Singapore-based organizations are now expected to complete an investigation into a suspected cyber attack event within 30 days and notify the authorities within 72 hours after completing their assessment.
These guidelines, unveiled on Wednesday, are being introduced to help organizations manage data breaches more effectively and are expected to be included in the upcoming amendments to the Data Protection Act of Singapore.
As per the Personal Data Protection Commission (PDPC), which sets out the law on data protection in the Republic, the affected organizations are expected to notify the respective authorities in case of a hacking incident that affects over 500 individuals.
Data intermediaries are also expected to report the cyber attack to their parent organisations within 24 hours after identifying the breach.
PDPC stated that these guidelines also incorporated feedback from previous consultations and that it would review and update them, if required.
In addition, the commission stated that companies in the country should make the necessary changes to facilitate the detection process, and that breach notification would be made mandatory as part of the upcoming amendments to the act.
PDPC also announced new guidelines for "active enforcement", for organisations to shift from compliance to accountability. These include examples and clarifications to address common queries from organizations, such as the PDPC's policy considerations when conducting or discontinuing an investigation into a breach, as well as financial penalty assessment factors.
In addition, the commission announced a third public consultation on its proposed inclusion of a data portability law. It said, "Data portability addresses the challenges faced by industries in accessing more diverse data or larger datasets for use in emerging technologies, such as artificial intelligence (AI) or Internet of Things (IoT) solutions, in order to generate better personalised products, services and insights, while creating incentives for competitive services and lowering barriers to entry for new entrants."
However, the PDPC explained that they took this move after evaluating data breach incidents in recent years and feedback from industry stakeholders.