Is Your Company’s Crisis Communications Plan Prepared for Cybersecurity Incidents?

A well-written and consistently updated crisis communication plan ensures that a company has the infrastructure in place to respond to a range of natural or man-made crises. While many companies have a crisis communication plan in place, not all plans are equipped to handle cybersecurity-related incidents. Below are six key elements to ensure that your crisis communication plan is prepared to effectively handle cybersecurity incidents.

  1. The plan is comprehensible, short, and flexible.

One of the most common mistakes that a company can make when creating a crisis communication plan is attempting to cover every “what if” situation and making the document too complicated for an employee to comprehend. Especially during times of crisis, making a plan overly complex can paralyze the employee in charge and cause additional confusion. In certain circumstances, this lack of action or unnecessary delay can make a company susceptible to allegations of misconduct or negligence.

  2. One individual should be designated as the spokesperson.

One individual should be designated as the primary spokesperson to represent the company and answer media questions throughout the crisis. Designating a single spokesperson lets the company control its message and prevents the public and employees from receiving information that is inaccurate or misleading. In addition, employees should be instructed to refrain from making any comments until directed by the company. To keep rumors from spreading, the company may also want to prepare an FAQ of pre-approved questions and answers once detailed information about the breach has been gathered. The FAQ can be posted on a public website or used to respond to media or consumer inquiries about the cybersecurity incident.

  3. A legal representative should be involved in the crisis communication process.

A company’s in-house counsel or outside counsel should be involved in the crisis communication process by discussing, reviewing, and approving all external messages. Obtaining feedback from counsel reduces the risk that confidential attorney-client information is inadvertently released, or that misleading statements are inadvertently made about the incident. Releasing confidential information and providing false or misleading statements may damage the company’s chances of prevailing in potential litigation, and injure the company’s reputation.

  4. The plan provides proper and clear guidance to the public.

Many crisis communication plans take an obligatory, proactive approach to notifying the public with a statement like the following: “The company is aware of the crisis and is responding rapidly and responsibly.” While this approach may be appropriate for an earthquake or an active shooter, it may not be the right approach for a cybersecurity incident. Unlike crisis situations where the details of an event are usually known and then released in a matter of hours, data security incidents are often extremely complex and accurate information about a breach may not be known for days or even weeks.

Furthermore, a company may not want to issue a public statement prior to understanding whether a breach actually occurred or the magnitude of the breach. A premature public statement about an incident that turns out to be false can have serious ramifications for the company’s data subjects. These data subjects may be subjected to unnecessary worry, cost, and inconvenience, or attempt to mitigate a harm that may never materialize or exist.

  5. The plan does not conflict with other corporate plans or policies.

A company’s communication plan for a cybersecurity event is typically used in conjunction with an incident response plan. The crisis communication plan must be reviewed and vetted against the company’s incident response plan and with consideration for other policies to ensure that there are no conflicts between policies. Any discrepancies or conflicts between these policies may create delay, confusion, or inaction, and could have serious legal and economic ramifications for both the company and the individuals impacted by the security incident. Discrepancies and conflicts between various plans may also make a company susceptible to allegations of misconduct.

  6. The plan is tested on a yearly basis.

An incident response plan should be tested on a yearly basis. During the annual test, it is important not to neglect a company’s crisis communication plan. Conducting a walkthrough or tabletop exercise will allow a company to address any performance issues or policy gaps that may arise during the testing process. Testing the policy also allows company counsel to effectively train employees on how to handle a real crisis.

Reputation Management: A How-To Guide

The reputational injury following a data breach can be severe. Indeed, reputational injury – including lost customers – often surpasses legal liability. Effective management of the reputational impact of a data security incident requires a proactive and reactive strategy. The proactive strategy assumes that the organization will control when, and what, information will be conveyed to the public, media, and impacted consumers. For many organizations the proactive strategy that they choose is to wait until their investigation of an incident is complete so that they can provide the public with the most accurate and meaningful information. …

Outsourcing your organization’s DPO duties? Consider this

The General Data Protection Regulation will come into effect on May 25, 2018, and will provide a modernized compliance framework for data protection. Because of its extraterritorial reach, entities that operate in the U.S. should take note and consider complying with the regulation. While having a data protection officer, as mandated under the GDPR, is not a new concept and is already required for entities operating in countries such as Singapore and Germany, the extraterritorial scope of GDPR greatly broadens the number of companies that may need to hire one. Article 37(1) of GDPR requires the designation of a DPO in the following circumstances: where the processing is carried out by a public authority or body; where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the controller or the processor consist of large-scale processing of special categories of data or of personal data relating to criminal convictions or offenses.

Due to the extraterritorial scope of GDPR, many companies will be required to spend money on either an internal DPO or a third-party entity such as a law or IT firm to act as their external DPO. According to one study by the IAPP, more than 28,000 new DPOs need to be hired by 2018, and that’s just in the EU and U.S. Applied globally, the IAPP found that number looks more like 75,000. With the shortage of individuals trained to handle DPO responsibilities, it is likely that many entities will look to hire an external third-party DPO. Before hiring an external DPO, entities should consider the following issues:

Can the DPO be adequately involved with an entity’s data privacy program and do the costs justify hiring an external DPO?

Contrary to common belief, a DPO’s duties do not solely involve responding to breach situations and cooperating with supervisory authorities. The GDPR defines a DPO’s duties broadly, including tasks such as monitoring an entity’s compliance with GDPR; providing advice when conducting data protection impact assessments; informing the entity and its employees of their data protection obligations; and cooperating with supervisory authorities. The Article 29 Working Party’s guidance on DPOs further clarifies that a DPO should be invited to participate regularly in meetings with senior and middle management and should be easily accessible within the organization.

Traditionally, law firms and IT consulting firms either charge by the hour or have a fixed budget (or semi-fixed budget) to provide their services. It is important to consider that certain responsibilities, such as attending meetings and monitoring an entity’s compliance with GDPR, may be extremely time consuming and expensive on a per-hour basis. Certain service providers have created a fixed-fee arrangement that may provide cost savings, but at the risk of sacrificing quality by putting less qualified and experienced individuals on certain DPO related duties. In a fixed fee or semi-fixed fee arrangement, an entity should consider the included services along with the experience of the individuals that will be performing those services.

Can the service provider act independently in performing its DPO duties?

According to GDPR Article 38(3) and the Article 29 Working Party’s guidance on DPOs, a DPO must perform its duties and tasks in an independent manner. In other words, the DPO must not be instructed on how to deal with a matter and cannot be instructed to take a particular position on a data privacy issue. For many third-party providers this can be a problem, especially if the service provider has many other engagements with the entity in question. Where a close prior relationship exists, the line is easily blurred, and the service provider may be asked, or may feel pressure, to take a particular position.

Does the DPO have other privacy, data security, or IT related engagements with the entity that could potentially create a conflict of interest?

According to GDPR Article 38(6) and the Article 29 Working Party’s guidance on DPOs, a DPO is allowed to fulfill other tasks and duties, provided those tasks and duties do not result in a conflict of interest with its DPO duties. For many service providers this can be an issue, especially if the service provider has worked with the entity’s management in designing the entity’s privacy program or has assisted the entity in interpreting privacy rules and regulations. A service provider may feel compelled, or uncomfortable, to avoid making determinations that contradict the advice it gave in a previous engagement. By analogy, to preserve independence, U.S. publicly traded companies often use a different firm for Sarbanes-Oxley internal-controls work than for general audit services. Other conflicts to consider include hiring as external DPO the same firm that serves as the entity’s Qualified Security Assessor under the Payment Card Industry rules, or the same firm that provides the entity’s security information and event management (SIEM) services.

Below is a list of questions and issues to consider prior to hiring an external DPO:

  • Do you envision the external DPO being extremely hands on?
  • What kind of fee engagement is the external DPO offering?
  • If the fee engagement is fixed: Are the included services adequate for your organization? Are the individuals handling DPO duties qualified?
  • If the fee engagement is on a per hour basis: Are the rates reasonable given the experience of the individuals performing DPO duties? Are there available discounts for a prepayment of expenses? What kind of duties do you envision the DPO handling?
  • Does the DPO represent other entities in your sector?
  • Does your entity have a close relationship with the external DPO that may cause independence issues?
  • Has the external DPO engaged in any privacy or data security work for your entity in the past? Could that work cause a conflict of interest?

This article first appeared in The Privacy Advisor.

It’s Time to Take Data Privacy Seriously in Singapore

In the past decade, there has been an explosion of new data privacy laws in Asia, but until recently little enforcement of those laws. While certain countries, such as Malaysia, have still not actively enforced their privacy laws, others, notably Singapore, have substantially increased enforcement of their data privacy laws.

Even though the city-state of Singapore is only 720 square kilometers in size, it plays an integral role in the world economy. Singapore, along with Hong Kong, has often been called the “business nexus of the East.” In fact, a recent study conducted by Towers Watson states that Singapore is home to roughly 41 percent of the Asia Pacific headquarters of Fortune 500 companies (compared to 34 percent for Hong Kong and 16 percent for Mainland China).[1]

In 2012, Singapore passed the Personal Data Protection Act (PDPA), which established a general data protection law in Singapore. Among other things, the PDPA governs the collection, use, disclosure, and protection of individuals’ personal data by organizations. The agency in charge of enforcing the PDPA is the Personal Data Protection Commission (PDPC). The PDPA gives the PDPC powers to: (1) investigate organizations’ data protection practices, (2) direct organizations to cease activities that violate the PDPA, (3) direct organizations to destroy personal data collected in contravention of the PDPA, (4) direct organizations to comply with any other orders of the PDPC, and (5) direct organizations to pay a financial penalty, which may not exceed S$1 million.[2]

PDPA guidance on enforcement actions

On April 21, 2016, the PDPC revised the Advisory Guidelines on the Enforcement of the Personal Data Protection Act (Enforcement Guidelines).[3] While the Enforcement Guidelines are not legally binding, they provide guidance on how the PDPC decides which organizations to target for an investigation and what fines it will seek.

The Enforcement Guidelines state that the PDPC may commence an investigation into any organization where the PDPC considers, based on the information it has obtained (whether from a complaint or otherwise), that an investigation is warranted.[4] Among other things, the PDPC looks at the following factors to decide whether to investigate and whether financial penalties may be assessed: whether the organization may have failed to comply with the PDPA, whether the organization has systematically failed to comply with the PDPA, and the potential harm and severity of the misconduct.[5]

Enforcement actions

In the past, the PDPC published enforcement actions related to “do-not-call” rules, which are a set of regulations loosely similar to the US Do-Not-Call rules. However, only recently has Singapore actively enforced and provided guidance on how the PDPC will approach enforcement of other parts of the PDPA.

First shots fired

On April 21, 2016, Singapore’s PDPC published its first set of 11 enforcement actions.[6] The organizations involved range from small businesses to multinationals such as the Singapore subsidiary of China’s Xiaomi. Of the 11 enforcement actions, four organizations were fined for violations of the PDPA and six other organizations were issued warnings.[7] Eight of the 11 actions were based on a breach of Section 24 of the PDPA for failing to implement proper and adequate protective measures, which resulted in the unauthorized disclosure of personal data.[8] Section 24 of the PDPA provides that an organization shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.[9]

The largest fine assessed by the PDPC was S$50,000 against K-Box Entertainment Group Pte Ltd.[10] In 2014, it was reported that the personal information of over 300,000 K-Box members had been leaked and uploaded online.[11] The breach involved names, contact numbers, and residential addresses.[12] The PDPC found that K-Box had failed to put in place adequate security measures to protect personal data in its possession.[13] Among other things, K-Box allegedly failed to enforce a password policy, apply reasonable controls over unused accounts, keep its software up to date, or conduct security audits.[14]

The PDPC also assessed a fine to Finantech Holding, K-Box’s IT service provider. Finantech was in charge of developing, hosting, and managing K-Box’s Content Management System (CMS).[15] As a data intermediary, Finantech allegedly did not implement adequate data security measures for the CMS, such as by patching security vulnerabilities or using a complex password for an administrative account.[16]

Continued enforcement of data privacy laws

Since April 21, 2016, Singapore has increased its rate of enforcement actions. The PDPC has released details of 11 more enforcement actions.[17] Of these 11 new enforcement actions, seven companies received fines ranging from S$500 to S$25,000, and four companies received warnings.[18] As with the first set of enforcement actions released on April 21, the majority (eight of 11) relate to a breach of Section 24 of the PDPA for allegedly failing to implement proper and adequate protection measures.

Among the most recent enforcement actions, the PDPC fined Toh-Shi Printing (Toh-Shi) on two separate occasions for failing to implement proper and adequate protection measures.[19] In both instances, Toh-Shi was a service provider engaged to print and mail paper notices on behalf of its corporate customers.[20] In both cases, Toh-Shi mistakenly sent sensitive financial information to the wrong recipients.[21] The PDPC fined Toh-Shi for allegedly failing to provide adequate quality control and employee training.[22] The Toh-Shi cases suggest that enforcement of Section 24 of the PDPA is not limited to IT security measures, but extends to non-technical measures such as quality control and employee training.

Perhaps the most interesting aspect of the Toh-Shi enforcement actions is that the two different companies that hired Toh-Shi as a service provider were not fined or found in violation of Section 24 of the PDPA.[23] This contrasts with the K-Box enforcement action. Even though Finantech managed part of K-Box’s IT operations, K-Box was still fined for a breach of the PDPA.[24]

The K-Box enforcement action differs from the Toh-Shi enforcement actions in two distinct ways. First, while Finantech was responsible for some of K-Box’s IT operations, it did not manage all of them.[25] K-Box retained some IT-related responsibilities, and its failure to discharge those responsibilities contributed to the breach of over 300,000 customer records.[26] In the Toh-Shi enforcement actions, by contrast, Toh-Shi’s customers outsourced every part of the printing operation, from the initial printing to the mailing of financial records.[27] This suggests that there may be less enforcement risk when an organization uses a service provider to complete all aspects of a process. Second, unlike K-Box, which had no data protection provisions in its contract with Finantech, Toh-Shi’s customers contractually required Toh-Shi to put into place adequate security policies, procedures and controls.[28] In other words, the PDPC’s decisions suggest that imposing contractual requirements on a vendor may help discharge a company’s obligation to take “reasonable and appropriate” steps to secure information.

The Toh-Shi enforcement actions also show how a systematic and continuous disregard to adequate security measures may increase the magnitude of a company’s fines.[29] The systematic and continuous disregard for security measures likely resulted in an increase in Toh-Shi’s second fine, from S$5,000 to S$25,000.

While the fines levied by the PDPC for non-compliance with the PDPA have been relatively modest compared to the million-dollar fines issued in EU countries or the United States, the real cost of a PDPC investigation comes in the form of highly negative publicity and the legal fees and staff time required to defend the investigation.

Future considerations

As Singapore’s PDPC gains more experience and refines its interpretation of the PDPA, we expect to see more enforcement actions in Singapore. According to Singapore’s government directory, there are 18 individuals who work in the Personal Data Protection Commission.[30] Of those 18 employees, roughly a third of the employees have been employed at the PDPC for less than 18 months.[31] Unfortunately, a detailed breakdown of headcount is not available from the Singapore government, but we speculate that as these new employees become more experienced and fully integrated with the PDPC, more enforcement actions will likely occur.

We understand that the PDPC is actively working with entities in Singapore by putting together data protection and security related training and educational sessions. However, the current list of enforcement actions shows that Singapore is also serious about enforcing the PDPA. Of the 22 enforcement actions, a sizeable majority involve companies that may be deemed small or mid-size. We speculate that this may be because the PDPC is still a relatively new government organization and may want to pick relatively easy targets that either have egregious security practices or lack the resources to challenge the PDPC in court. The PDPC may also be following the old Chinese idiom 杀鸡儆猴 (kill the chicken to scare the monkey, i.e., punish the weak to warn the strong). Fining relatively small companies with egregious security practices may be a way for the PDPC to show the general public that it is serious about enforcing the PDPA, and to make examples of a few small companies in order to put larger companies that may not be taking data protection seriously on notice. As the PDPC becomes more experienced, we expect that larger organizations may be targeted and higher fines may be assessed.

Lastly, since data breaches are now high-profile events that often attract rapid and widespread media attention, we expect Singapore to focus heavily on Section 24 of the PDPA, which requires proper and adequate protective measures for personal data. 16 of the 22 enforcement actions involved a failure by the entity to maintain proper and adequate protective measures for personal data.[32]

Considerations for entities operating in Singapore

Recent enforcement actions have shown a propensity for the PDPC to focus heavily on the implementation of proper and adequate protective measures for personal data. The PDPC recently released the Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Guidelines).[33] Similar to the “I know it when I see it” standard for obscenity in the United States, the Guidelines do not provide a checklist of what an organization must do in order to comply with Section 24 of the PDPA. Instead, the Guidelines state that there is no one-size-fits-all solution for data security; rather, security obligations depend on the nature of the information, the form of the information, and the possible impact of its unauthorized disclosure.[34] Among other things, we recommend that companies consider the following measures:

  1. Conduct a privacy and security assessment of policies and procedures. Conducting a data privacy and security assessment allows an organization to review current policies to determine whether (a) the policies and procedures need to be updated and (b) the company actually follows the stated policies and procedures. It is also important to remember that going through the motions of a security assessment is not enough. For example, the PDPC issued a warning to Metro Pte Ltd for not addressing SQL injection vulnerabilities that had been discovered in earlier IT security audits.[35] To effectively lower risk, an organization needs to remediate the issues found through security assessments and audits, and verify the fix. In order to obtain an unbiased and candid opinion of its security measures, an organization should consider using an independent third-party assessor.

Organizations should consider at a minimum, implementing/acquiring the following policies and procedures:

  • Incident response plan.
  • Mobile IT policy.
  • Record retention policy
  • Password management policy.
  • User access and management policy.
  • IT vendor management process.
  2. Conduct an internal data inventory. Knowing the type of data collected and held allows an organization to review the sensitivity of the data and determine whether current security measures are appropriate and reasonable.

Organizations should consider the following when conducting a data inventory:

  • The types of data collected.
  • Where the data is physically housed (e.g., the building or location).
  • Where the data is logically housed (e.g., the electronic location within a server).
  • Whether encryption is applied to the data in transit (i.e., when it is moving). If it is, what encryption standard is being used?[36]
  • Whether encryption is applied to the data at rest (i.e., when it is being stored). If it is, what encryption standard is being used?[37]
  • The custodian of the data (i.e., who is responsible for it).
  • Who has access within the organization to the data.
  • Who has access outside of the organization to the data.
  • Whether the data crosses national boundaries.
  • The retention schedule (if any) applied to the data.[38]
  3. Review IT service provider contracts for adequate data protection provisions. The Toh-Shi enforcement actions suggest that one way an organization can protect itself against a possible enforcement action is to include adequate data protection measures in service provider contracts.

Consider adding the following provisions:

  • Limitations to the use of personal data.
  • Breach notification requirements.
  • Representations, warranties and covenants relating to data privacy and security.
  • Indemnification obligations.
  • Compliance with applicable data protection laws.
  • Data transfer limitations.
  • Audit or monitoring rights.
  • List of certain IT technical safeguards (i.e., encryption standard, access control).
  • Data maintenance/deletion obligations.
  4. Request that IT service providers complete a security questionnaire. Proactively requiring a service provider to complete a security questionnaire may spare an organization the headache of selecting a service provider that lacks adequate security procedures, and hence lowers the risk of a data breach.

When drafting a security questionnaire, consider the following:

  • Designated employee responsible for overseeing security program.
  • Procedures for appropriately destroying documents with sensitive information.
  • Encryption standards for mobile devices.
  • Encryption standards for transmitting sensitive information.
  • Employee training.
  • Data breach incident response.
  • Vendor management process.
  • Process for provisioning user access.
  • Process for de-provisioning user access.
  • Disciplinary measures for security violations.
  5. Conduct data security/privacy training for employees. Conducting data security/privacy training for employees may prevent potential security incidents. This preventive measure allows employees to detect issues earlier and may prevent more serious security incidents in the future.
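
Two of the enforcement actions discussed above turned on basic application hygiene rather than policy: Metro was warned for leaving SQL injection flaws found in earlier audits unremediated, and Fei Fah Medical Manufacturing was cautioned for protecting passwords with MD5 alone (footnote 36). The following script is an added illustration, not code from the article or from any of the organizations named in the PDPC decisions. It shows a login check written with both defects, beside a hardened version that uses a bound query parameter and a salted, deliberately slow password hash. The table layout, the sample account, and the injection payload are constructed for the demo; the PBKDF2 iteration count is an assumption taken from OWASP’s 2023 guidance for PBKDF2-HMAC-SHA256, not a PDPC requirement.

```python
"""Added example: vulnerable vs. hardened login check (constructed demo data)."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample account.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
# Classic payload: closes the quoted string, adds an always-true clause,
# and comments out the rest of the WHERE clause.
INJECTION_USERNAME = "' OR '1'='1' --"


# --- Vulnerable version: string-built SQL and unsalted MD5 ------------------

def setup_vulnerable_db() -> sqlite3.Connection:
    """Stores the password as a bare MD5 digest: fast to brute-force and,
    being unsalted, identical for every user who picked the same password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_md5 TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (USERNAME, hashlib.md5(PASSWORD.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by concatenation, so the username can rewrite the WHERE clause."""
    digest = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND pw_md5 = '" + digest + "'")
    return conn.execute(query).fetchone()[0] > 0


# --- Hardened version: parameterised SQL and a salted, slow password hash ---

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'. A fresh
    16-byte random salt means equal passwords produce different stored values."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and iteration count, then
    compares in constant time so the comparison leaks nothing via timing."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Verified against when the user does not exist, so unknown and known
# usernames take about the same time to reject.
DUMMY_HASH = hash_password("not a real password")


def setup_hardened_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USERNAME, hash_password(PASSWORD)))
    conn.commit()
    return conn


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameter: the driver passes the username as data, never as SQL text."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # equalise timing for unknown users
        return False
    return verify_password(password, row[0])


def demo() -> dict:
    """Runs both versions with the right password, a wrong one, and the injection payload."""
    vuln, hard = setup_vulnerable_db(), setup_hardened_db()
    return {
        "vuln_correct": login_vulnerable(vuln, USERNAME, PASSWORD),
        "vuln_wrong_pw": login_vulnerable(vuln, USERNAME, "wrong"),
        "vuln_injected": login_vulnerable(vuln, INJECTION_USERNAME, "wrong"),  # bypass
        "hard_correct": login_hardened(hard, USERNAME, PASSWORD),
        "hard_wrong_pw": login_hardened(hard, USERNAME, "wrong"),
        "hard_injected": login_hardened(hard, INJECTION_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>14}: {'login accepted' if accepted else 'rejected'}")
```

Run as a script, the vulnerable login accepts the injected username with a wrong password, while the hardened login rejects it; the hardened version also stores a different value for the same password on every enrolment because of the per-user salt. The two fixes are independent: a parameterised query would not save an MD5 password table once it leaks, and a strong password hash does nothing against a query that never checks the password at all, which is why the Metro and Fei Fah findings are listed separately above.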

For good reason, Singapore is one of the most popular places for multinational companies to establish their APAC headquarters. With a strong rule of law, Singapore takes enforcement of its laws seriously, and the PDPA is no exception. The increase in the number of PDPC enforcement actions shows the country’s intention to enforce the PDPA. While the fines levied by the PDPC for non-compliance with the PDPA have been relatively modest, that figure does not capture the time and reputational costs of a PDPC investigation. Entities that operate in Singapore would be wise to bring their practices into compliance with the PDPA and to pay attention to the PDPC’s actions and public statements.

[1] PricewaterhouseCoopers, The Preferred Asian HQ Location (January 28, 2015), available at http://www.pwc.com/sg/en/singapore-budget-2015/budget-2015-01.html.

[2] Personal Data Protection Act of 2012, Sections 28-30, https://www.pdpc.gov.sg/legislation-and-guidelines/legislation; http://statutes.agc.gov.sg/aol/search/display/view.w3p;ident=566a39d6-31e9-44fa-8bb7-2d5bf3c8389a;page=0;query=DocId%3Aea8b8b45-51b8-48cf-83bf-81d01478e50b%20Depth%3A0%20Status%3Ainforce;rec=0#pr28-he-.

[3] Personal Data Protection Commission, Advisory Guidelines on Enforcement of the Data Protection Provisions, (April 21, 2016), https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines-on-enforcement/advisory-guidelines-on-enforcement-of-dp-provisions-(210416).pdf?sfvrsn=2.

[4] Id. at Section 2.

[5] Id. at Sections 15.3 and 25.

[6]  Government of Singapore, PDPC Takes Action Against 11 Organizations for Breaching Data Protection Obligations, April 21, 2016, https://www.pdpc.gov.sg/docs/default-source/media/media-release-for-dp-enforcement-action-(25-apr-2016)(clean).pdf?sfvrsn=0

[7] Id.

[8] Id.

[9] Section 24 of the PDPA.

[10]  Decision of the Personal Data Protection Commission, K Box Entertainment Group PTE. LTD., Finantech Holdings PTE. LTD., [2016] SGPDPC 1, Section 44 (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—k-box-entertainment-(210416).pdf?sfvrsn=4.

[11] Id. at Section 2.

[12] Id. at Section 3.

[13] Id. at Section 30.

[14] Id. at Sections 26 to 29.

[15] Id. at Section 5.

[16] Id. at Section 39.

[17] See Personal Data Protection Commission list of Data Protection Enforcement Cases at https://www.pdpc.gov.sg/commissions-decisions (last accessed November 18, 2016).

[18]  Id.

[19] See Decision of the Personal Data Protection Commission, Aviva Ltd. and Toh-Shi Printing Singapore Pte. Ltd., [2016] SGPDPC 15, (September 21, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision-aviva-ltd-and-toh-shi-printing-singapore-(210916).pdf?sfvrsn=0; Decision of the Personal Data Protection Commission, Central Depository (PTE) Limited and Toh-Shi Printing Singapore Pte. Ltd., [2016] SGPDPC 11, (July 21, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—toh-shi-(210716).pdf?sfvrsn=4.

[20] [2016] SGPDPC 15 at Section 4; [2016] SGPDPC 11 at Section 3.

[21] [2016] SGPDPC 15 at Section 8; [2016] SGPDPC 11 at Section 7.

[22] [2016] SGPDPC 15 at Section 34.

[23] [2016] SGPDPC 15 at Section 28; [2016] SGPDPC 11 at Section 18.

[24] [2016] SGPDPC 1, at Section 39.

[25] See generally, [2016] SGPDPC 1.

[26] Id. at Sections 9 to 12.

[27] [2016] SGPDPC 15 at Section 4; [2016] SGPDPC 11 at Section 3.

[28] See [2016] SGPDPC 1 at Section 12; see also [2016] SGPDPC 15 at Section 27 and [2016] SGPDPC 11 at Section 17.

[29] [2016] SGPDPC 15 at Section 38.

[30]  See Singapore Government Directory for a list of Personal Data Protection Commission employees, https://www.gov.sg/sgdi/ministries/mci/statutory-boards/imda/departments/pdpc (last accessed November 18, 2016).

[31] Of the 18 individuals listed on the Singapore Government Directory, we found 13 of the individuals on LinkedIn. The information was based on a review of their LinkedIn profiles on November 18, 2016.

[32] See Personal Data Protection Commission list of Data Protection Enforcement Cases at https://www.pdpc.gov.sg/commissions-decisions  (last accessed November 18, 2016).

[33] Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (July 15, 2016), https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines/advisory-guidelines-on-key-concepts-in-the-pdpa-(15july16).pdf?sfvrsn=2.

[34] Id at Section 17.

[35] Decision of the Personal Data Protection Commission, Metro Pte Ltd., [2016] SGPDPC 7, (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—metro-(210416).pdf?sfvrsn=2.

[36] In a recent enforcement action, the PDPC cautioned against the sole use of the common MD5 hash standard to encrypt passwords; see Decision of the Personal Data Protection Commission, Fei Fah Medical Manufacturing Pte Ltd., [2016] SGPDPC 3, (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—fei-fah-medical-manufacturing-(210416).pdf?sfvrsn=2.

[37] Id.

[38] Zetoony, David, Data Privacy and Security: A Practical Guide for In-House Counsel, Pg. 2-3, May 2016.

Practical Data Security Takeaways from Australia’s Recent Privacy Determination

The Privacy Act of 1988 (Privacy Act), which includes the 13 Australian Privacy Principles (APPs), is Australia’s federal law regulating the collection, use, and disclosure of personal information. Recently, the Office of the Australian Information Commissioner (OAIC) has stepped up its enforcement of the Privacy Act. This article reviews OAIC’s recent privacy determinations and discusses practical data security related takeaways that can help companies ensure compliance. …

Social Media Privacy Concerns: A How-To Guide

The majority of organizations utilize social media to market their products and services, interact with consumers, and manage their brand identity.  Many mobile applications and websites even permit users to sign-in with their social media accounts to purchase items or use the applications’ services.

While using third party social media websites has significant advantages for businesses, it also raises distinct privacy concerns.  Specifically, the terms of use that apply to social media platforms may give the platform the right to share, use, or collect information concerning your business or your customers.  To the extent that the social media platform’s privacy practices are not consistent with the practices of your own organization, they may contradict or violate the privacy notice that you provide to the public. …

Cyber-Extortion: A How-To Guide

Cyber extortion refers to a situation in which a third party threatens that if an organization does not pay money, or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extorter, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators. …

Bounty or Bug Programs: A How-To Guide

Data security officers typically look for security risks by monitoring reports from automated security systems, listening to employees’ reports of security issues, and/or auditing IT systems. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum, some organizations refuse to discuss any aspect of their security with the public. On the other end of the spectrum, organizations proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat hackers” or “independent researchers”) to report problems. …

Document Retention Periods: A How-To Guide

Data minimization can be a powerful – and seemingly simple – data security measure. The term refers to retaining the least amount of personal information necessary in order for an organization to function. Less information means that there is less that the organization needs to protect, and less opportunity for information to be lost or stolen. …

Seeing the Silver Lining: 4 Positive Aspects of GDPR for Businesses

Since the General Data Protection Regulation (GDPR) was proposed, IT professionals, lawyers, and consultants have been talking about the potentially game-changing effect that it may have on businesses around the world. Similar to how US citizens in the 1950s and 60s were trained to prepare for a nuclear war, the vast majority of articles and presentations on GDPR relate to how one should prepare for a potential doomsday scenario. The looming risks and challenges of GDPR are real and daunting. Among other things, the regulation has a broad territorial scope, may require companies to appoint a Data Protection Officer, and encourages the incorporation of Data Protection Impact Assessments into an amended privacy program. However, there is a silver lining to almost everything, and GDPR compliance is no exception. This article discusses four “silver lining” benefits of GDPR as compared to the current data protection scheme in Europe.

Harmonization of EU privacy laws

One of the biggest complaints from companies operating in Europe is that they have to monitor and comply with the laws of 28 different countries. Under the EU Directive 95/96/EC (“EU Directive”), data privacy laws are essentially addressed at the member state level. Put another way, the EU Directive provides a framework within which EU countries develop and maintain their own privacy rules and regulations. The result is that current data privacy law is essentially a patchwork of different laws from various member states, which often leads to uncertainty for businesses and their EU-based clients, as well as substantial compliance costs.

Except for employment or national security-related privacy matters, GDPR will allow companies to focus on one all-encompassing, uniform set of data privacy regulations. This has the potential to help small- to mid-sized companies operating in or collecting information from EU residents. Rather than deciding between “full” compliance, which involves spending significant amounts on legal fees and relying on subjective analyses of various EU member state laws, or rolling the dice with non-compliance in certain EU countries, GDPR may permit companies to save costs and reduce risk by following a uniform set of rules that apply to the entire European Union.

Lead authority one-stop shop

Under the aforementioned EU Directive, there are over 20 different privacy regulations that a company operating in Europe must comply with. Although the EU Directive created a mechanism that was designed to facilitate communication between member state data protection authorities, investigations and enforcement actions are often done separately by various member states.

While companies would have preferred a system in which a single privacy regulator has exclusive competence, GDPR allows companies to deal with one “lead authority” in the company’s place of main establishment. Other member state data protection authorities will still be able to investigate and enforce data protection issues if a complaint is directed to them, but they must notify the lead authority of their intention to investigate or take action.

The lead authority will then have three weeks to determine whether it wishes to intervene and proceed jointly. While there are other nuances and exceptions, as a whole, GDPR’s designation of a lead authority has the potential to encourage member state authorities to work together on enforcement and investigation matters in a predictable and efficient manner, allowing companies to focus time, energy, and resources on dealing with one regulator.

Data breach reporting

The United States does not have a general federal breach reporting statute. Instead, most US states have their own data breach reporting rules and regulations. The current EU Directive also does not contain a general data breach reporting obligation. Rather, data breach reporting requirements are determined by each member country. Some member states, such as Germany and the Netherlands, have implemented data breach reporting obligations, while others, such as the United Kingdom, Denmark, and Ireland, have not. GDPR introduces a general obligation to report data breaches. GDPR Article 33(1) states that the breached entity must, without undue delay, notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

GDPR’s breach notification requirement may be advantageous to most companies. Similar to the burden of keeping track of changes in breach reporting statutes in the United States, the current EU Directive creates a burden on companies to keep track of the breach reporting statutes of each member country. For in-house counsel, contract negotiation over data breach provisions can be lessened and streamlined by vendor companies providing detailed data breach reporting provisions in their standard contracts as a component of GDPR compliance. Furthermore, the period following a data breach is often hectic. In addition to keeping up with breach reporting regulations, breached companies also have to deal with contractual liability, PCI-DSS issues, and internal business/PR issues. Having to report to only one supervisory authority, rather than figuring out which member states to report to, saves time and energy for in-house counsel, particularly in smaller in-house departments. GDPR allows companies to maintain one all-encompassing EU data breach response plan.

Competitive advantage for GDPR compliant US entities

Compliance with GDPR, in addition to the cost and time savings mentioned above, can also serve as a competitive advantage in the US marketplace. Although GDPR is in most cases not directly applicable to a US-based customer company, a vendor company that complies with it can point to compliance with data privacy regulations more stringent than those required under US law. This engenders trust in the vendor and provides the customer company with the tangible benefits of transparency, privacy, and security with respect to the vendor’s treatment of the customer’s data. Customer companies are increasingly seeking to rely upon their vendors’ regulatory compliance as part of their overall compliance policies, and vendors that comply with GDPR support those initiatives.