Data Breach Response Plan and Enforcement
NUS Faculty of Law

Summary
This document details a data breach response plan, including activities like containing the breach, assessing risks, reporting the incident, and evaluating the response. It also discusses the different enforcement options for data breaches. It covers topics such as data breach management, the response plan, reporting, evaluation, and enforcement.
9. DATA BREACH RESPONSE PLAN AND ENFORCEMENT

The ‘key takeaway’ from this chapter is knowing how to develop and implement a data breach management response plan, and learning more about the different enforcement options of the PDPC.

(a) Use the CARE activities in the breach response plan:
Containing the Breach to prevent further compromise of data and implement mitigating action(s) to minimise potential harms from the breach, after an initial appraisal has been conducted to determine the extent of the breach.
Assessing Risks and Impact to determine the root cause (where possible) and the effectiveness of the containment action(s) taken thus far to contain the data breach. Where necessary, continuing efforts should be made to prevent further harm from the data breach.
Reporting the Incident to the PDPC (mandatory if the breach is a notifiable data breach under the Personal Data Protection Act (“PDPA”); organisations may also inform the PDPC of the data breach voluntarily) and/or to the affected individuals (if required under the Data Breach Notification Obligation (“DBN Obligation”)).
Evaluating the organisation’s response to the data breach and considering the actions that can be taken to prevent future data breaches. Where necessary, continuing efforts should be made to prevent further harm from the data breach.

(b) Consider the different types of enforcement options of the PDPC in the event of a contravention of the PDPA.

9.1 Data Breach Management Plan and a Data Breach Management Team

9.1.1 Personal data protection breaches can occur for various reasons, such as malicious activity, human error and computer system error. Therefore, an organisation should develop and implement a personal data breach management process to address personal data breaches.
The plan may include the following activities:
(a) containing the personal data breach;
(b) assessing the risk(s) resulting from the personal data breach;
(c) reporting the personal data breach; and
(d) evaluating the response and recovering to prevent future personal data breaches.

9.1.2 An organisation should have a clearly documented data breach management plan in place, which documents its personal data breach management process. The data breach management plan should set out the following:
(a) a clear explanation of what constitutes a data breach (both suspected and confirmed), which will assist employees in identifying a data breach and responding promptly should one occur;
(b) steps to report a data breach internally. The role of each employee is important in reporting data breaches. When an employee becomes aware of a potential or real data breach, he or she should know how, and to whom, to report the data breach within the organisation (e.g. specific individual(s) with expertise in handling data breaches, the data protection officer, a senior management representative, or the data breach management team). As such, it is important to include the contact mode/details and the circumstances under which the person(s) would be notified in the event of a data incident;
(c) how to respond to a data breach. The strategy for containing, assessing and managing data breaches would include the roles and responsibilities of the employees and the data breach management team. Organisations can also consider preparing contingency plans for possible data breach scenarios and the measures to be taken, or running regular breach simulation exercises to better prepare themselves to respond to data breaches in a prompt and effective manner; and
(d) the responsibilities of the Data Breach Management Team, which will ensure that the organisation’s response to the data breach is not unnecessarily delayed. The composition and the roles and responsibilities of each member of the management team should be clear.
In addition, a clear command and reporting structure of personnel at the management level who would be responsible for assessing the risks and making time-critical decisions on the steps to be taken to contain and manage the data breach should be established and documented.

9.1.3 As part of the development of its personal data breach management process, an organisation should form a Data Breach Management Team. It should have a clear command and reporting structure of key employees who would take charge and make time-critical decisions on the steps to be taken to contain the breach and to manage it. The organisation should document such responsibilities and authority clearly.

9.1.4 An organisation’s personal data breach management process should also document clearly the circumstances under which the Data Breach Management Team would be alerted by employees about any personal data protection breach of which an employee is or becomes aware. It should include the contact details of the individual(s) in the Data Breach Management Team who should be alerted about any personal data protection breach. It should also include when (the circumstances under which) the Data Breach Management Team will be activated to manage a personal data protection breach, versus the circumstances where, for example, the DPO is able to deal with it. For example, an organisation might decide that the DPO should deal with any situation that is a one-off and minor breach affecting very few individuals.

9.1.5 Finally, an organisation’s personal data breach management process should include examples of possible personal data breach scenarios and how the organisation might respond to them. Organisations can also consider preparing contingency plans for possible data breach scenarios and the measures to be taken, or running regular breach simulation exercises to better prepare themselves for responding to data breaches in a prompt and effective manner.
Such scenarios would generally be specific to the organisation, and the DPO might develop them by, for example, reference to the data protection risks identified by the organisation in its Data Protection Management Programme (DPMP).

9.2 Containment of the Data Breach

9.2.1 An organisation should act swiftly as soon as it is aware of a data breach, whether suspected or confirmed. Upon detection, the person responsible should activate the Data Breach Management Team, as the team is responsible for carrying out the actions that can reduce the potential impact of a data breach.

9.2.2 When a personal data breach occurs, it is important to contain the breach. The following are some measures which should be considered, where applicable:
(a) Shut down the compromised system that led to the data breach;
(b) Establish whether steps can be taken to recover lost data and limit any damage caused by the breach (e.g. remotely disabling a lost notebook containing personal data of individuals);
(c) Prevent further unauthorised access to the system. Reset passwords if accounts and passwords have been compromised;
(d) Put a stop to practices that led to the data breach (e.g. shredding paper documents containing personal data instead of throwing them into the garbage bin);
(e) Isolate the causes of the data breach in the system and, where applicable, change the access rights to the compromised system and remove external connections to the system;
(f) Address lapses in processes that led to the data breach; and
(g) Notify the police if criminal activity (e.g. hacking, theft or unauthorised system access by an employee) is suspected, and preserve evidence for investigation.

9.2.3 An initial assessment of the data breach should be conducted to determine the severity of the data breach.
The first questions to which the organisation needs answers when investigating the breach are:
(a) when and where did the personal data protection breach occur?
(b) how was the personal data protection breach detected, and by whom?
(c) what was the cause of the personal data protection breach, and is the breach still ongoing?
(d) what types of personal data were involved, and what was the extent of the personal data protection breach (that is, how many records were involved and to whom were the records disclosed)?
(e) how many individuals are affected by the personal data protection breach?
(f) which systems, servers, databases, platforms, services etc. are affected?
(g) is help required to contain the breach?
(h) what remediation action(s) has the organisation taken, or does it need to take, to reduce any harm to affected individuals resulting from the breach?

9.2.4 At this stage, the organisation may consider notifying other stakeholders, such as internal or external legal counsel specialising in data protection and technical forensics specialists, to be ready so that their expertise will be available on short notice.

9.2.5 Details of the data breach and post-breach response(s) should be recorded in an Incident Record Log to allow follow-up investigations or reviews, and to demonstrate to the PDPC that the organisation has taken reasonable and expeditious steps to assess whether the data breach is notifiable (see below). At this stage, the situation will be dynamic, as more facts are unearthed while investigating the incident. Organisations should expect that as more details emerge, the initial assessment will have to be revised and the action plan reviewed.
9.2.6 Organisations should consider alerting the following bodies if they suspect that criminal acts have been perpetrated, as these bodies may also offer assistance to organisations in containing the data breach:
The Police, if criminal activity (e.g. hacking, theft or unauthorised system access by an employee) is suspected, and to preserve evidence for investigation.
The Cyber Security Agency of Singapore ("CSA"), through the Singapore Computer Emergency Response Team (SingCERT), for cyber incidents.

9.2.10 Organisations are also advised to be mindful of the requirements set out by their respective sectoral regulators (e.g. the Monetary Authority of Singapore, the Ministry of Health, CSA etc.) for the reporting of data breaches.

9.3 Assessment of the Data Breach

9.3.1 Upon containment of the data breach, the organisation should conduct an in-depth assessment of the data breach, which would involve questions such as:
(a) how and when was the personal data protection breach escalated to the organisation’s Data Breach Management Team and to the organisation’s senior management?
(b) what measures were taken by the organisation to contain the breach?

9.3.2 The organisation needs to assess the risks to, and impact on, individuals whose personal data has been exposed (this includes data at risk of unauthorised access, disclosure etc. and exfiltration of data). The questions to which the organisation needs answers in this context are:
(a) how many individuals’ personal data was affected?
(b) who, by category, are these individuals? For example, are they customers of the organisation, employees of the organisation, are they under the age of 18, etc.?
(c) what types of personal data were involved? In particular, how sensitive is the personal data that was involved, and what is the corresponding potential harm caused by the disclosure of or access to such personal data?
9.3.3 In assessing the likely impact of the data breach, the organisation should consider the following:
(a) context of the data breach. In addition to the questions set out in paragraph 9.2.3 above, the organisation should also consider other contextual factors, such as whether the personal data was publicly available before the data breach, or whether the personal data relates to vulnerable individuals (e.g. victims of abuse);
(b) ease of identifying individuals from the compromised data. The ease with which an affected individual can be identified from the compromised data increases the likelihood of harm and impact to the individual. In general, the ease of identifying individuals from the compromised dataset increases with the number and uniqueness of identifiers in the dataset;
(c) circumstances of the data breach. The organisation should consider the circumstances surrounding the data breach, such as whether the data was illegally accessed and stolen by those with malicious intent, or whether the personal data had been publicly accessible for a significant period of time. Understanding the extent and likely impact of the data breach will help the organisation identify and take further steps to limit the harm resulting from a data breach and prevent the recurrence of similar incidents; and
(d) notification to the PDPC and/or affected individuals. Crucially, the organisation will also have to determine if it is required to notify the PDPC and/or affected individuals of the breach under the DBN Obligation. Any unreasonable delay in assessing a data breach will be a breach of the DBN Obligation, allowing the PDPC to take enforcement action.

9.3.4 Finally, the organisation needs answers to the following questions so that it can assess the risks and impact on the organisation arising from the personal data protection breach:
(a) what caused the personal data protection breach / what did not prevent the personal data protection breach from happening?
(b) when did the personal data protection breach occur, and was it a one-off incident and, if not, how often has it occurred?
(c) who might gain access to the compromised personal data?
(d) will the compromised personal data affect transactions with any third parties?

9.3.5 The in-depth assessment will allow organisations to:
(a) conclude whether the data breach is notifiable under law (for example, to the Monetary Authority of Singapore (MAS) if your organisation is a financial institution regulated by the MAS, or to the Cyber Security Agency of Singapore (CSA) if your organisation owns a critical information infrastructure (CII)); and
(b) consider, and if necessary take, steps to reduce any potential harm to the affected individuals. For example, taking steps to request that the third party delete the personal data that was accidentally disclosed, or implementing fixes to system errors/bugs to prevent further disclosure of or access to personal data.

9.3.6 The organisation has an obligation to conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach under law. Assessments should be done expeditiously, as any unreasonable delay in assessing a data breach may be a breach of the data breach notification obligation. Organisations should generally do so within 30 calendar days. If an organisation is unable to complete its assessment within 30 days, the organisation should be prepared to provide the PDPC with an explanation for the time taken to carry out the assessment.

9.4 The Data Breach Notification Obligation

9.4.1 Part 6A of the PDPA sets out the requirements for organisations to assess whether a data breach is notifiable, and to notify the affected individuals and/or the Commission where it is assessed to be notifiable.
9.4.2 Data intermediaries that process personal data on behalf of and for the purposes of another organisation (including a public agency) are also required to notify that other organisation or public agency of a data breach detected.

9.4.3 Duty to conduct assessment: Once an organisation has credible grounds to believe that a data breach has occurred (whether through self-discovery, an alert from the public or notification by its data intermediary), the organisation is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.

9.4.4 Assessments should be done expeditiously, as the likelihood of significant harm to affected individuals may increase with time. Any unreasonable delay in assessing a data breach will be a breach of the DBN Obligation, and the Commission can take enforcement action.

9.4.5 While there may be varying circumstances that would affect the time taken to establish the facts of a data breach and determine whether it is notifiable, organisations should generally do so within 30 calendar days.

9.4.6 If an organisation is unable to complete its assessment within 30 days, it would be prudent for the organisation to be prepared to provide the Commission with an explanation for the time taken to carry out the assessment.

9.4.7 Data breach within an organisation: A data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data within an organisation is not a notifiable data breach.

9.4.8 An organisation is required to notify the PDPC (as soon as practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment) of a data breach that:
(a) results, or is likely to result, in significant harm to the affected individuals (i.e. where the compromised personal data falls within certain prescribed categories); or
(b) is of a significant scale (i.e. if the actual or estimated number of affected individuals is 500 or more).
(c) Where a data breach affects 500 or more individuals, the organisation is required to notify the Commission even if the data breach does not involve any prescribed personal data.

9.4.9 A data breach is deemed to result in significant harm to an individual if the data breach relates to:
(a) the individual’s full name or alias or full national identification number in combination with any of the following personal data:
(i) The amount of any wages, salary, fee, commission, bonus, gratuity, allowance or other remuneration paid or payable to the individual by any person, whether under a contract of service or a contract for services.
(ii) The income of the individual from the sale of any goods or property.
(iii) The number of any credit card, charge card or debit card issued to or in the name of the individual.
(iv) The number assigned to any account the individual has with any organisation that is a bank or finance company.
(v) The net worth of the individual.
(vi) The deposit of moneys by the individual with any organisation.
(vii) The withdrawal by the individual of moneys deposited with any organisation.
(viii) The granting by an organisation of advances, loans and other facilities by which the individual, being a customer of the organisation, has access to funds or financial guarantees.
(ix) The incurring by the organisation of any liabilities other than those mentioned in paragraph (viii) on behalf of the individual.
(x) The payment of any moneys, or transfer of any property, by any person to the individual, including the amount of the moneys paid or the value of the property transferred, as the case may be. This includes payments of money or transfers of property to discharge (partially or fully) any debt owed to the individual, including a debt owed by the organisation concerned.
(xi) The creditworthiness of the individual.
This includes the individual's loan/credit history, repayment/default history and credit rating/status, and includes credit reports prepared by a credit bureau (whether or not the credit bureau is licensed under other written law).
(xii) The individual's investment in any capital markets products.
(xiii) The existence, and amount due or outstanding, of any debt:
a. owed by the individual to an organisation; or
b. owed by an organisation to the individual.
(xiv) Identification of vulnerable individuals. Examples include court-related documents or information (e.g. statement of facts/charge sheets), court orders (e.g. care and protection orders, Family Guidance orders, probation orders, Juvenile Rehabilitation Centre orders, orders in relation to vulnerable adults), family violence/child abuse history, details of incidents, family circumstances or conflicts.
(xv) Life, accident and health insurance information which is not publicly disclosed.
(xvi) Specified medical information.
(xvii) Information relating to adoption matters.
(xviii) A private key used to authenticate or sign an electronic record or transaction.
(b) in relation to an individual’s account with an organisation: the individual’s account identifier, such as an account name or number; and any password, security code, access code, response to a security question, biometric data or other data that is used or required to allow access to or use of the individual’s account.
9.4.10 Where the data breach results, or is likely to result, in significant harm to the affected individuals, organisations will be required to notify the affected individuals on or after notifying the PDPC, unless one of the stated exceptions applies, namely:
(a) where the organisation has taken remedial actions that render it unlikely that the notifiable data breach will result in significant harm to the affected individual;
(b) where the personal data that was compromised by the data breach is subject to technological protection (e.g. encryption) that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual; or
(c) where the organisation is prohibited from notifying the affected individuals (i.e. if a prescribed law enforcement agency so instructs it).
In addition, the PDPC may, on written application, waive the requirement in exceptional circumstances where notification to affected individuals may not be desirable.

9.4.11 In addition to the PDPA requirements set out above, organisations should also be mindful of the requirements set out by their respective sectoral regulators (e.g. the Monetary Authority of Singapore) for the reporting of data breaches.

9.4.12 Where different categories of personal data are lost or compromised at different times, the affected organisation must notify the Commission and/or affected individuals if the organisation assesses that the different data breaches are likely to be linked. This may be based on whether the same perpetrator is involved, or on the surrounding circumstances of the data breaches.
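The notifiability rules in paragraphs 9.4.3 to 9.4.10 (the 30-day assessment window, the internal-breach exclusion, the two limbs of 9.4.8, the prescribed categories of 9.4.9, the 3-day notice to the PDPC and the three 9.4.10 exceptions) written out as one decision procedure. This is an added example for this chapter, not PDPC material or the sample incident record log; the category labels, field names and the scenarios in worked_examples() are this example's own constructions, while the thresholds and rules are the chapter's.

```python
"""Notifiability assessment under the PDPA Data Breach Notification Obligation,
following paragraphs 9.4.3 to 9.4.10. Category labels, field names and the
sample scenarios are this example's own constructions; thresholds are the text's."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# 9.4.9(a): prescribed data that is deemed to cause significant harm when
# combined with the individual's full name/alias or full identification number.
PRESCRIBED_WITH_IDENTITY = frozenset({
    "remuneration", "income_from_sales", "card_number", "bank_account_number",
    "net_worth", "deposits", "withdrawals", "credit_facilities", "liabilities",
    "payments_to_individual", "creditworthiness", "capital_markets_investment",
    "debt", "vulnerable_individual", "insurance", "medical", "adoption",
    "private_key",
})
# 9.4.9(b): account identifier plus a credential is prescribed on its own.
ACCOUNT_CREDENTIAL = frozenset({"account_identifier", "account_credential"})

SIGNIFICANT_SCALE = 500        # 9.4.8(b): actual or estimated affected individuals
ASSESSMENT_WINDOW_DAYS = 30    # 9.4.5: assess within 30 calendar days
PDPC_NOTICE_DAYS = 3           # 9.4.8: notify the PDPC within 3 calendar days of assessing


@dataclass
class Breach:
    credible_grounds_on: date          # 9.4.3: day the organisation had credible grounds
    affected_individuals: int
    data_categories: Set[str]
    identity_included: bool = False    # full name/alias or full identification number present
    internal_only: bool = False        # 9.4.7: breach confined within the organisation
    remediated: bool = False           # 9.4.10(a): remedial action makes harm unlikely
    tech_protected: bool = False       # 9.4.10(b): e.g. the data was encrypted
    notification_prohibited: bool = False  # 9.4.10(c): law enforcement instruction


@dataclass
class Assessment:
    notifiable: bool
    notify_pdpc: bool
    notify_individuals: bool
    assessment_due: date
    pdpc_deadline: Optional[date]      # None until the assessment is concluded
    reasons: List[str]


def significant_harm(b: Breach) -> bool:
    """9.4.9: deemed significant harm when prescribed categories are involved."""
    if b.identity_included and b.data_categories & PRESCRIBED_WITH_IDENTITY:
        return True
    return ACCOUNT_CREDENTIAL <= b.data_categories


def assess(b: Breach, assessed_on: Optional[date] = None) -> Assessment:
    """Apply 9.4.5 to 9.4.10; assessed_on is the day the assessment concluded."""
    reasons: List[str] = []
    harm = significant_harm(b)
    scale = b.affected_individuals >= SIGNIFICANT_SCALE
    if b.internal_only:
        notifiable = False
        reasons.append("9.4.7: breach within the organisation is not notifiable")
    else:
        notifiable = harm or scale
        if harm:
            reasons.append("9.4.8(a): prescribed personal data, significant harm likely")
        if scale:
            reasons.append("9.4.8(b): %d affected individuals (500 or more)" % b.affected_individuals)
    # 9.4.10: individuals are notified only on the significant-harm limb, and any
    # one of the three exceptions lifts that duty; the PDPC notice still stands.
    notify_individuals = notifiable and harm
    exceptions = [(b.remediated, "9.4.10(a): remedial action makes significant harm unlikely"),
                  (b.tech_protected, "9.4.10(b): technological protection, e.g. encryption"),
                  (b.notification_prohibited, "9.4.10(c): notification prohibited by law enforcement")]
    for applies, why in exceptions:
        if notify_individuals and applies:
            notify_individuals = False
            reasons.append(why)
    assessment_due = b.credible_grounds_on + timedelta(days=ASSESSMENT_WINDOW_DAYS)
    pdpc_deadline = None
    if assessed_on is not None:
        if assessed_on > assessment_due:
            reasons.append("9.4.6: assessment took over 30 days; be ready to explain the delay")
        if notifiable:
            pdpc_deadline = assessed_on + timedelta(days=PDPC_NOTICE_DAYS)
    return Assessment(notifiable, notifiable, notify_individuals, assessment_due, pdpc_deadline, reasons)


def worked_examples() -> dict:
    """Constructed scenarios (not real incidents) that exercise each rule."""
    found = date(2024, 1, 10)
    return {
        "card_with_name": assess(Breach(found, 20, {"card_number"}, identity_included=True),
                                 assessed_on=date(2024, 1, 20)),
        "card_without_name": assess(Breach(found, 20, {"card_number"})),
        "scale_only": assess(Breach(found, 600, {"email"}), assessed_on=date(2024, 2, 15)),
        "internal": assess(Breach(found, 600, {"card_number"}, identity_included=True, internal_only=True)),
        "encrypted_credentials": assess(Breach(found, 10, set(ACCOUNT_CREDENTIAL), tech_protected=True),
                                        assessed_on=date(2024, 1, 12)),
    }
```

Note that "scale_only" is notifiable to the PDPC without any duty to notify individuals, and its late assessment is flagged separately from notifiability, matching 9.4.6 and 9.4.8(c).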
9.4.13 As to the contents of the notification, the notification to the PDPC should include the following:
(a) the date and circumstances in which the organisation first became aware that the data breach had occurred;
(b) an account of the steps taken afterwards, including the organisation’s assessment of whether the breach is notifiable;
(c) how the data breach occurred;
(d) the number of individuals affected by the data breach;
(e) the personal data or classes of personal data affected;
(f) the potential harm to the affected individuals as a result;
(g) any action by the organisation to (i) eliminate or mitigate any potential harm to any affected individual; and (ii) address or remedy any failure or shortcoming that resulted in the breach;
(h) the organisation’s plan to inform all or any affected individuals or the public, or the grounds for not informing the affected individuals (if applicable);
(i) the business contact information of at least one authorised representative; and
(j) the reasons for late notification and/or the grounds for not notifying affected individuals (if the organisation is otherwise required to notify), where applicable.

9.4.14 The notification to affected individuals should contain the following:
(a) the circumstances in which the organisation first became aware that the data breach had occurred;
(b) the personal data or classes of personal data affected;
(c) the potential harm to the affected individuals as a result;
(d) any action by the organisation to (i) eliminate or mitigate any potential harm to any affected individual; and (ii) address or remedy any failure or shortcoming that resulted in the breach;
(e) the steps that the affected individual may take to eliminate or mitigate any potential harm as a result, including preventing the misuse of the data; and
(f) the contact details of at least one authorised representative whom the affected individual can contact for further information or assistance.
9.4.15 Notification to the PDPC is to be submitted at https://eservice.pdpc.gov.sg/case/db. For urgent notification of major cases, organisations may also contact the PDPC at +65 6377 3131 during working hours.

9.4.16 For more information on the Data Breach Notification Obligation, refer to the revised Advisory Guidelines on Key Concepts in the Personal Data Protection Act (available at: https://www.pdpc.gov.sg/ag) and the Guide on Managing and Notifying Data Breaches under the PDPA (available at: https://www.pdpc.gov.sg/og).

9.5 Evaluation of the Response to the Data Breach

9.5.1 The organisation should also review and learn from the data breach incident to improve its personal data handling practices and prevent the recurrence of similar data breaches.

9.5.2 In conducting such a review and improving the personal data protection breach management plan, an organisation should consider and include a post-breach evaluation which looks at the following:

Operational and policy-related issues

Data breach management plan and response:
Was the data breach management plan effective in responding to the data breach incident? Were there any areas where the plan could be improved?
Were data breach response plans tested regularly to ensure effectiveness? Is there a need to develop new data breach scenarios?
Was there a clear line of responsibility and communication during the management of the data breach?
Were pre-defined modes of communication effective during the data breach incident response?

Existing measures and processes:
Were audits regularly conducted on both physical and IT-related security measures? Were the action items from the audits remediated?
Are there processes that can be streamlined or introduced to limit the damage if future data breaches happen, or to prevent a relapse?
Were there weaknesses in existing security measures (e.g. use of outdated software and protection measures such as weak passwords)?
Were there weaknesses in the use of portable storage devices or connectivity to the Internet?
Were the methods for accessing and transmitting personal data sufficiently secure (e.g. access limited only to authorised personnel)?

Roles of external parties:
Should support services from external parties, such as vendors and partners, be enhanced to better protect personal data?
Were the responsibilities of vendors and partners clearly defined in relation to the handling of personal data?

Management-related issues

Managing the data breach:
How was senior management involved in the management of the data breach?
Was there sufficient or effective direction given in managing the data breach?

Employee and resource-related issues

Training:
Were employees aware of security-related issues?
Was training provided on personal data protection matters and incident management skills?
Were employees informed of the data breach and the learning points from the incident?

Responding to the data breach:
Was a competent and qualified data breach incident response manager/team appointed?
Did the manager/team understand and properly execute the data breach management plan?
Were there enough resources to manage the data breach? Should external resources be engaged to better manage such incidents?
Were key personnel given sufficient resources to manage the incident?

Root cause analysis and post-breach actions taken

Root cause analysis:
What was the chronological timeline of events that led up to the incident?
What weakness did the breach exploit, e.g. systems, procedures, people?
Was this a new issue or an issue that we already knew about?
Were there existing procedures that could have addressed the breach, and were the processes followed?
Were there signs that were missed? Does monitoring need to be refined?
What were the probable causes and the underlying cause that led to the breach?

Post-breach actions taken:
What had been done to contain the breach in the short term?
What had been done to contain the breach in the long term, to prevent a similar incident from happening?
Were there backups of the affected systems to help restore operations?
How long will the affected systems be monitored, and what should be looked for when monitoring?

9.5.3 The organisation’s DPO may also document personal data protection breaches and post-breach response(s) in an ‘incident record log’. A sample of an incident record log is attached.

9.5.4 For more information on managing data breaches and the steps outlined herein, see the PDPC’s Guide on Managing and Notifying Data Breaches under the PDPA (available at: https://www.pdpc.gov.sg/og).

9.6 Enforcement Options of the PDPC

9.6.1 If the PDPC is alerted to a potential contravention of the PDPA, the PDPC may investigate or review the matter. The PDPA sets out offences relating to, e.g.:
(a) obstructing or hindering the PDPC in the performance of any function or duty, or the exercise of any power; or
(b) without reasonable excuse, neglecting or refusing to provide information or produce documents to the PDPC or an inspector, or to attend before the PDPC or inspector, as required.

9.6.2 The PDPC may investigate by issuing Notices to Require Production of Documents and Information (NTPs). It is important for the organisation to respond to the PDPC within the stipulated deadline, as a failure to comply with an NTP may constitute an offence under the PDPA. The organisation should inform the PDPC (and provide its reasons) if it requires an extension of time.

9.6.3 The enforcement outcomes that follow an investigation are as follows:
(a) Suspension or discontinuation of the investigation: The PDPC may consider discontinuing investigations where the impact is assessed to be low or limited. The PDPC may also issue an advisory notice to the organisation(s) involved.
The advisory notice is not a finding of breach, and serves to highlight the areas in which an organisation can improve, so as to improve its compliance with the PDPA.
(b) Voluntary undertaking: Under certain circumstances, the PDPC may accept a voluntary undertaking from the organisation. The organisation’s request in writing to the PDPC to invoke the voluntary undertaking process must be made soon after the incident is known. The organisation’s execution of a voluntary undertaking does not amount to an admission of breach of the PDPA. The voluntary undertaking is intended to give organisations the opportunity to implement their remediation plan in relation to the incident within a specified time.
(c) Expedited breach decision: The expedited decision procedure (EDP) allows investigations to be completed in a significantly shorter period, while achieving the same enforcement outcomes. To avail themselves of the EDP process, an organisation will have to intimate its intention at an early stage of the PDPC’s investigations. The PDPC will then proceed to find the organisation in breach of the PDPA based on the information provided and the organisation’s voluntary admission of liability. Save where an organisation is a repeat offender, an organisation’s voluntary admission of liability, made at an early stage of the investigations through the EDP process, is a factor that the PDPC will consider favourably should a financial penalty be under consideration for the organisation.
(d) Full investigation process – Breach findings with Warnings, Directions, and Financial Penalties: The PDPC encourages organisations to resolve the issues with the complainant(s) amicably through a facilitation and mediation process. However, for incidents assessed as high impact, the PDPC will launch a full investigation process immediately. These are usually incidents where many individuals were affected and/or the personal data disclosed could cause significant harm.
Such investigation process is likely to be prolonged depending on the level of cooperativeness from the organisation(s) involved. 9.6.4 The PDPC will not accept an organisation’s request to invoke the expedited breach decision process when: (a) The organisation refuses to provide an upfront voluntary admission of liability for breaching the relevant obligation(s) under the PDPA and the organisation’s role in the cause(s) of breach; or; (b) The organisation refuses to accept the terms and conditions of the expedited decision procedure. The PDPC may exercise its discretion to discontinue the expedited decision procedure and proceed with a full investigation of the incident at any time before the conclusion of the case. Where an organisation does not comply with the direction(s) and/or the financial penalty notice(s) issued by the PDPC upon completion of the investigation, the PDPC will take steps as it thinks fit in the circumstances to enforce the relevant compliance. 9.6.5 For a breach of the Data Protection Provisions, the new section 48J of the PDPA provides that the PDPC may impose a financial penalty of up to S$1 million or 10% of the organisation’s annual turnover in Singapore, whichever is higher. 9.6.6 With the new higher financial penalty cap in the PDPA, the PDPC will continue to calibrate financial penalties in a manner that is proportionate to the seriousness of the contravention and provides sufficient deterrence against future or continued non- compliance. The PDPC may consider imposing a substantially higher financial penalty to achieve the desired enforcement outcome if a contravention is particularly egregious by the facts and circumstances of the case. 
9.6.7 In determining the financial penalties to be imposed, the PDPC will employ the following approach: 174 (i) Assess the incident based on the principles of harm and culpability; (a) Harm includes the number of affected individuals, categories of affected personal data, duration of the incident, etc. (b) Culpability refers to the organisation’s conduct in the incident (e.g., nature of the specific breach of the PDPA as well as the organisation’s overall compliance with the PDPA); (ii) Consider other relevant factors calling for an increase and/or decrease of the financial penalty. Such factors may include the following: (a) Whether the organisation or person took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action; (b) Whether the organisation or person had previously failed to comply with the PDPA etc.; (c) Whether there was voluntary admission of liability, including whether done under the Expedited Decision Procedure; (d) Cooperation with the PDPC during the course of the investigation; (e) Whether the organisation or person is a first-time offender; and (iii) Adjust the financial penalty by considering the likely impact on the organisation or person as well as considering if it is proportionate and effective in achieving compliance and deterring non-compliance. For further information on the different enforcement options see PDPC’s Guide on Active Enforcement https://www.pdpc.gov.sg/og. 175 Resources For Chapter 9 Data Breach Response Plan For further information on managing data breaches see PDPC’s Guide on Managing and Notifying Data Breaches under the PDPA (available at: https://www.pdpc.gov.sg/og) 176
