DATA BREACHES - THERE’S NO PITY PARTY

It never rains but it pours. Your data just got stolen, and the next thing you know, you’re facing a $16,000 fine. That’s why it’s crucial to prevent data breaches, and why you should know how cyber security and Personal Data Protection Act (PDPA) compliance work hand in hand to protect your company.

A data breach is a security incident in which information is accessed without authorisation. It usually happens when an attacker finds an unauthorised way into an organisation’s systems or databases and gains access to customer data such as passwords, credit card numbers, banking details and other sensitive information.

Data breaches hurt businesses and consumers in a variety of ways. They are costly, and the damage to affected individuals and to the organisation’s reputation can take a long time to repair. [1]

What is the Personal Data Protection Act (PDPA)?

The PDPA is an act enforced by the Personal Data Protection Commission (PDPC). It is a data protection law comprising rules that govern the collection, use, disclosure and care of personal data. It recognises both the right of individuals to have their personal data protected and the need of organisations to collect, use or disclose personal data for legitimate purposes. [2]

10 questions to check whether your company complies with the PDPA [3]

  • Do you have a Data Protection Officer?
    All organisations must appoint at least one person as the Data Protection Officer (DPO). The DPO function is management’s responsibility and, ideally, the appointed DPO should be part of the management team. The operational DPO functions, however, may be delegated to one or a few employees, or outsourced to a service provider (Data Protection Service Provider).
    Once you have decided on the person(s) to appoint, brief them on their roles and responsibilities. Then tell all your staff who the DPO is, so that they can forward all PDPA-related queries and feedback to him/her.

  • Do you notify the customer of your purpose in collecting, using or disclosing his/her personal data?
    The customer should be fully aware of what personal data is collected, used or disclosed, and for what purpose.

  • Do you seek the customer’s consent when collecting, using or disclosing his/her personal data?
    The customer should give consent for their data to be collected, used or disclosed.

  • Do you allow the customer to withdraw consent at any time?
    The customer should be allowed to withdraw consent regarding their personal data at any time.

  • Do you respond adequately (within 30 days) when individuals ask how their personal data has been used?
    If you are unable to provide a response within 30 days, you must inform the individual within those 30 days and let him/her know when you will be able to respond.

  • Do you allow the correction of personal data?
    Customers should be able to correct or update the personal data the organisation holds about them.

  • Are security arrangements in place to protect all personal data held by your organisation?
    Establish security arrangements to protect the personal data in your organisation’s possession or control, to prevent unauthorised access, collection, use or disclosure of the data and similar risks.

  • Do you dispose of personal data that is no longer needed?
    Stop holding on to personal data once you no longer have any business or legal use for it.

  • Do you check the Do Not Call Registry before telemarketing?
    If you conduct telemarketing to subscribers or users of Singapore telephone numbers, you must submit the telephone numbers on your telemarketing list for checking against the Do Not Call (DNC) Registry, unless the subscriber or user has given clear and unambiguous consent to receive such messages.

  • Do you communicate your data protection policies, practices and processes?
    Provide the business contact information of your DPO so that customers can contact him/her with PDPA-related queries or complaints.

How does Cyber Security help to mitigate the risk of data breach? 

Most data breaches are avoidable with the right measures in place.
Skimping on cyber security spending is a false economy. In an age when data is so valuable, some consequences of a breach, such as data that is already in an attacker’s hands, cannot be reversed.

Ways to mitigate the risk of data breach with cyber security 

  • Critical Infrastructure Security

Securing the IT infrastructure as a whole also protects the mission-critical applications running on it that cannot afford any downtime.

Common attacks such as DDoS can be mitigated by routing inbound traffic through a mitigation (scrubbing) facility rather than relying on the on-premises firewall alone, which a volumetric attack can simply overwhelm. With this approach, the customer’s real IP address is hidden behind a virtual IP owned by the mitigation service, so all traffic is filtered before it is forwarded to the customer’s network. [4] This only works if the real address stays private and the origin accepts traffic from the mitigation service alone; an attacker who discovers the real address can otherwise bypass the scrubbing entirely.

  • IP Address

An organisation will typically have servers with externally facing IP addresses sitting in a DMZ. These servers have static public IP addresses and are reachable from anywhere on the Internet.

It is therefore important to scan this public address range regularly for exposed services and known weaknesses, and to compare the results against what is actually meant to be exposed, so that an unintended opening does not lead to crucial data being leaked.

One mitigation is application-layer defence: choose a network firewall (or web application firewall) with strong application-layer protection, that is, one that inspects the content of requests and blocks malicious ones instead of filtering on addresses and ports alone. Another suggested mitigation is a dynamic IP address that changes over time and differs on each connection, so that an address an attacker has recorded soon stops pointing at the target. [5] Note that this helps mainly for client machines: a DMZ server that customers reach by name must be resolvable through DNS, so whatever address it currently holds is exposed, and scanning and hardening the range is what actually reduces its attack surface.
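The regular scan of the public range recommended above becomes a repeatable control only if each scan is compared against an approved exposure baseline. The following Python script is an added example, not code from the original article or from Netpluz: it parses nmap’s grepable output (-oG) for a DMZ range and flags every open TCP port that the baseline does not allow. It also covers the caveat from the Critical Infrastructure Security section, since an origin server that is supposed to sit behind a mitigation service’s virtual IP is given an empty allow-list and is reported if it answers directly from the Internet. All addresses, hostnames, services and scan lines are constructed for illustration (203.0.113.0/24 is a documentation range), and the baseline is an assumed allow-list.

```python
"""Exposure-drift check for a public (DMZ) address range.

Added example, not code from the original article: it parses nmap's
grepable output (-oG) for a scanned range and flags every open TCP port
that is not in an approved exposure baseline.  All addresses, hostnames,
services and scan lines below are constructed for illustration
(203.0.113.0/24 is a documentation range)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed output of `nmap -sS -oG - 203.0.113.8/29` run from outside the
# organisation's network.  Three things are planted in it:
#   .10  web server, exposing exactly what the baseline allows
#   .11  mail relay with an extra management port (8080) open
#   .12  origin server that is supposed to sit behind a DDoS mitigation
#        service's virtual IP, so from the Internet it should answer on nothing
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -oG - 203.0.113.8/29
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http//nginx/, 443/open/tcp//http//nginx/\tIgnored State: filtered (998)
Host: 203.0.113.11 (mail.example.com)\tStatus: Up
Host: 203.0.113.11 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix/, 443/open/tcp//http//nginx/, 8080/open/tcp//http-proxy//Apache Tomcat/\tIgnored State: filtered (997)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 443/open/tcp//http//nginx/\tIgnored State: filtered (999)
# Nmap done -- 8 IP addresses (3 hosts up) scanned
"""

# Approved exposure baseline (assumed allow-list for the example): the only
# (address, TCP port) pairs that should be reachable from the Internet.  The
# origin at .12 is listed with an empty set on purpose: it must only accept
# traffic from the mitigation service, never from arbitrary Internet sources.
BASELINE: Dict[str, Set[int]] = {
    "203.0.113.10": {80, 443},
    "203.0.113.11": {25, 443},
    "203.0.113.12": set(),
}

# Matches "Host: <ip> (<name>)\tPorts: <list>[\tIgnored State: ...]" lines;
# the "Status: Up" lines carry no port information and are skipped.
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$"
)


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {ip: {open TCP ports}} parsed from nmap -oG output."""
    found: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _name, port_list = m.groups()
        for entry in port_list.split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                found.setdefault(ip, set()).add(int(fields[0]))
    return found


def exposure_drift(scan: Dict[str, Set[int]],
                   baseline: Dict[str, Set[int]]) -> List[Tuple[str, int]]:
    """Return (ip, port) pairs that are open but not approved.

    A host absent from the baseline has no approved ports at all, so
    everything it exposes is reported."""
    drift: List[Tuple[str, int]] = []
    for ip, ports in scan.items():
        for port in sorted(ports - baseline.get(ip, set())):
            drift.append((ip, port))
    return drift


def check_range(scan_text: str, baseline: Dict[str, Set[int]]) -> List[str]:
    """Run the drift check and return one human-readable line per finding."""
    findings: List[str] = []
    for ip, port in exposure_drift(parse_grepable(scan_text), baseline):
        if baseline.get(ip) == set():
            why = "host should not be reachable directly (bypasses mitigation service)"
        elif ip not in baseline:
            why = "host not in baseline"
        else:
            why = "port not in baseline"
        findings.append(f"{ip}:{port}/tcp open - {why}")
    return findings


if __name__ == "__main__":
    for line in check_range(SAMPLE_SCAN, BASELINE) or ["no drift from baseline"]:
        print(line)
```

In practice the scan is run from a vantage point outside the organisation (otherwise a firewall that only restricts Internet sources will not be exercised) and the script reads the saved `-oG` file instead of the embedded sample; any finding is a ticket to either close the port or, if the exposure is intended, update the baseline through change control.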

  • Cloud Services

Is the convenience of the cloud still as enticing now that you know the threats? Fret not: put cloud security in place to mitigate the risk of a data breach when storing your data in the cloud.

Insufficient due diligence will cost you dearly. Hiring the right people to monitor what is going on in your cloud workspaces can help you prevent or contain data breaches, or you can use a unified cloud management platform to do the monitoring. [6]

Conclusion

All in all, cyber threats are ever-present, and the PDPA is important legislation governing how data is handled and exchanged. Attackers will keep mining cyberspace for any information they can exploit financially, so it is important to be ready when push comes to shove.

Netpluz can be your one-stop solution for all the cyber security services your company might require. Our managed cyber security services include a simple, cost-effective cloud-based solution that mitigates and protects against external threats such as DDoS attacks, securing your backend network and the mission-critical applications that cannot afford downtime.

Please feel free to book an appointment by submitting your information here for a free consultation.

Author: Ong Wei Zhao

References

[1] https://cyber-armada.com/data-breach.html#:~:targetText=What%20is%20a%20Data%20Breach%3F,and%20take%20time%20to%20repair.

[2] https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview

[3] https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Help-for-Oragnisations/dp-starter-kit---171017.pdf

[4] https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

[5] https://www.sciencedirect.com/topics/computer-science/internal-server

[6] https://medium.com/swlh/7-ways-to-secure-your-office-365-from-data-breach-86537dcb70db
