Singapore should not criminalise good intent to encourage data sharing in cybersecurity

People who fear prosecution may be less willing to share threat information, which is vital in fending off attacks, and Singapore government should clearly define its proposed mandate for companies to report data breaches within 72 hours.
Written by Eileen Yu, Senior Contributing Editor

The Singapore government should not criminalise cybersecurity activities carried out with good intent in order to encourage the sharing of valuable threat information, which will help the industry better combat attacks.

It also should clearly define its proposed mandate that would compel organisations to report a data breach within 72 hours, particularly since it typically took weeks or even months before a vulnerability was identified.

The Singapore government on Thursday mooted the introduction of a new ruling, under the Personal Data Protection Act (PDPA), that would require organisations to report data breaches within 72 hours.

They would have to report such incidents to affected customers as well as the Personal Data Protection Commission (PDPC), which oversaw the act. The move would provide consumers the opportunity to take steps to protect themselves from any potential risk, the commission said.

The mandatory breach report also would allow the PDPC to have a clearer overview of incidences and management of data breaches at a national level, it said, adding that it would provide guidance to affected organisations on remedial steps to take.

The government agency noted that it was mindful not to impose "overly onerous regulatory burdens" on businesses or cause "notification fatigue" amongst individuals. Hence, the proposed law would require affected customers to be notified only when there was a risk of impact or harm.

The PDPC also must be notified where there was significant scale of breach, for example, if the breach involved the personal data of more than 500 individuals.

In cases where organisations were required under a separate legislation to report a data breach to law enforcement agencies or the ministry overseeing their industry, the PDPC should be notified concurrently. It said this was aimed at minimising the regulatory burden for organisations governed by overlapping requirements to raise an alert in the event of a data breach.

Data intermediaries that processed personal data on behalf of another organisation must inform the organisation of any data breach immediately, the PDPC said. This would enable the organisation to more quickly evaluate the nature of the breach and determine if they were required to notify the necessary government agencies.

Under Singapore's proposed national cybersecurity bill, operators of critical information infrastructures (CII) would be required to report cybersecurity incidents "within the prescribed period" after the event, amongst other mandatory responsibilities. The Singapore government had listed 11 sectors considered to own CIIs, including water, healthcare, maritime, media, infocom, energy, and aviation. The public sector itself was part of this category.

According to PDPC's proposed mandatory breach reporting, businesses would have to notify affected individuals of the data breach "as soon as [it was] practicable" to do so, "unless an exception or exemption applies".

"PDPC should similarly be notified as soon as practicable, but no later than 72 hours from the time the organisation becomes aware of the data breach," it said.

The mandate was similar to the European Union's General Data Protection Regulation (GDPR), which also would require organisations to notify authorities within 72 hours after discovering a data breach, if it was likely to put affected customers at risk.

In finetuning this proposed mandate, the Singapore government should be clear about what this entailed, said Bill Taylor-Mountford, LogRhythm's Asia-Pacific Japan vice president.

Speaking to ZDNet on the sidelines of the RSA Conference in Singapore, he said the 72-hour rule could be interpreted differently depending on how or what had been identified as a breach. For instance, would companies be required to report--within 72 hours--a data breach that had been identified by a threat intelligence system.

And would the 72-hour clock start ticking once the breach had been identified or after they had determined the impact and scale of the breach, said Sean Duca, Palo Alto Networks' Asia-Pacific chief security officer and vice president.

He noted that companies might need more time to figure out what was happening, for instance, whether a data breach involving one laptop had impacted other systems in the network. "Sometimes, you can't work that out in 72 hours," Duca told ZDNet. "I don't think the 72-hour mandate is unreasonable but it will be challenging [for some companies] and we need to define exactly what that means."

He said this further underscored the importance of running tabletop exercises and drills to increase the organisation's preparedness in the event of an actual breach.

According to research from Ponemon Institute, financial institutions took an average of 98 days to detect a data breach while retailers took up to 197 days.

Sharing of threat data should be made easier

Duca also urged the need for legislations to facilitate the sharing of threat information, which was vital in helping the industry better combat attacks. "It shouldn't be mandatory, but we need to work out ways to make this easier," he said.

And rather than penalise disclosures or activities that might unintentionally expose compromised systems, he encouraged governments not to criminalise good intent or exploratory work aimed at identifying potential vulnerabilities so these could be plugged.

He added that some companies or individuals might fear violating privacy laws if they discussed threat data and, hence, would refrain from sharing such information. "If we foster a good way for people to talk about this and encourage that behaviour, then organisations will be more likely to share data," he said.

Increasing user awareness also would be essential with the growing adoption of Internet of Things (IoT) and other smart devices, according to Gavin Chow, security strategist at Fortinet's FortiGuard Labs.

Consumers must understand the implications of using such devices and raise questions when they felt businesses crossed the line, Chow said in response to questions about news that iRobot, which manufactured Roomba vacuums, was looking to sell mapping data of their customers' home.

iRobot CEO Colin Angle said data collected from Roomba could help smart home devices better understand their environment, such as matching sound systems to a home's acoustics.

Before purchasing or using IoT devices, Chow said consumers should find out how manufacturers planned to use their personal data and whether they could opt out. He noted that legislations could help govern such usage, for instance, by mandating equipments sold in a country declared the kind of user data the devices would collect and how the manufacturers would use the information.

However, this would likely be a long process to push through and challenging to enforce across borders, he said. It could be particularly challenging in Asia-Pacific, too, because the markets were highly fragmented.

He explained that security researchers, for example, had found a way to hack into web-connected cameras made in China, but ran into difficulties when they tried to contact the manufacturers, some of which simply did not respond. Those that did claimed they were simply resellers or OEMs (original equipment manufacturers) of the device and were unable to fix the vulnerability.

So no one took ownership of the problem, Chow said, adding that the software codes containing the vulnerability were possibly used in various OEM models. He urged consumers to always check for patches and firmware upgrades to ensure their home devices such as routers, network-attached storage devices, and printers were secured.

Duca concurred, stressing the need for consumers to think about how they were using the device and the associated risks from a privacy and security standpoint. While many believed the onus should be on the manufacturers, he noted that many of these businesses operated on a lowest-cost model to get their products out to market as quickly and cheaply as possible.

"So ask the supplier and the manufacturer questions about how they're using your data. We all need to start thinking about how we're maintaining our own security," he said.

Help for Singapore companies on data protection

To develop "a trusted data ecosystem" in Singapore, the PDPC said it planned to make available by year-end an online assessment tool and guides aimed at helping companies establish a data protection management plan as well as conduct data protection impact assessments.

In addition, a Data Protection Trustmark certification programme would be launched by end-2018, said Singapore's Minister for Communications and Information Yaacob Ibrahim. This would indicate that the organisation adopted sound data practices and regularly updated its processes, said Yaacob, who was speaking Thursday at the Personal Data Protection Seminar.

Citing a 2016 study conducted by PDPC, the minster said four in five consumers here felt more confident transacting with organisations that had been accredited for meeting personal data protection standards. "In assessing applications for the Trustmark, we will recognise businesses that have made the transition from mere compliance to accountability," he said.

"It is not possible for the PDPC to catch every single breach. Instead, companies must play their part," Yaacob noted. "Organisations must change their mindsets [and] not view data protection as a mere compliance exercise, but rather as a responsibility bestowed upon them by their customers, and fully integrated into the organisational culture of stewardship and accountability."

He said the government also recognised the value of data and importance of facilitating, and not hindering, data usage to improve service delivery. E-commerce operators, for instance, would need to share customer data with their logistics partners to deliver purchases.

"Even as we urge businesses to be accountable for the data they collect and use, we also want to urge them to use the data meaningfully to drive growth and innovation," the minister said. "Data, once collected, can generate value not only for the organisation collecting the data, but also for others far removed from the initial point of contact."

"We want to encourage the responsible sharing of personal data in order to generate value for our economy," Yaacob added, noting that the PDPC would be publishing a guidebook to "provide clarity" on how companies could share data.

Five years after Singapore introduced the PDPA, he said it was time to review and update the legislation to ensure it supported innovative uses of data.

Apart from the data breach notification, other proposed changes included the Notification of Purpose, which would be the basis for "the collection, use, or disclosure of personal data where consent is not practical or desirable through enhanced approaches", said the PDPC.

It said the data protection act currently focused primarily on individual consent as a key basis for businesses to collect, use, and disclose personal data. This should remain as a fundamental principle, it noted, adding that organisations always should seek to obtain user consent "where possible", particularly if the collection, use, or disclosure of data could adversely impact or pose risks to the individual.

Editorial standards