On 22 May 2019, the Personal Data Protection Commission (“PDPC“) launched a guide titled “Guide to Managing Data Breaches 2.0” (the “Guide“) that refreshes an earlier guide on the topic that was published in 2015.
The refreshed Guide retains some of the best practices for managing data breaches in the earlier guide and provides some additional colour. In particular, more details on whether, when and how to report data breaches have been added in light of proposed changes to the Personal Data Protection Act (the “PDPA“) to introduce a mandatory breach notification requirement.
A summary of the PDPC’s refreshed four step data breach management plan and the updated breach reporting section is provided below.
Guide to Managing Data Breaches 2.0
To effectively manage and respond to data breaches, and in anticipation of the PDPC’s proposed mandatory breach notification requirement, the Guide encourages organizations to implement a data breach management plan. An effective data breach management plan should follow four key steps (using the acronym of C.A.R.E.):
Step 1: Contain the data breach to prevent further compromise of personal data.
The appropriate persons within the organisation should be notified, including the data breach management team. An initial assessment of the data breach should be conducted to determine its cause and severity. Immediate steps must be taken to contain the breach and limit any further access to or disclosure of the personal data.
Step 2: Assess the data breach by gathering the facts and evaluating the risks,
including the harm to affected individuals.
Within 30 days from when the potential data breach is first brought to its attention, the affected organization must undertake an in-depth assessment of the extent and the likely impact of the data breach. The assessment should take into consideration the context of the data breach, the ease of identifying individuals from the data and the other circumstances surrounding the breach. Where assessed to be necessary, continuing efforts should be made to prevent further harm even as the organization proceeds to implement full remedial action.
Step 3: Report the data breach to the PDPC and / or affected individuals, if necessary.
The Guide details whether, when and how data breaches should be reported to the PDPC and / or affected individuals. Following the internal assessment under Step 2, organizations should notify the PDPC if the data breach is likely to result in significant harm or impact to the individuals to whom the information relates; or is of a significant scale (i.e. the data breach involves personal data of 500 or more individuals). Organizations should notify the affected individuals if the data breach is likely to result in significant harm or impact to the individuals to whom the information relates. This allows affected individuals to take steps to protect themselves from the risks of harm or impact from the data breach (e.g. review suspicious account activities, cancel credit cards, and change passwords).
The Guide also provides notification timelines. The PDPC should be notified as soon as practicable, and no later than 72 hours after internal assessments confirm that the breach is eligible for notification. Affected individuals are to be notified as soon as practicable. When in doubt, organizations should seek clarification from the PDPC as to whether they should notify affected individuals.
According to the Guide, data intermediaries need not notify the PDPC or affected individuals of a data breach. Data intermediaries should instead inform their clients, the organizations, of a potential or confirmed data breach without undue delay. Under the Guide, undue delay refers to a period no longer than 24 hours.
Step 4: Evaluate the organization’s response to the data breach incident and consider the actions which can be taken to prevent future data breaches.
The Guide encourages all affected organizations to review and learn from the data breach incident to improve its personal data handling practices and prevent the reoccurrence of similar data breaches.
The Guide is also relevant to an organization’s obligations under the PDPA. Notifications made by the organization (or the lack of notifications), and the adequacy of an organization’s recovery procedures, will influence the PDPC’s assessment of whether an organization has reasonably protected the personal data in its possession or under its control, under Section 24 of the PDPA.
For more details, please refer to the Guide here. Please let us know if you have any queries regarding the information provided in the Guide or any other related matters.
