21 April, 2016
New cloud outage incident response (COIR) guidelines in Singapore can help cloud providers and the businesses that use their services to manage data breaches in line with the country's data protection regime.
Although the guidelines issued by the Infocomm Development Authority of Singapore (IDA) (58-page / 786KB PDF) state that they are "not meant to resolve issues due to cyber security, malicious act or breach of personal data protection laws", they are built upon recognised Singapore and international standards for cloud security, SS 584: 2015.
The guidelines help explain how those standards interface with the country's Personal Data Protection Act (PDPA) in event an outage is coupled with a data breach.
Businesses subject to the PDPA are obliged to employ reasonable security arrangements to protect personal data in their possession or under their control from unauthorised access, collection, use, disclosure, copying, modification or disposal.
Penalties for non-compliance with can include fines of up to SIN$1 million ($740,000)
The security measures that each company needs to deploy to be compliant with the PDPA will vary from case to case and will depend on the nature of the personal data and potential harm caused by a breach of that data, but will likely include a mix of staff training and physical and technological security measures being deployed.
Organisations are advised to notify the Personal Data Protection Commission (PDPC) and affected individuals as soon as possible after any data breach that might cause public concern or where there is a risk of harm to a group of affected individuals. Notifications made, or lack thereof, and whether organisations have adequate recovery procedures in place, will affect the PDPC’s decision on whether an organisation has fulfilled its protection obligations under the PDPA.
The COIR guidelines also incorporate a framework of self-disclosure by cloud providers to help inform cloud users about the reliability and resilience of the cloud services they offer, as well as the "accountability, change management procedures and incident management procedures" cloud providers have in place. A dedicated self-disclosure form has been created for cloud providers to fill out and post on their websites.
The guidelines set out how cloud providers can assess and plan for cloud outages, for example through stress scenario testing, conducting risk assessments and establishing appropriate communications plans to follow in the event of an incident. It also encourages the use of outage incident response plans, and says cloud providers should identify senior managers "to lead and make timely decisions", as well as third parties to engage, when incidents occur.
Cloud providers are also encouraged to identify what cloud services to prioritise the recovery and restoration of post-incident and have clear channels of communication with customers to enable notification of outages when they occur.
The guidelines are structured into four tiers, giving cloud providers the opportunity to prepare cloud outage incident response plans tailored to severity of the impact an outage of their services would have, from a systemic or life-threatening impact, to a business critical impact, operational impact and minimal impact.
The adoption of a specified multi-tier approach and a self-disclosure regime ensures that users and service providers are on the same page when contracting for cloud services. This is important as Singapore is pushing towards creating a Smart Nation, which will result in more services and data being stored on the cloud and wider adoption of cloud technologies.
For further information please contact:
Bryan Tan, Partner, Pinsent Masons MPillay
bryan.tan@pinsentmasons.com