
It was reported in the public news on 7 May 2021 that a Singapore bank leaked information on more than 1,100 of its customers. It is interesting to know that preliminary findings revealed that an employee fell prey to a Chinese police impersonation scam, leading to disclosure of customer names, identification, mobile numbers and account balances. Without going into the specifics of the case, there are several learning points and considerations when such an incident occurs.
- Root cause analysis – It is important to go beyond identifying the person who committed the act. Establish the underlying reasons causing the incident such as using the “5 Whys” technique to explore cause and effect relationships.
- Accountability – Riding on the spirit of the Guidelines On Individual Accountability and Conduct (IAC) issued by the Singapore regulator, effective on 10 September 2021, the Board, Senior Management, and employees who have authority to make decisions or conduct activities that can significantly impact the financial institution should potentially be accountable when incidents occur. Would the employee in the above case be potentially identified as a “Material Risk Personnel” as defined in the IAC? This will depend on how an organisation establishes the relevant criteria and may well differ from its peers based on the nature of their business and risk.
- Breach Handling and Reporting – As of 1 February 2021, the Singapore Personal Data Protection Act has been amended to include mandatory data breach notification. Organisations which discover a data breach must notify the Personal Data Protection Commission if the breach is likely to result in significant harm to the individuals whose personal data is affected by the breach; or is of a significant scale (not fewer than 500 individuals).
I hope the above provides some food for thought on the potential impacts, actions and follow-ups required when an incident happens. It is no longer adequate to merely identify what happened and apply remedial actions. It now takes an organisation-wide effort and tone from the top to address and satisfy the concerns of all internal and external stakeholders.
Amendments to the Personal Data Protection Act to Take Effect in Phases Starting from 1 February 2021
Disclaimer: The views or opinions expressed are provided for general information and should not be relied upon as legal or professional advice.