Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 15 January 2025

Yes.

☒  general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 15 January 2025

☒  public company obligations (e.g., duties to maintain sufficient information security measures or to ensure operational resilience to cyberattacks)

☒  network information security requirements (broader than telecommunications)

☒  financial services requirements

☒  telecommunication requirements

☒  providers of critical infrastructure

☒  digital or connected (IoT) products

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 15 January 2025

☒  Data privacy

☒  health

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 15 January 2025

Yes, there are obligations pursuant to the Personal Data Protection Act 2012 (PDPA) to notify:

  • The Personal Data Protection Commission (PDPC), the statutory authority that enforces and administers the PDPA, as soon as is practicable, but in any case no later than three calendar days from the day on which the organization determines that a data breach is a notifiable data breach (pursuant to Section 26D(1) of the PDPA)
  • Affected individuals whose personal data is affected by the data breach, as soon as practicable, at the same time as or after notifying the PDPC (pursuant to Section 26D(2) of the PDPA and the Advisory Guidelines on Key Concepts in the Personal Data Protection Act), and/or
  • The organization or public agency on whose behalf a data intermediary is processing personal data, without undue delay from the time the data intermediary has credible grounds to believe that the data breach has occurred (pursuant to Section 26C(3)(a) of the PDPA).

A data breach in relation to personal data means the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data; or the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorized access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

Once an organization has credible grounds to believe that a data breach has occurred, it is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA. A data breach is notifiable to the PDPC if it: (a) results in, or is likely to result in, significant harm to an affected individual; or (b) is, or is likely to be, of a significant scale.

For notification obligations under cybersecurity law, section 14 of the Cybersecurity Act 2018 (CSA) provides that designated owners of critical information infrastructure (CII) are required to report to the Commissioner of Cybersecurity, in the prescribed form and manner and within the prescribed time period, the occurrence of:

(a) a prescribed cybersecurity incident in respect of the critical information infrastructure

(b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner's control that is interconnected with or that communicates with the critical information infrastructure

(ba) a prescribed cybersecurity incident in respect of any other computer or computer system under the owner’s control that does not fall within paragraph (b)

(bb) a prescribed cybersecurity incident in respect of any computer or computer system under the control of a supplier to the owner that is interconnected with or that communicates with the provider-owned critical information infrastructure, or

(c) any other type of cybersecurity incident in respect of the critical information infrastructure as specified by a written direction to the owner.

"Cybersecurity incident" means an act or activity carried out without lawful authority on or through a computer or computer system that jeopardizes or adversely affects the availability, operation or integrity of a computer or computer system, or the integrity and confidentiality of information stored in, processed by or transmitted through a computer or computer system.

The prescribed time period can be found in Regulation 5 of the Cybersecurity (Critical Information Infrastructure) Regulations 2018, which provides that the designated owner of critical information infrastructure must notify the Commissioner of Cybersecurity of a cybersecurity incident in the required form within two hours after becoming aware of its occurrence, and must provide, within 14 days of the initial submission, supplementary details on: the cause of the cybersecurity incident; its impact on the critical information infrastructure, or on any interconnected computer or computer system; and the remedial measures that have been taken.

There are no publicly available requirements for the notification of affected data subject individuals.

Following the recent Cybersecurity (Amendment) Act 2024, the penalty regime has been revised. Previously, compliance with these obligations was enforced solely through criminal penalties on CII owners.

  • Under the new Section 37A of the Act, the CSA may now, with the Public Prosecutor's consent, bring an action in court for civil penalties in place of any criminal penalties under Part 3, 3A, 3B, 3C or 3D of the Act. In making a recommendation to the Public Prosecutor, the CSA will consider a range of factors, including the risks created by the non-compliance, its egregiousness, and the facts of the case.
  • The civil penalties that may be sought carry a range of maximum amounts for different offences, the highest of which is up to SGD 500,000 or 10% of the annual turnover of the entity's business in Singapore (Section 37A of the Act).
  • The criminal penalties under Part 3D of the Act, which regulates Foundational Digital Infrastructure, can be a fine of up to SGD 200,000 or 10% of the annual turnover of the entity's business in Singapore (Section 18H of the Act). This is noticeably higher than the existing penalties for CII, which are a fine of up to a maximum of SGD 100,000 (Section 10 of the Act).
Controllers/Owners have to notify:

Last review date: 15 January 2025

An organization (the equivalent of a controller/owner) must notify the PDPC, the statutory authority that enforces and administers the PDPA, as soon as is practicable, but in any case no later than three calendar days from the day on which the organization determines that a data breach is a notifiable data breach (pursuant to Section 26D(1) of the PDPA); and affected individuals whose personal data is affected by the data breach, as soon as practicable, at the same time as or after notifying the PDPC (pursuant to Section 26D(2) of the PDPA and the Advisory Guidelines on Key Concepts in the Personal Data Protection Act).

Under the CSA, an owner of a critical information infrastructure must notify the Commissioner in the prescribed form and manner within the prescribed period (pursuant to Section 14(1) of the CSA).

Pursuant to Section 16I of the CSA (inserted by the Cybersecurity (Amendment) Act 2024), a designated provider of an essential service must obtain a legally binding commitment from the owner of the third-party-owned critical information infrastructure that the latter will notify the former of the occurrence of any of the following within the prescribed period after becoming aware of such occurrence:

(a) a prescribed cybersecurity incident in respect of the third-party-owned critical information infrastructure;

(b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner's control that is interconnected with or that communicates with the third-party-owned critical information infrastructure;

(c) any other type of cybersecurity incident in respect of the third-party-owned critical information infrastructure that the Commissioner has specified by written direction to the designated provider responsible for third-party-owned critical information infrastructure.

Pursuant to Section 16A of the CSA (inserted by the Cybersecurity (Amendment) Act 2024), the Commissioner may designate a provider of an essential service as a designated provider responsible for third-party-owned critical information infrastructure if:

  1. the computer or computer system (called a third-party-owned critical information infrastructure) is necessary for the continuous delivery of the essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore, and
  2. the computer or computer system is not owned by the provider of the essential service.

☒  data protection authorities

☒  cybersecurity authorities

☒  affected individuals

Processors/Agents have to notify:

Last review date: 15 January 2025

A data intermediary (the equivalent of a data processor/agent) must notify the organization or public agency on whose behalf it is processing personal data, without undue delay from the time it has credible grounds to believe that the data breach has occurred (pursuant to Section 26C(3)(a) of the PDPA).

☒  controller/owner

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 15 January 2025

Yes.

☒  public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)

☒  cybersecurity authorities

☒  financial services requirements

☒  providers of critical infrastructure

☒  other

For instance, notification may be required or expected to the Monetary Authority of Singapore (for the financial institutions it regulates), to the police (if criminal activity such as hacking or unauthorized system access by an employee is suspected, and to preserve evidence for investigations) or to the Singapore Computer Emergency Response Team for cyberattacks (i.e., the deliberate exploitation of computer systems, technology-dependent enterprises and networks using malicious code to alter computer code, logic or data, which can compromise data and lead to cybercrimes such as information and identity theft).

Details regarding the identified data security breach notification requirements

Pursuant to the various Notices on Technology Risk Management applicable to different categories of regulated financial institutions issued by the Monetary Authority of Singapore, these regulated financial institutions are required to notify the Monetary Authority of Singapore as soon as possible, but not later than one hour, from the discovery of a "relevant incident" (which would include a security breach). "Relevant incident" is defined as a system malfunction or IT security incident which has a severe and widespread impact on the financial institution's operations or materially impacts the financial institution's service to its customers, and would potentially include a breach of security for personal data. Further, a financial institution is also required to submit a root cause and impact analysis report within 14 days, or such longer period as the Monetary Authority of Singapore may allow. Notification of the affected data subject individuals is not mandatory. Penalties for non-compliance vary depending on the specific type of financial institution involved. Maximum fines range from SGD 25,000 to SGD 150,000 per offense, with further maximum fines in the range of SGD 2,000 to SGD 15,000 per day for continuing offenses. For some financial institutions, directors and managers may also be found liable for non-compliance with the breach notice obligations.

A police report can be made by dialing 999 or texting 71999.

A report to the Singapore Computer Emergency Response Team can be submitted online on its website.

With respect to public company obligations, a company listed on the Singapore Exchange Securities Trading Limited (SGX-ST) has to include in its annual report any material weaknesses that are identified and the steps taken to address such weaknesses. In addition, while there are no cybersecurity-specific disclosure requirements, Rule 703 of the SGX Rulebook provides that a listed company must announce in a timely manner any information which is necessary to avoid the establishment of a false market in its securities or which would be likely to materially affect the price or value of its securities, unless certain conditions are fulfilled.

The Ministry of Health (MOH) conducted a public consultation from 11 December 2023 to 11 January 2024 on the proposed Health Information Bill (HIB). If enacted, healthcare providers will be required to report cybersecurity incidents or data breaches that meet prescribed thresholds to the MOH within two hours of confirming that the incident is notifiable. There will also be notification requirements in respect of affected individuals.