Syncing the Technical and the Legal: Cybersecurity Standards and the PDPA

I. Background

The growing value and prominence of the digital economy,[1] as well as the global push towards digitalisation, have created fresh opportunities for malicious cyber activities. It may be more important now than ever that organisations ensure that their digital assets are well protected, and that they have in place robust and up-to-date cybersecurity measures.[2] Organisations seeking to maintain a vigilant cybersecurity posture today are faced with a burgeoning number of cybersecurity standards, alerts, advisories, and guidelines, as well as updates to the same.[3]

From a legal perspective, there has been a corresponding proliferation in data privacy regulatory frameworks in response to emerging technologies. In Singapore for example, the Personal Data Protection Commission (“PDPC”) recently published guidelines addressing personal data protection considerations in relation to blockchain design, and also carried out a public consultation on proposed guidelines on the development and deployment of artificial intelligence systems that embed machine learning models. Organisations are compelled to regularly refresh their data protection management programmes in response to changing risk profiles in the cybersecurity environment.

Although review of cybersecurity standards may traditionally be seen as falling within the exclusive purview of information security compliance personnel, and not of immediate "legal" relevance, it may be appropriate that the roll out of data protection management programmes take a harmonious approach to the implementation of technical standards vis-à-vis compliance with legal obligations under the Personal Data Protection Act 2012 of Singapore (“PDPA”).

II.   Integrating industry standards with PDPA compliance – practical considerations

Under the PDPA, organisations that collect, use, and/or disclose personal data in Singapore are required to comply with various data protection obligations, and the standards required for compliance may be assessed by reference to, amongst other things, the organisation's compliance with the latest developments in cybersecurity best practices and standards, as applicable to the relevant industry or activities.

As a starting point, Section 24 of the PDPA (“Protection Obligation”) requires organisations to protect personal data in its possession or control by making reasonable[4] security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks, and to prevent the loss of any storage medium or device on which personal data is stored.

In recent enforcement decisions, the PDPC had considered multifactor authentication (“MFA”) as a mandatory baseline standard for user authentication, especially in respect of accounts with administrative privileges,[5] and had stated that an organisation's failure to implement MFA for administrative accounts in certain situations could amount to a prima facie breach of the Protection Obligation.

This should be unsurprising insofar as "the standard of reasonableness is expected to be evolutionary",[6] "[t]here is no 'one size fits all' solution for organisations to comply with the Protection Obligation", and "[e]ach organisation [will need to] consider adopting security arrangements that are reasonable and appropriate in the circumstances".[7] The PDPC has emphasised that the standard required under the Protection Obligation is for organisation to implement up-to-date security measures that are reasonable in terms of inter alia being at least "recognised by the industry as relevant and secure" for protection of personal data.[8] Failure to keep up with the established developments in cybersecurity practices and standards in the industry may therefore be considered to be a prima facie breach of the PDPA, unless the organisation can justify such failure as being reasonable in the circumstances.

Organisations should also eschew an artificial “check-listing” approach to PDPA compliance (e.g. assuming that implementing any type of encryption will be sufficient) and instead consider whether the compliance measures undertaken are appropriate to the context.

The PDPC had previously held that a password that technically met recommended complexity rules in form could nonetheless be regarded as a weak security measure if it would be easily guessable and vulnerable to brute force attacks.[9] In another case, an organisation's use of Base64 encoding (which was found to be easily reversible) to protect passwords was held by the PDPC to have failed to amount to a "reasonable security arrangement" for the purposes of the Protection Obligation as it "is not an actual means of encryption".[10]

Moreover, organisations should also be mindful that previously accepted standards may no longer be relevant. The PDPC has from time to time held in the context of particular cases that certain security measures will no longer be regarded as sufficiently secure for the purposes of protecting personal data under the PDPA, which is an assessment that takes reference from developments in industry standards. In one enforcement decision, the PDPC stated for example that the MD5 hash function "is no longer sufficiently secure… as compared with other available algorithms" and that organisations should generally not rely solely on this algorithm for hashing passwords that provide access to personal data.[11]

Indeed, the PDPC has emphasised that organisations should periodically review their security arrangements and conduct vulnerability scanning, such as by scanning for the top ten security vulnerabilities listed by the Open Web Application Security Project (“OWASP”) as may be updated from time to time. Depending on the circumstances, failing to scan for common and (prevailing) well-known security vulnerabilities such as URL manipulation, SQL injection, and cross-site scripting (“XSS”) can potentially constitute a prima facie breach of an organisation's data protection obligations.[12]

The relevance of technical standards with legal compliance under the PDPA is also not limited to compliance with the Protection Obligation.

Consider for example, an organisation's obligation under Section 26 of the PDPA (“Transfer Limitation Obligation”)[13] to, before transferring an individual's personal data to a country or territory outside Singapore, take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA.

The Transfer Limitation Obligation takes reference from industry standards in at least two ways – first, in considering whether the recipient provides to the transferred personal data "a standard of protection that is at least comparable to the protection under the PDPA", the relevance of cybersecurity standards to the Protection Obligation as discussed above is imported mutatis mutandis; second, according to the PDPC's current guidelines, the recipient's "assurances of compliance with relevant industry standards or certification"[14] may also be relevant in assessing the adequacy of the standard of protection applied by the recipient.

Apart from protection standards, other technological standards may also be relevant. For example, Part 6A of the PDPA (“Data Breach Notification Obligation”) generally requires organisations to, inter alia, assess whether a data breach is notifiable and if so, promptly notify the affected individuals and/or the PDPC. Under certain circumstances, the PDPA exempts organisations from notifying affected individuals, for example if prior to the occurrence of the data breach, it had implemented "technological measures" that render it "unlikely that the data breach will result in significant harm to affected individual[s]". Under existing PDPC's guidelines, in assessing whether such technological measures are sufficient to exempt organisations from notifying affected individuals, it is relevant whether the technological measures are of "commercially reasonable standards" and in line with "prevailing industry practices in the [relevant] sector".[15]

III.   Conclusion

The dynamic legal and technological landscape today requires information security and legal personnel to work together to create and implement integrated data management programmes that comprehensively address compliance with both technical requirements and legal obligations.

From a PDPA perspective, organisations may wish to take reference from applicable organisational and technical standards, in particular standards which have been referred to by the PDPC in its decisions and guidelines.[16] Organisations should also consider best practices or standards specifically applicable to the type of data processed or processing activities undertaken. For example, where biometric recognition technology is employed or biometric data is processed for the purposes of identification or authentication, the PDPC advises organisations to refer to industry standards such as ISO 30107 (Biometric presentation attack detection) and to also set a matching threshold that is reasonable and commensurate with the impact of misidentification.[17] There may also be industry or sector-specific requirements that should be taken into account, such as guidelines issued by the Monetary Authority of Singapore, Ministry of Health, etc.

The present trend towards assessing compliance with data protection obligations by reference to prevailing best practices and established standards extends beyond Singapore. Within the region, the current ASEAN Data Management Framework exhorts organisations to refer to existing international standards such as those mentioned above in designing and implementing data protection programmes. Similarly, the United Kingdom Information Commissioner's Office (“UK ICO”) has indicated that industry standards, codes of practice, and public guidelines may be relevant in assessing compliance with data protection requirements. Accordingly, whether from a local or global perspective, it is high time that organisations review developments in cybersecurity industry standards in tandem with routine refreshes of their data protection compliance programmes.

AUTHOR INFORMATION:

Lam Chung Nian is a Partner and Head of the Intellectual Property, Technology & Data Group at WongPartnership LLP.
Email: chungnian.lam@wongpartnership.com

Nick Chiam is a Senior Associate in the Intellectual Property, Technology & Data Group at WongPartnership LLP.
Email: nick.chiam@wongpartnership.com

Huey Lee is an Associate in the Intellectual Property, Technology & Data Group at WongPartnership LLP.
Email: jinhuey.lee@wongpartnership.com

REFERENCES

[1] According to the inaugural Singapore Digital Economy Report published earlier this year by the Info-communications Media Development Authority (IMDA) in partnership with the Lee Kuan Yew School of Public Policy, Singapore's digital economy continues to be a key driver of Singapore's economic growth and contributed about 17.3% (S$106 billion) of Singapore's gross domestic product in 2022.

[2] Cybersecurity has sometimes been described as a 'cat and mouse game' between the defenders and attackers: a constant volley whereby attackers discover vulnerabilities whilst defenders seek to 'patch' these vulnerabilities. See e.g. Speech by DPM Heng Swee Keat at Asia Tech x Singapore Summit 2022, CSA, Singapore Cyber Landscape (2019).

[3] For example, according to the 2022 Cloud Security Alert Fatigue Report published by Orca Security, 59% of security practitioners receive more than 500 cloud security alerts per day.

[4] Pursuant to Section 11(1) of the PDPA, "an organisation must consider what a reasonable person would consider appropriate in the circumstances" in meeting its responsibilities under the PDPA. The PDPC currently takes the position that, "Section 11(1) does not impose a separate obligation on organisations but requires them to consider "what a reasonable person would consider appropriate in the circumstances" when they undertake any action that is subject to the Data Protection Provisions. In seeking to comply with the Data Protection Provisions, organisations should therefore act based on what a reasonable person would consider appropriate in the circumstances.": Advisory Guidelines on Key Concepts in the Personal Data Protection Act, last revised 16 May 2022 (“Key Concepts Guidelines”), [9.2].

[5] See e.g. Re The Law Society of Singapore [2023] SGPDPC 4 (“Re Law Society”), [23]; Re Lovebonito Singapore Pte Ltd [2022] SGPDPC 3. This is despite the PDPC having described multi-factor authentication as a "good to have … for administrative accounts" in the PDPC's Guide to Data Protection Practices for ICT Systems.

[6] Key Concepts Guidelines, [9.5].

[7] For example, "taking into consideration the nature of the personal data, the form in which the personal data has been collected (e.g. physical or electronic) and the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data": Key Concepts Guidelines, [17.2].

[8] See e.g. the PDPC's Guide to Data Protection Practices for ICT Systems, the Guide to Securing Personal Data in Electronic Medium, etc. See also e.g. Fortytwo Pte Ltd [2023] SGPDPCS 3; Re Law Society [2023] SGPDPC 4.

[9] Re Chizzle Pte Ltd [2020] SGPDPCR 1, at [5].

[10] Re Ncode Consultant Pte Ltd [2019] SGPDPC 11, at [15] (“Re Ncode”).

[11] See e.g. Re Creative Technology Ltd [2020] SGPDPDC 1, at [11]; Re SPH Magazines Pte Ltd [2020] SGPDPC 3, at [3].

[12] See e.g. Re ComGateway (S) Pte Ltd [2017] SGPDPC 19, at [35], Re Ncode, at [13], Re Singapore Telecommunications Limited [2019] SGPDPC 36, at [17].

[13] Read with Regulation 10 of the Personal Data Protection Regulations 2021.

[14] Key Concepts Guidelines, [6.23].

[15] Key Concepts Guidelines, [20.31].

[16] E.g. ISO 27001 (Information security, cybersecurity and privacy protection), SS 584:2015 (Multi-Tiered Cloud Security), ISO 27017 (Code of practice for information security controls for cloud services), ISO 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) and ISO 29100 (Privacy framework) in relation to cloud computing, DOD 5220.22-M and NIST SP-800-88 in relation to deletion of data, etc, as may be updated or superseded from time to time.

[17] Guide on Responsible Use of Biometric Data in Security Applications, accessed on 31 October 2023.