Data Privacy in Singapore and the Rise of Third-Party Breaches

How can companies lower their third-party infosec risk and stay compliant with the Personal Data Protection Act?

Singapore takes data protection seriously — to the tune of up to $1 million in fines for companies found in non-compliance with its Personal Data Protection Act (PDPA).

It’s the steepest possible financial penalty in Asia for a lapse in data security, and Singapore companies are feeling the impact. In the past two years, Singapore’s Personal Data Protection Commission (PDPC) has fined more than 20 companies for security breaches.

Enforcements continue to roll out, and companies will need to shore up their internal security as well as that of their third and fourth parties to stay compliant with PDPA. As recent data breaches in the country have made all too clear, information security has never been a bigger threat.

The Rising Threat of Third-Party Data Breaches

Vendors, suppliers, contractors — all play a significant part in the day-to-day business of companies around the world. It’s not uncommon for companies to work with thousands of third parties to execute core operational functions. But as the reliance on third party vendors has grown, information security programs to manage these relationships for risk haven’t kept up.

Last year, 56% of businesses reported a third-party data breach, according to a recent study from Opus and the Ponemon Institute. When you work with a third party, their unique information security risks become yours. Their cyber weaknesses can directly influence the contracting company’s compliance and susceptibility to a breach.

Singapore companies aren’t immune.

Breach at JP Pepperdine Group

The PDPC discovered, following a complaint, that anyone could access the personal data of over 30,000 members of JP Pepperdine Group on their website and on a webpage hosted and created by Ascentis, a third-party vendor. Both JP Pepperdine and their vendor left the personal data publicly available instead of properly securing it on their IT system. Names, email and residential addresses, birth date, and other sensitive information were compromised in the breach, and the PDPC fined the company S$10,000.

Singtel and Tech Mahindra

Singtel provides a strong lesson on why it is important to take third-party risk management seriously, including the need for contracts to outline the terms of the relationship. In this case, Singtel dodged a fine when a third-party vendor, Tech Mahindra, failed to protect customer data on their OnePass app for managing mobile phone plans. After tasked with fixing an issue with a customer’s OnePass account, Tech Mahindra introduced code that updated 2.78 million Singtel customer profiles with the personal details of that single customer.

Because Singtel had a contract in place with Tech Mahindra stating their responsibilities as a data intermediary, including that all database changes be tested by Singtel first, Singtel wasn’t found at fault for the breach. The PDPC fined Tech Mahindra $10,000.

Facebook and Cambridge Analytica

PDPC enforcements extend to global corporations doing business in Singapore. Recently, Facebook has been in the spotlight for improperly sharing the personal information of up to 87 million users with Cambridge Analytica. More than 65,000 Facebook users in Singapore were part of the leak, and the PDPC is taking a look at what penalties, if any, Facebook may face for violation of data protection laws.

Protecting Physical Data

Digital data isn’t the only type of information being scrutinized by the PDPC. Aviva, an insurance company, was fined S$25,000 after a third-party printing company caused the personal data of more than 8,000 people to leak after sending inaccurate statements to policyholders.

Evading regulatory fines from data breaches is a strong motivator for better data protection. But it’s not the only reason to take information security seriously.

Tackling Information Security Risk

After a data breach, the damage to a company’s reputation can be more significant than a fine, and with longer-term impact. A brand image takes years to build, but only seconds in the headlines to tear down. When customers hand over their personal data, they expect that it will be kept safe. If a data breach or exposure reveals your security measures aren’t up to par, customers will be wary to continue to do business with you. Many times, you won’t be able to win their confidence back.

Getting a strong third-party risk management plan in place is the best way to protect your business and your customer data from hackers, ransomware, and modern cyber threats.

4 Best Practices for Reducing the Likelihood of a Third-Party Data Breach

As troubling as it is, there’s no way to completely avoid a data breach. But there are ways to reduce your risk considerably, particularly when managing third party relationships.

1. Make an inventory of all third-parties you share information with. Keeping your company safe means knowing everyone you’re doing business with. Who is your marketing team contracting with? How about your IT department? To reduce the chance of a data breach, you need to know what data vendors have access to and put controls in place so they only have access to the data they need to do their work.

2. Evaluate and audit third-party security and privacy practices frequently. New security threats emerge all the time. With a formal process for reviewing third-party security, you can make sure third parties are keeping up to keep data safe.

3. Create a dedicated third-party risk management team. Are vendors being onboarded with infosec risk in mind? Do contacts have clear language about how third parties handle data? Who will monitor third parties for changing risk? To be successful with third-party risk management, someone needs to be responsible for ensuring third parties are following privacy and security best practices.

4. Maintain visibility into 4th party subcontractors. Many times, third parties contract work out to other companies, called 4th parties or Nth parties. That opens up your data to another level of risk. Vendor contracts should require that third parties alert you when they share sensitive information with 4th parties.

The good news in all of this is that a strong risk management plan makes working with third parties significantly less risky so you can have confidence in the security of your data both inside and outside your systems. When it comes to fines and enforcements, the PDPC has said that it’s not just looking at the severity of a breach, but how well prepared a company was to prevent one. If you can prove your security practices are strong, including your vendors’, financial repercussions can be less severe.

Pat McParland
Pat McParland
Vice President of Marketing