24 July, 2018
Singapore authorities have announced that a total of 1.5 million SingHealth patients’ non-medical personal data have been stolen and of these, 160,000 had their dispensed medicines’ records taken too.
While it appears that the Singapore Prime Minister’s information was specifically targeted, the incident illustrates the importance of cyber risk management for every company.
Singapore’s Cybersecurity Act, which came into force earlier this year, aims to protect Critical Information Infrastructure (CII) against cyber attacks. The CII sectors include healthcare as well as energy, water, banking and finance, transport, infocomm, media, security and emergency services, and Government. The Act authorises the Cyber Security Agency of Singapore (CSA) to prevent and respond to cybersecurity threats and incidents, and empowers the Commissioner of Cybersecurity to investigate incidents, as is happening with the SingHealth cyber attack.
Like any other risk, cyber risk can be managed and mitigated, and cyber insurance is increasingly considered a key part of a company’s strategy. The first 48 hours after a company has identified that it is under a cyber attack are pivotal. We set out six crucial considerations for any company facing a cyber attack.
1. Manage and protect communications
It is highly recommended that a legal advisor be assigned the duty of coordinating the rapid response team, as they will be able to liaise with team members and the company and claim the protection of legal professional privilege over most of those communications.
2. Stop the attack
It is of course critical that any cyber attack be stopped as soon as possible.
Where one exists, the security and technology plan should be executed to respond to the attack, including identifying the extent of the damage caused and limiting the extent of the resulting business disruption.
In the SingHealth cyber attack, news reports indicate that unusual activity was detected on SingHealth’s IT databases on 4 July, and immediate action was taken to halt it while investigations took place and security measures were established. Network traffic was closely monitored until it was ascertained that this was indeed a cyber attack, at which point the Ministry of Health and CSA were informed and forensic investigations were carried out.
3. Determine if there has been a data breach
Contrary to a common misconception, a cyber attack and a data breach are not the same thing. Many cyber attacks have the primary aim of extracting data from a system, which constitutes a data breach, but other forms of attack aim to extort funds directly from a company (for example, certain malware attacks such as ransomware) and may not involve any data leaving the system at all.
4. Breach notifications
If a data breach has occurred, it is important to identify as accurately as possible the extent of the records stolen, particularly the nature of the information taken and the location (or locations) of the affected individuals and entities, as this determines who must be notified and under which laws.
Identifying the relevant jurisdictions, and the breach notification laws of each, as soon as possible is critical given the diversity of requirements that notification laws across the world impose. Legal advisors with a global reach greatly assist in completing this potentially mammoth task within a reasonable time frame.
The variety of notification requirements for even a relatively minor breach can be surprising: regulations in some jurisdictions treat the breach as criminal conduct, whereas no action at all may be required in others. The deadlines by which a breach must be notified also vary.
Singapore is currently reviewing its Personal Data Protection Act (PDPA), including the likely introduction of a mandatory breach notification regime. The proposed approach aims to strike a reasonable balance between the need for organisations to collect, use and disclose personal data and individuals’ right to the protection of their personal data. Under the proposals, notification is expected to be mandatory where, for example, the breach involves the data of more than 500 people.
In the case of SingHealth, all patients, whether or not they are affected, will receive an SMS notification over the next five days. Alternatively, they can proactively check whether they have been affected via a mobile app or the SingHealth website.
5. Managing communications
Depending on how serious a breach is and the extent of the notifications that will be made, a breach coach may also need to consider, in conjunction with the jurisdictional legal advisors and the company, whether any public relations material or campaigns need to be prepared to protect the brand and reputation of the affected company.
6. Cyber insurance
The most comprehensive cyber policies include rapid response cover. Unlike most other policies, the protection afforded by rapid response cover can come into play as soon as a potential cyber attack has been identified, before the existence of a claim has been established.
For further information, please contact:
Ian Roberts, Partner, Clyde & Co
ian.roberts@clydeco.com