Data Breach

Application of Policy

This Policy is based on the Singapore Personal Data Protection Act 2012 (“PDPA”) and all the associated regulations and guidelines as may from time to time be issued by the Personal Data Protection Commission (“PDPC”).

Data Breach

Definition

Data breaches can lead to financial losses and a loss of consumer trust for the Organizations. In addition, individuals whose personal data have been compromised (the “affected individuals”) can be exposed to significant harm if they do not take steps to protect themselves.

It is important for Organizations to be accountable towards individuals by preventing, managing and notifying the Personal Data Protection Commission (“PDPC” or the “Commission”) and affected individuals of data breaches.

Data Breach Notification Obligation Guidelines

Taking key consideration from compliance published by Personal Data Protection commission guides.

• Data Breach Notification Obligation section of the Advisory Guidelines on Key Concepts in the PDPA.
• Personal Data Protection (Notification of Data Breaches) Regulations 2021.

Data Breach Notification Framework

I. Activities that may result in a data breach (not limited) are as follows:

• Hacking, ransomware, distributed denial of service incidents or unauthorized access to databases containing personal data.
• Unauthorized modification or deletion of personal data.
• Theft of computer notebooks, data storage devices or paper records containing personal data.
• Scams (e.g., phishing attacks) that trick organizations into releasing personal data of individuals.
• Loss of computer notebooks, data storage devices or paper records containing personal data.
• Sending personal data to a wrong e-mail or physical address, or disclosing personal data to a wrong recipient.
• Unauthorized access or disclosure of personal data by employees.
• Improper disposal of personal data (e.g., hard disk, storage media or paper documents containing personal data sold or discarded before data is properly deleted).
• Poor cyber hygiene practices such as using weak or poor passwords.
• Computer hardware or software issues may also lead to data breaches. For example, errors or bugs in the programming code of websites, databases, applications, and other internet downloads and usage of outdated software may be exploited to gain access to personal data stored on computer systems.

II. Identify Data Breaches

• Any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data.
• The loss of any storage medium or device on which personal data is stored in circumstances where the unauthorized access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
• The result of malicious activities, human error, or computer system weaknesses.

III. Data Breach Should Follow Four Key Steps (Using the Acronym of C.A.R.E):

• Contain the data breach to prevent further compromise of data and implement mitigating action(s) to minimize potential harms from the breach after an initial appraisal has been conducted to determine the extent of the breach.
• Assess the data breach to determine the root cause (where possible) and the effectiveness of containment action(s) taken thus far to contain the data breach. Where necessary, continuing efforts should be made to prevent further harm from the data breach.
• Report the data breach to:
  • The PDPC (mandatory if the breach is a notifiable data breach under the Personal Data Protection Act (“PDPA”). Organizations may also inform PDPC of the data breach voluntarily); and/or
  • The affected individuals (if required under the Data Breach Notification Obligation (“DBN Obligation”)).
• Evaluate the organization’s response to the data breach and consider the actions that can be taken to prevent future data breaches. Where necessary, continuing efforts should be made to prevent further harm from the data breach.

Securing Operations

We quickly move to secure our systems and fix vulnerabilities that have caused the breach. Secure physical areas potentially related to the breach. Lock them and change access codes, if needed.

Request forensics experts and law enforcement when it is reasonable to resume regular operations.

Mobilize with our breach response team right away to prevent additional data loss.

Assemble our team of experts to conduct a comprehensive breach response. Assembling information security, information technology, operations, human resources, communications, investor relations, management, and may include forensics, legal.

Identify and assign a data forensics team to help us determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.
We will Consult with legal counsel with privacy and data security expertise and to advise on state laws that may be implicated by a breach.

Stop additional data loss.

We will take all affected equipment offline immediately and won’t turn any machines off until the forensic experts arrive.
Will do closely monitor all entry and exit points, especially those involved in the breach. Required will put new clean machines online in place of affected ones. On emergency addition, we will update credentials and passwords of authorized users. Hacked, our system will remain vulnerable, hence will change required credentials immediately.

Remove improperly posted information from the web.

Our website: If the data breach involved personal information improperly posted on our website, we will immediately remove it. We may contact the search engines to ensure that they don’t archive personal information posted in error are cached and stored.
Other websites We will perform an intensive search for our company’s exposed data to make sure that no other websites have saved a copy. Found any, we will contact those sites and ask them to remove it.
Interview people who discovered the breach. Initiate discussion with anyone else who may know about it. At our customer service support engineering site, we will make sure the staff knows where to forward information that may aid our investigation of the breach. We will document our investigation.
Do not destroy evidence. We don’t destroy any forensic evidence in the course of our investigation and remediation.

Fix Vulnerabilities

Working with Our service providers, if we have engaged service providers we will examine what personal information they can access, we will change their access privileges & inform them. We take initiative to ensure our service providers are taking the necessary steps to make sure another breach does not occur. We will monitor the responsibilities of our service providers for their remedied vulnerabilities, verify that they really fixed the things.
Checking our network segmentation. When setting up our network, we likely segmented it so that a breach on one server or in one site could not lead to a breach on another server or site. We work with our forensics experts to analyze whether our segmentation plan was effective in containing the breach. Required any changes, we will do so now. Working with our forensics experts. We will ensure our measures such as encryption were enabled when the breach happened.
Perform analyzes backups and/or preserved data.
Review logs to determine who had access to the data at the time of the breach.
We will analyze who currently has access, determine whether that access is needed, and restrict access if it is not required.
Verify the types of information compromised, the number of people affected, and whether we have contact information for those people.
Upon receipt of the forensic reports, we will take the recommended remedial measures as soon as possible.
We have the communications plan.
We have Created a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners, and other stakeholders. We don’t withhold ay key details that might help our consumers protect themselves and their information.
We don’t publicly share information that might put consumers at further risk.
Notifying Appropriate Parties
When our business experiences a data breach, we will notify law enforcement, other affected businesses, and affected individuals.
Determine our legal requirements.
Due diligent with enacted legislation requiring notification of security breaches involving personal information. Depending on the types of information involved in the breach, we may adhere to other laws or regulations that apply to our situation.
Notify law enforcement.
We will call your local police department immediately. Report our situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be.
Notifying affected businesses. Having the data breach and data compromised or stolen from us, we will notify the institution that does business with us so it can monitor the fraudulent activity. Collected or stored personal information on behalf of other businesses, we will notify the business owner and management the details of the data breach.
Notifying individuals. We quickly notify people that their personal information has been compromised, they can take steps to reduce the chance that their information will be misused. In deciding who to notify, and how, we consider:
the compliance state laws
the nature of the compromise
the type of information taken
the likelihood of misuse
the potential damage if the information is misused
When notifying individuals, we:
Consult with your law enforcement contact about the timing of the notification so it doesn’t impede the investigation.
Designate a point person within our organization for releasing information. Give the contact person the latest information about the breach, our response, and how individuals should respond.
We will consider using letters template, websites, and contact numbers to communicate with people whose information may have been compromised. If we don’t have contact information for all of the affected individuals, we might build an extensive public relations campaign into our communications plan, including press releases or other news media notification.
In general, unless you’re the state law says otherwise, we will want to: Clearly describe what you know about the compromise. Include:
how it happened
what information was taken
how the thieves have used the information (if you know)
what actions you have taken to remedy the situation
what actions you are taking to protect individuals, such as offering free credit monitoring services
how to reach the relevant contacts in your organization consult with your law enforcement contact about what information to include. Tell people what steps they can take, given the type of information exposed, and provide relevant contact information. See quantumsysit.com/databreach for information on appropriate follow-up steps after a compromise, depending on the type of personal information that was exposed. We do in addition to this information as an attachment to our breach notification letter, as we’ve keep our template.
We will Include current information about how to recover from identity theft. For a list of recovery steps, refer consumers to quantumsysit.com/databreach