The modern age is filled with new and evolving threats. As businesses race to advance, they rely heavily on technology. Digital transformation has reinvented the way companies provide services, create products, and expand.
A side effect of this newfound reliance on technology is the threat of data breaches. A data breach involves unauthorized access to private or confidential data. This can be from clients, the company itself, or any form of user data.
As a result, many governments and organizations put policies and regulations in place to protect the data integrity and privacy of the public. Companies that do not abide by these regulations face hefty data breach fines and penalties.
According to the United Nations, 137 out of 194 countries have put in place legislation to secure the protection of data and privacy. We explore some of the data breach fines and data breach penalties in place across a few countries and how companies can prevent these data breach fines from being imposed on them.
Singapore is an island country situated off the southern tip of the Malay Peninsula. The country hosts one of the largest ports in the world and is one of the world’s leading petroleum refiners.
Data Laws and Regulations
Singapore’s Personal Data Protection Act 2012 consists of various requirements governing the collection, use, disclosure, and care of personal data. The PDPA covers personal data stored in electronic and non-electronic formats.
Organizations under the PDPA have obligations to users that include:
- Accountability for data protection.
- Notifying individuals of the purposes for which your organization is intending to collect, use or disclose their personal data.
- Only collecting, using, or disclosing personal data for purposes to which an individual has given his/her consent.
- Only collecting, using, or disclosing personal data for the purposes that a reasonable person would consider appropriate.
- Ensuring that the personal data collected is accurate and complete.
- Ensuring reasonable security to protect personal data.
- Ceasing the collection and ensuring the proper disposal of personal data when no longer useful.
- Limiting the transfer of personal data.
- Providing access and editing rights to the data.
- Immediate notification in the event of a data breach.
- Ensuring data portability.
The Personal Data Protection (Do Not Call Registry) Regulations 2013 allow individuals to register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organizations.
Non-compliance with certain of the PDPA's Do Not Call provisions is a criminal offense, punishable upon conviction with a fine not exceeding US$ 7,400 and/or imprisonment for a term not exceeding three years. In the event of a continuing offense, a further fine not exceeding US$ 740 applies for each day the offense continues after conviction.
The Personal Data Protection (Notification of Data Breaches) Regulations 2021 also require organizations to notify all users of data breaches that may affect them.
The PDPC holds significant powers over organizations in Singapore, including:
- Ordering the payment of a financial penalty. On 1 October 2022, enhanced financial penalties under the Singapore PDPA came into effect. These allow the PDPC to impose financial penalties on organizations of up to SGD 1 million or 10% of an organization's annual turnover in Singapore - whichever is higher - for breaches of the Data Protection Provisions under the Singapore PDPA.
- Accepting a voluntary undertaking, in which the organization commits to an already established remediation plan to resolve a data breach detected early.
Examples of Data Breach Penalties
- Singapore's Personal Data Protection Commission announced a SGD 62,400 fine against Eatigo International in relation to a 2020 data breach affecting 2.76 million individuals. The PDPC found the company failed to put in place reasonable security arrangements to protect users' personal data.
- The PDPC also fined Fullerton Healthcare Singapore and Agape CP Holdings for failing to implement security arrangements to protect personal data belonging to Fullerton Healthcare's corporate clients and direct patients. A $58,000 penalty was imposed on Fullerton and $10,000 on Agape CP Holdings.
- The Monetary Authority of Singapore (MAS) fined Singaporean banks DBS, OCBC, and the local businesses of US-based Citigroup and insurance firm Swiss Life. The penalties total SGD 3.8 million and were related to the Wirecard scandal. According to MAS, the financial institutions were found to have inadequate AML/CFT controls in place.
- The PDPC fined real estate company OrangeTee & Tie SGD 37,000 for failing to protect the sensitive personal data of thousands of customers, agents, and employees in a 2021 data breach.
The Southeast Asian country of Malaysia is a major producer and exporter of rubber, palm oil, petroleum, and natural gas, and is one of the world’s largest sources of commercial hardwoods.
Data Laws and Regulations
The Malaysian Personal Data Protection Department (PDPD) was established to oversee the processing of personal data of individuals involved in commercial transactions.
Under the PDPA, individuals are protected from any form of abuse in the storage or processing of their personal data, in both the public and private sectors in Malaysia.
The Personal Data Protection Act 2010 (Act 709), or PDPA, safeguards personal data by requiring data users to comply with certain obligations and conferring certain rights on data subjects over their personal data.
The Personal Data Protection Standard 2015 - or the 2015 Standards - includes security standards, retention standards, and data integrity standards. These apply to personal data that is processed electronically and non-electronically.
The 2015 Standards are intended to be 'a minimum requirement' and will apply to all data users, meaning any person who processes, has control of, or allows the processing of, any personal data in connection with a commercial transaction.
Failure to comply with the PDPA may amount to a criminal offense. The breach of any of the seven data protection principles attracts a fine of up to MYR 300,000 and/or up to 2 years of imprisonment.
The unlawful collection, disclosure, and sale of personal data attracts a fine of up to MYR 500,000 and/or up to three years' imprisonment. Several other key data privacy laws and regulations in Malaysia are also in force to protect users.
In its current form, the PDPA only covers commercial entities and transactions. This exempts both the federal and state governments from its rules and principles - including those requiring data users to properly secure personal information provided to them.
Indonesia is found off the coast of mainland Southeast Asia in the Indian and Pacific oceans. The country is a major exporter of crude petroleum and natural gas while also being one of the world’s main suppliers of rubber, coffee, cocoa, palm oil, and more.
Data Laws and Regulations
The Indonesian Personal Data Protection Law No. 27 was enacted in 2022. The PDP Law establishes responsibilities for the processing of personal data and rights for individuals. The PDP Law also broadly exempts the financial services sector.
The law imposes stricter requirements on controllers - such as broad record-keeping obligations for processing activities - and has unique provisions for the use of facial recognition technologies.
Special categories of data explicitly include children’s data and personal financial data. For specific data subject requests, such as access, rectification, and restriction, organizations only have 72 hours to respond.
The PDP Law imposes a tiered system of administrative sanctions - alongside civil and criminal penalties - that escalate depending on the severity of the violation. Under the PDP Law, the Data Protection Authority may issue the following administrative sanctions:
- A written warning.
- Temporary suspension of processing activities.
- Forced deletion of personal data.
- Administrative fines of up to 2% of the data controller's annual revenue or sales.
While corporations may only be fined for criminal offenses, the PDP Law also specifies that managers, high-ranking officers, or certain owners of the corporation could be incarcerated and personally fined for their actions (Art 70).
Corporations may also receive a fine of up to ten times the maximum fine imposed on an individual or corporate officer, and be subject to other punishments including:
- Seizure of profits or assets obtained in the criminal offense.
- Revocation of licenses, business operations, or physical offices.
- Dissolution of the corporation or permanent ban on certain operations.
If you want to know more about data privacy, data governance, and data regulations, reach out to the Sangfor Indonesia office. We would love to discuss your situation with you and suggest the best solutions.
The Philippines is a Southeast Asian island country in the western Pacific Ocean. The country is largely agricultural. Its economy is based on free enterprise where individuals and non-government entities are free to participate in its development and management.
Data Laws and Regulations
Republic Act No. 10173 - or the Data Privacy Act of 2012 - seeks to protect all forms of private, personal, or sensitive information. The law covers both natural and juridical persons involved in the processing of personal information.
The Act enforces the policy of the State to protect the fundamental human right of privacy of communication while ensuring the free flow of information with an end in view to promote innovation and growth.
The State has a vital role to ensure the protection and security of personal data in the private and public sectors.
Penalties provided in the Act and its IRR (Implementing Rules and Regulations) range from six months to seven years of imprisonment, along with fines ranging from PHP 100,000 to PHP 5 million - based on whether personal information or sensitive personal information is involved.
Moreover, additional penalties may apply depending on the identity of the offender and the number of affected data subjects.
Reach out to data experts in the Philippines to discuss data privacy further.
Thailand is a country located in the center of mainland Southeast Asia. The country is one of the world’s largest rice exporters with a market economy based in trade and light industries.
Data Laws and Regulations
Thailand’s Personal Data Protection Act (PDPA) includes data processing, data collection, data storage, and data consent protocols. The legislation mandates that data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes.
Thailand's PDPA also imposes punishment for non-compliance of up to THB 5 million in administrative fines and up to THB 1 million in criminal fines. The data protection obligations apply to all organizations that collect, use, or disclose personal data in Thailand or the personal data of Thai residents.
Preventing Data Breach Fines and Data Breach Penalties
For most organizations, the threat of a penalty or fine may feel like adding insult to injury in the long run. However, these regulations need to be put in place to ensure that companies take user privacy and data integrity seriously.
The best way to steer clear of these data breach fines and penalties is to invest in the right infrastructure.
- Sangfor is a leading cloud computing and cybersecurity provider that makes use of the latest technologies, innovations, and designs. Sangfor’s Managed Cloud Services provides a globally distributed data center with all the convenience and flexibility of a public cloud combined with the security, control, and professional service of a private cloud.
- The Sangfor Hyper-Converged Infrastructure (HCI) is an innovative third-generation platform that converges computing, storage, networking, and security on a single software stack - providing a simplified one-stop software-defined data center solution tailored for business-critical applications.
- For those companies still on the fence when it comes to cloud infrastructure, Sangfor also offers an advanced Hybrid Cloud setup. This ensures flexibility for on- or off-premises applications as needed with centralized management.
Companies also need to be cautious about the data storage systems they use. More businesses need to invest in a data lake or data warehouse to ensure secure and reliable data storage.
Most data breaches are the result of poor cybersecurity. Sangfor is proud to offer an array of cybersecurity platforms and products that will keep data breaches - and data breach penalties - at bay.
- The Sangfor Next Generation Firewall (NGFW) is used in conjunction with Endpoint Security to identify malicious files at both the network level and endpoints. The advanced firewall is a security device designed to inspect network and application traffic for threats, secure the network environment from intrusion, and bring in security intelligence from outside the network.
- The advanced Endpoint Secure technology provides integrated protection against malware infections and APT breaches across your entire organization's network – all with ease of management, operation, and maintenance.
- Finally, the Cyber Command platform monitors for malware, residual security events, and future potential compromises in your network and is coupled with our advanced Threat Intelligence technology and an enhanced AI algorithm that can keep you updated on any vulnerabilities detected.
Make the smart choice and choose Sangfor for infrastructure and cybersecurity solutions that will keep your company far from the costs of a data breach fine or penalty.