stored in circumstances where unauthorized access, collection, use, disclosure, copying, modification, or disposal of the personal data is likely to occur.
It’s worth noting that this definition encompasses unauthorized data alteration. This means that ransomware attacks that encrypt but do not exfiltrate personal data will still qualify as a “data breach.”
The legislation does allow an exception for unlawful access, acquisition, use, disclosure, copying, modification, or disposal of personal data that occurs only within an organization. Thus, if an unauthorized employee gains access to personal data (but does not reveal it outside the organization), this does not constitute a data breach.
Organizations that have cause to believe a data breach has occurred must conduct a “reasonable and timely” evaluation of whether the breach is notifiable. This assessment is typically both technical and legal in nature, as the organization must ascertain whether a data breach occurred, what personal data was compromised, the severity of the potential harm, and the number of affected persons.
If the data breach is determined to be notifiable, the organization is required to notify the PDPC and the affected persons. It is critical to highlight that notification to the PDPC must occur as quickly as possible and, in any case, within 72 hours after deciding that a data breach is reportable. A frequent misunderstanding is that the 72-hour period begins when the data breach is discovered; however, this is not the case under the PDPA.
The importance of a DPO
Of course, there is no need to notify the PDPC and the affected individuals if no breach has occurred. A Data Protection Officer (DPO) is an officer who oversees data protection responsibilities and ensures that the organization complies with the Personal Data Protection Act (PDPA). Under the PDPA, organizations are required to designate at least one individual as a DPO, whose responsibilities include, but are not limited to:
- Ensuring compliance with PDPA when developing and implementing policies and processes for handling personal data;
- Fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;
- Managing personal data protection-related queries and complaints;
- Alerting management to any risks that might arise with regard to personal data; and
- Liaising with the PDPC on data protection matters, if necessary.
With a DPO in place, organizations and their clients can be confident that PDPA requirements are being met and that there is little room for a breach to occur.
Notification Obligation: When waived
The obligation to notify affected individuals is waived if the organization:
- Had implemented any technological measure prior to the breach that makes it unlikely that the data breach will result in significant harm to an affected individual; or
- Is capable of taking action following the breach that makes it unlikely that the data breach will significantly harm an affected individual.
This means that an organization will not be required to notify affected individuals if it possesses technological capabilities to wipe personal data from a lost device remotely. It would, however, be required to notify the PDPC of the breach.
Data intermediaries (Singapore’s term for data processors) who have reason to suspect a data breach has occurred must immediately notify the organization for which they are processing the personal data (the data controller). Notably, this responsibility also applies to data intermediaries processing personal data on behalf of Singapore government agencies, despite the fact that government entities are not subject to the PDPA.
Singapore’s new data breach reporting standards are largely similar to those in other jurisdictions, but they do include some specific provisions that organizations must be aware of, such as the requirement to notify data breaches affecting 500 or more individuals, even if no danger of harm exists.
While mandatory breach reporting rules are becoming more prevalent throughout Asia-Pacific, they are entirely new to Singapore enterprises, and we anticipate a learning curve. Businesses must understand that they now face legal liability for data security problems that they may previously have dismissed as purely technical.
As a result, we anticipate that the new guidelines will increase the number of organizations that purchase cyber risk insurance, as dealing with the impact of even relatively minor data breaches becomes more complicated and expensive.