Singapore introduces mandatory data breach notification requirements
At the beginning of February, Singapore became the latest Asian jurisdiction to introduce mandatory data breach notification rules. The new rules were enacted as amendments to Singapore’s Personal Data Protection Act 2012 (“PDPA”), which has been in effect for more than six years.
Mandatory data breach notification rules are fast gaining popularity across Asia-Pacific. Eight jurisdictions (Singapore, mainland China, Indonesia, the Philippines, South Korea, Taiwan, Australia and New Zealand) now have some form of breach notification rules, and this will become nine when Thailand begins enforcement of its new Personal Data Protection Act later this year. Breach notification rules are also on the legislative agenda in India and Hong Kong.
Singapore’s new provisions require an organisation to notify a data breach if it:
- Results, or is likely to result, in significant harm to an affected individual; or
- Affects, or is likely to affect, 500 or more individuals.
Singapore’s law is unusual in that a data breach can be notifiable on either of two independent grounds: the harm it could cause, or the number of affected individuals. In most other jurisdictions, whether a breach is notifiable depends solely on the former. For example, in Australia, a breach will be notifiable if it is likely to cause serious harm to even a single individual, but if it will not cause serious harm, it will not be notifiable regardless of how many individuals it affects. South Korea is the only other jurisdiction in Asia that takes the number of affected individuals into account in determining whether a breach is notifiable.
In terms of the effect of the data breach, Singapore requires notification if it is “likely” to result in “significant” harm. In ordinary English, “likely” means that the risk of harm must be more probable than not; however, courts have sometimes interpreted “likely” in legislation more broadly, to mean a real possibility, even if the probability is less than 50%. “Significant harm” is also a phrase that will need to be interpreted by the courts, but it suggests a lower standard than the “serious harm” standard used in Australia, New Zealand and the Philippines. “Harm” is not defined, but presumably could include emotional, financial, reputational or physical harm.
Singapore’s definition of “data breach” is largely in line with that in other jurisdictions. A data breach means:
- Any unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or
- Loss of any storage medium on which personal data is stored, in circumstances where unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
It is interesting to note that this definition includes the unauthorised modification of personal data. This means that a ransomware attack that encrypts personal data, but does not exfiltrate it, will still constitute a “data breach”, because encrypting the data is an unauthorised modification of it. Whether such a breach is also notifiable is a separate question, answered by applying the harm and scale tests above; and in practice an organisation should not assume that nothing was exfiltrated merely because the attacker’s stated goal was extortion.
However, the law makes an exception for unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data that occurs solely within an organisation. So if a rogue employee accesses personal data they were not authorised to view, and does not disclose it outside the organisation, that will not constitute a data breach. The exception is lost the moment the data leaves the organisation, for example if the employee forwards it to a personal email account.
Organisations which have reason to believe that a data breach has occurred must assess whether the breach is notifiable in a “reasonable and expeditious” manner. This assessment will usually be both a technical and a legal exercise: the organisation will need to establish whether a data breach actually occurred, which personal data was affected, how serious the resulting harm could be, and how many individuals are affected. Incident response records (what was accessed, when, and by whom, and whether any data left the environment) are therefore the evidence on which the legal assessment rests, and they should be preserved with that purpose in mind.
If this assessment determines that the data breach is notifiable, the organisation must then notify the Personal Data Protection Commission (“PDPC”) and the affected individuals. It is important to note that the notification to the PDPC must be made as soon as practicable, and in any event within 72 hours of determining that the data breach is notifiable. A common misconception is that the 72 hours begins from the time the data breach is discovered; this is not the case under the PDPA. The clock runs from the determination that the breach is notifiable, which is precisely why the assessment itself must be carried out expeditiously rather than used to defer the deadline.
There is an exception to the obligation to notify affected individuals if the organisation:
- Had implemented, before the breach, any technological measure that makes it unlikely that the data breach will result in significant harm to an affected individual; or
- Is able to take action after the breach that makes it unlikely that the data breach will result in significant harm to an affected individual.
This would mean that an organisation will not need to notify affected individuals if, for example, it has technological means to remotely wipe personal data from a lost device, or if the data on the lost device was encrypted with a key the finder does not have. However, it would still need to notify the breach to the PDPC, and it will need to be able to show that the measure was in fact in place before the breach (or was actually taken after it), not merely that it was available.
Data intermediaries (Singapore’s term for data processors) which have reason to believe that a data breach has occurred must notify the organisation for whom they are processing the personal data (in other words, the data controller) without undue delay. Interestingly, this obligation also extends to data intermediaries processing personal data on behalf of Singapore government agencies, even though government agencies themselves are not subject to the PDPA.
Singapore’s new data breach notification rules are broadly similar to those in other jurisdictions, but they do have some unique features of which organisations will need to be aware, such as the need to notify data breaches which affect 500 or more individuals, even if they do not pose any risk of harm.
While mandatory breach notification rules are becoming more common across Asia-Pacific, they are entirely new to Singapore businesses, and we expect that there will be a learning curve. It is important that organisations realise that they now have legal obligations in relation to data security incidents that they may previously have regarded as purely technical issues.
For this reason, we expect that the new rules will encourage more organisations to take out cyber risk insurance, as dealing with the fallout of even relatively minor data breaches becomes a more complex and expensive exercise.