How Not to Get Fined: PDPC 2020

2019 and 2020 have seen monumental growth in cybercrime. While none of our clients have encountered a breach incident, during the last twelve months around 80% of organizations in Singapore have been hacked! This means it’s a good time to review findings from the PDPC on some of this year’s PDPA breaches to avoid a similar fate.

Remember, parliament wants to increase the fines and introduce possible jail time for individuals who fail to protect PDPA data. This is already the case for government positions and is expected to become the case for individuals in businesses and nonprofits.

We have selected 5 examples released in 2020, summarized some findings, pointed out policies we already had in place that help mitigate those incidents, and we have included steps that you can take to help protect your organization.

1. Singapore Red Cross:

Finding:

  • Being a nonprofit organization does not decrease the standards for IT protection, the damage caused by a breach, nor fine amounts levied for PDPA breaches.
  • Do not store personal information beyond need.
  • Do not expose administrative tools for databases.

What we do:

  • We implement and/or update best practice enterprise IT security for our nonprofit/church clients as they are released.
  • We help organizations create data loss protection (DLP) policies and electronic labeling to automate deletion in accordance with their legal counsel’s recommendations.
  • Administrative tools for databases are restricted to our office IP address and only enabled when in use.

How you can help:

  • Let us know when you have data you need a label.
  • When creating a file in Word, Excel, PowerPoint, or sending an email with PDPA information click an appropriate sensitivity label.

2. Singapore Medical Association:

Finding:

  • Organizations in Singapore need to protect against Business Email Compromises (BEC).
  • Microsoft Office 365 (M365) needs periodic security reviews.
  • M365 passwords need to be protected.

What we do:

  • We require multi-factor authentication (MFA) so that if a password is compromised it’s much harder to gain access.
  • We monitor for repeated MFA failures and risky sign-ins.
  • We block automated forwarding of emails, a key element of a BEC.
  • We require admin review of any API access request that would allow for a BEC.

How you can help:

  • Be suspicious about emails asking you to enter your username and password or asking you to log into services like Facebook, Google, and Microsoft 365.
  • Always get in-person or phone verification when people ask you to make monetary transfers or to send them highly sensitive PDPA or intellectual property information.

3. MCST Plan 3400:

Finding:

  • Be careful about accidentally making data public due to misconfigured services.
  • Every device storage needs access controls and authentication.

What we do:

  • We require sign-in and MFA via conditional access policies.
  • We deploy single sign-on (SSO) to simplify authentication.
  • We retire network attached storage and servers that do not meet modern authentication standards.
  • We limit the types of devices and methods of accessing data.

How you can help:

  • Only use your work computer, OneDrive, Teams, or SharePoint for storing PDPA files.
  • Be sure to classify your PDPA files sensitivity level.
  • Never reuse your M365 password with other services.

4. SSA Group International:

Finding:

  • Webpages need to be checked for unauthorized personal information availability.

What we currently do:

  • We run web application firewalls.
  • We run periodic assessments of client websites.

How you can help:

  • Don’t store personal information on websites without consent to have it shared publicly.
  • Don’t grant access to membership directories without providing and getting sign-off of the user on PDPA guidelines.
  • If you intend to take pictures or video of an event such as a meeting or church gathering that you want to use on your website, PDPC recommend posting signs that photographs and video may be taken at the event.

5. MCST Plan 3593, Edmund Tie & Company Property Management Services, New-E Security / MCST Plan 4375, Smart Property Management, A Best Security Management:

Findings:

  • In both incidents CCTV was sent over WhatsApp via personal phones and that allowed for a subsequent breach to the public.
  • Organizations in Singapore are responsible for making sure staff do not use personal communication tools to send PDPA information.
  • A reminder that CCTV video is PII subject to PDPA.

What we currently do:

  • We segregate CCTV systems into their own virtual network to make them less vulnerable to hacking pivots.
  • We limit the ability to copy PII from M365 apps into personal communications apps.

How you can help:

  • Don’t send any PII, which includes videos and photos, over SMS, WhatsApp, Telegram, Facebook chat, or other personal communication applications.
  • Between colleagues, transmit PII via M365 products like Teams, SharePoint, or OneDrive.
  • Don’t forward any PII you receive from others, move it into M365 or another organization issued information system and delete it immediately off of personal communication applications.
  • Do not send PII directly to those outside the organization, even board members, ask your data protection officer (DPO) if it should be sent and/or if those who need access should have other accommodations made.

Isaac Johnson

Isaac has been in professional ministry since 2002, holds an M.Div. from Moody, and his goal is to equip churches to reach digital natives.

Other articles you might like…