Data Breach – The Responsibility of the Data Controller, That Is YOU!
Data Breach: What Actually Happened In The Recent Singtel Case
Some of us started following the Accellion data breach case in late December, sometime around the Christmas Day period. Accellion discovered that a bad actor had hacked its way into the secure file transfer application via a zero-day vulnerability. Interestingly, this file transfer application product is due to retire in April 2021. Most only came to know about the case in mid-February 2021, through headlines similar to this – “Nearly 130,000 Singtel customers’ personal information, including NRIC details, stolen in data breach”.
Who’s Responsible for the Data Breach? Data Intermediary (Accellion) OR Data Controller (Singtel)?
The question remains for business owners or business management, also known as the data controller: is it Accellion, or the data controller that uses Accellion’s service?
Unless there are exceptions in the contractual arrangements, Accellion is only a cloud service provider, a data intermediary, or a third-party outsourced partner.
“The primary accountability, under general circumstances, remains with the organization that has collected, and owns, the personal data of the individuals.”
Customers will not be making phone calls to Accellion about their privacy concerns; they will call Singtel. Singtel has done well in this breach situation: Singtel Group CEO Yuen Kuan Moon apologized “unreservedly” for the data breach and its impact on the affected individuals. That is corporate transparency, and it helps affected individuals to assess their exposure risk.
The Singapore Personal Data Protection Act (PDPA) defines data intermediaries as organizations that process personal data on behalf of a data controller, pursuant to a contract. It is quite clear that data controllers (organizations, companies, institutions, etc.) are the owners of the data.
Two Important Points To Note In A Data Breach Situation:
- The data controller (data owner) is responsible for reporting the breach to the PDPC (Personal Data Protection Commission), as per the Breach Notification Obligation (1 February 2021).
- In the ensuing investigation, the due diligence report prepared before the appointment of the data intermediary will be required for submission (in this case, due diligence on a cloud service provider).
“For organizations that have yet to conduct any risk-based due diligence on their data intermediaries, it may be time to take action on this as soon as possible.”
This includes apps (applications) that organizations use online, especially where the personal data is stored outside of Singapore. The PDPA Transfer Limitation Obligation has compliance requirements for personal data stored outside of Singapore.
Do You Know What To Do If Your Organization Encounters A Data Breach?
For those who do not, equipping the organization with relevant and adequate PDPA training now becomes an imperative.
As recent cybersecurity breaches show, the cost of responding to a cyber breach can be financially high.
“Most organizations have never considered cybersecurity insurance coverage until it is too late.”
Insurance is a risk mitigation tool, not merely an investment as many view it. It is a tool to reduce the organization’s risk exposure, and it demonstrates due care in managing the organization’s welfare.
Equip and enable your organization with the right risk and data protection solutions. Reach out to Region Management Pte Ltd at manager@regionmgmt.com, or visit www.regionmgmt.com.