Breach disclosure 'inevitable' for S'pore data protection law

While this area will not be covered in Singapore's upcoming Data Protection Act, it will be a key consideration for inclusion in future, if the country strives to be consistent with more mature markets.

SINGAPORE--Public disclosure and notification of companies' security breaches will "inevitably" be part of discussions in future amendments to Singapore's upcoming Data Protection Act, as the country looks to keep in line with more mature jurisdictions.

In an interview with ZDNet Asia on Thursday, Ilias Chantzos, Symantec's senior director of government affairs for Europe, Middle East and Africa, Asia-Pacific and Japan, observed that notification of security breaches by companies is already part of several jurisdictions, such as under the European data protection directive and America's data protection directive.

Data protection laws of these countries are more "mature" as they have been around for some time, said the executive, who was in town to speak at Governmentware 2012.

As Singapore is relatively new to this area, with its data protection bill not yet officially enacted, it will definitely look to countries with more mature laws for "adequacy", that is, giving its citizens a similar level of data protection, Chantzos explained.

Discussions over security breach notifications were part of the initial public consultation for Singapore's data protection bill, noted Ng Kai Koon, senior manager of legal and public affairs at Symantec, who was also present in the same interview. Currently, it is not mandatory for organizations to issue data breach notifications, he said.

With the rise in the number of high-profile security incidents worldwide, such discussions would also start to reduce inconsistencies between the different jurisdictions in different countries, he added.

For example, if a Singapore company with international operations is breached, it would have to disclose the breach in countries such as the U.S., where data protection law states that the company has to notify the affected parties, he said. However, it would not have to disclose the breach in Singapore, because no such requirement has been discussed here, he said.

This could affect the companies and the way they do business because of differing regulations, while citizens may question inconsistencies between the local government and those abroad, he said.

Furthermore, all data protection laws are designed to address the lifecycle of information, from the point it is created to its deletion, Chantzos pointed out. This includes how information is retained, used and destroyed, and what happens if the information is lost, he explained.

"Since security breaches lead to loss of information, it's only a matter of time before discussions of cybersecurity incident disclosure will start," he said.

Beware "notification fatigue"
However, when conducting discussions on how security breaches should be notified to the public, the parties involved must be careful not to "overplay" discussions and "lead it the wrong way", Chantzos warned.

If every single piece of malware, virus or security breach is disclosed, there will be a case of "notification fatigue" and people will stop caring about what they hear from the company, he explained.

In order to avoid this, only the significant breaches or matters should be disclosed, Chantzos advised.

There is also the problem of how to decide what is, and what is not, a significant security matter, so the government, private organizations, security vendors and the public must come together and decide on it, he added.