Data Becomes Tomorrow's Valuable Asset for Lawyers in Emerging Technologies
In Singapore, the legal landscape for addressing data breaches and cyberattacks is robust and multi-faceted. The Personal Data Protection Act (PDPA) and sector-specific cybersecurity regulations, enforced by regulatory authorities such as the Personal Data Protection Commission (PDPC) and the Monetary Authority of Singapore (MAS), form the backbone of the current legal remedies.
The PDPA, which governs the collection, use, and disclosure of personal data by organizations in Singapore, empowers the PDPC to investigate and penalize organizations that suffer data breaches or improperly handle personal data. Financial penalties and remedial actions such as improving security measures are among the sanctions that can be imposed. Organizations are also mandated to notify affected individuals and the PDPC when a data breach poses a risk of significant harm.
Financial institutions in Singapore are subject to MAS regulations, which require robust cybersecurity measures, incident reporting, and regular penetration testing. Failure to comply can result in regulatory actions including fines, license suspension, or reputational damage. MAS also enforces the Cyber Hygiene Notice, setting baseline cybersecurity standards such as timely patching and malware protection.
Singapore's regulatory bodies are proactive in issuing advisories to improve data security practices. A recent joint advisory from the PDPC and the Cyber Security Agency (CSA) urged an end to the use of National Registration Identity Card (NRIC) numbers for authentication because of their vulnerability to impersonation and data misuse. The government has also announced plans to update the Cybersecurity Act to grant more powers to authorities to combat sophisticated cyber threats and impose stricter controls for critical infrastructure and affected sectors.
While criminal prosecution under the Computer Misuse Act for hacking and unauthorized access is possible, civil remedies such as lawsuits for breach of confidence, negligence, or breach of contract may also be pursued by victims of data breaches, depending on the context.
Information that is confidential or a trade secret is protected by the law of confidentiality, and intellectual property law protects certain types of information, including expressions of ideas, databases, and inventions. A distinction exists between information and the physical medium on which it is recorded.
The law is constantly being stretched to address emerging legal issues related to technology and data. For instance, personal data, as defined under the PDPA, is protected in Singapore. The Singapore Academy of Law (SAL) has Accredited Specialists and Senior Accredited Specialists in Data and Digital Economy Law to help navigate these complexities. The Directory of Specialists at SAL can be found online.
Rajesh Sreenivasan, a Senior Accredited Specialist at SAL, has contributed to a chapter in the recently published "Law and Technology in Singapore (Second Edition)". The book, which can be purchased online, provides a comprehensive overview of the legal landscape in Singapore.
- Law firms specializing in data and digital economy law, such as those with Accredited Specialists and Senior Accredited Specialists at the Singapore Academy of Law (SAL), can provide valuable guidance on navigating the complexities of intellectual property, cybersecurity, and data and cloud computing laws in Singapore.
- In cases of data breaches, organizations may face penalties and remedial actions, including financial penalties and improvements to security measures, as outlined by the Personal Data Protection Act (PDPA) and enforced by the Personal Data Protection Commission (PDPC).
- Financial institutions in Singapore are expected to adhere to strict cybersecurity measures, including regular penetration testing and timely patching, as dictated by the Monetary Authority of Singapore (MAS), or risk facing regulatory actions such as fines, license suspension, or reputational damage.