Monthly Archives: March 2024

Keep Calm and Comply On: Singapore’s PDPA

PDPA Overview: The Personal Data Protection Act

In 2024, as digital connectivity and data exchange continue to expand, protecting personal privacy has become increasingly critical. Singapore’s Personal Data Protection Act (PDPA) represents a significant step in protecting individuals’ personal information while balancing the operational needs of organizations. This blog explores the PDPA’s core components, its objectives, and its implications for both individuals and organizations. In short, the PDPA is a general data protection law that applies to all private sector organizations.


What is Personal Data?

Personal data is any information about an individual who can be identified from that data, or from that data in conjunction with other information accessible to the organization. This broad definition encompasses a wide range of information, from names and contact details to medical records and financial information, highlighting the PDPA’s comprehensive approach to privacy.


Introduction to the PDPA:

The PDPA sets a baseline standard for personal data protection in Singapore, supplementing sector-specific frameworks such as those governing banking and insurance. It addresses the collection, use, disclosure, and care of personal data, ensuring organizations adhere to strict guidelines in managing personal information. Additionally, it is worth noting that there are more regulations established under this Act:


  • The Personal Data Protection (Notification of Data Breaches) Regulations 2021, which address the procedures following data breaches.

  • The Personal Data Protection (Composition of Offences) Regulations 2021, outlining the classification of offenses under the act.

  • The Personal Data Protection (Do Not Call Registry) Regulations 2013, establishing guidelines for the Do Not Call Registry.

  • The Personal Data Protection (Enforcement) Regulations 2021, detailing enforcement measures.

  • The Personal Data Protection (Appeal) Regulations 2021, specifying the appeal processes related to decisions made under the act.


Objectives of the PDPA:

The PDPA’s primary goal is to protect individuals’ personal data from misuse, fostering trust in organizations that handle such data. It aims to balance the protection of individual privacy with the legitimate needs of organizations to use personal data for reasonable purposes. By regulating personal data flow, the PDPA seeks to reinforce Singapore’s reputation as a trusted global business hub.


Scope and Applicability of the PDPA:

The PDPA covers both electronic and non-electronic formats of personal data. However, it exempts individuals acting in personal or domestic contexts, employees within their organizational capacity, public agencies dealing with personal data, and business contact information. This distinction ensures the PDPA’s provisions are targeted and relevant to the protection of personal privacy without unduly burdening personal or internal business processes.


Data Protection Obligations Under the PDPA:

Organizations are mandated to comply with the PDPA when engaging in any form of personal data collection, use, or disclosure. These obligations include obtaining consent, ensuring data accuracy, providing security safeguards, and allowing individuals access to and correction of their data. Compliance is not optional; it’s a legal requirement, with significant implications for non-adherence.


Development and Evolution of the PDPA:

Since its inception, the PDPA has undergone several key developments:

  • 2013: The Personal Data Protection Commission (PDPC) was established to oversee the Act’s implementation and enforcement.

  • 2014: Provisions related to the DNC Registry became operational, alongside the main data protection rules.

  • 2020: Amendments were passed to update the PDPA, reflecting evolving data protection needs.

  • 2021: These amendments took effect in phases, starting from February, marking the continuous effort to strengthen data protection in Singapore.


Most recently, on March 1, 2024, the PDPC released Advisory Guidelines on the use of personal data in AI recommendation and decision systems. These guidelines, while not legally binding, provide a framework for how the PDPA might be enforced concerning AI. They offer clarity on exceptions for using personal data in AI development, emphasize data protection and accountability, and suggest transparency in policies.


Highlights:

  • The guidelines outline when organizations can rely on the PDPA’s exceptions to use personal data for AI development.

  • They advise on protecting data and ensuring accountability in AI system deployment.

  • Organizations are encouraged to disclose their data protection policies to build trust.


Commitment to data protection:

The PDPA embodies Singapore’s role in balancing individual privacy rights with the operational needs of organizations. Its comprehensive approach, from setting standards for personal data management to establishing the DNC Registry, reflects a nuanced understanding of the digital age’s challenges. As the PDPA evolves, it remains a cornerstone of Singapore’s data protection regime, ensuring the country remains a secure and trusted place for both individuals and businesses.


Inside Germany’s Supply Chain Due Diligence Act

The German Supply Chain Due Diligence Act

The German Supply Chain Due Diligence Act (SCDDA), which took effect January 1, 2023, marks a significant milestone in the corporate responsibility and sustainability landscape. As of 2023, the act applies to enterprises that have their central administration, principal place of business, administrative headquarters, statutory seat, or branch office in Germany and at least 3,000 employees in Germany. Starting in 2024, the Act began to extend to enterprises with 1,000 or more employees in Germany. This inclusive approach requires companies to scrutinize and mitigate risks not only within their immediate operations but also across their global network of direct and indirect suppliers.

It’s simple: now, an enterprise’s responsibility no longer ends at its own factory gate but affects the entire supply chain.

Understanding SCDDA Requirements:

The core of the SCDDA lies in its comprehensive due diligence obligations, urging companies to establish a robust risk management system. This system is designed to identify, prevent, and minimize potential human rights and environmental violations. Essential components include conducting detailed risk analyses, adopting a Management Board policy on human rights, implementing preventative measures, taking remedial action for any infringements, and establishing a complaint mechanism for reporting violations. Additionally, companies are expected to maintain ongoing documentation and produce annual reports on their due diligence efforts.

The oversight of these regulations will be conducted by the Federal Office for Economic Affairs and Export Control, which possesses the authority to inspect business premises, request information, examine documents, impose fines, and mandate specific corrective actions to ensure compliance with the law.

Companies are mandated to fulfill certain obligations related to human rights and environmental due diligence within their supply chains to avoid penalties. These penalties range from fines starting at 8 million euros to as much as 2% of their global annual revenue, particularly affecting firms with an annual revenue exceeding 400 million euros. Beyond financial repercussions, companies violating these regulations may also face exclusion from public procurement opportunities. Expected areas of focus for businesses include combating forced labor, child labor, discrimination, breaches of freedom of association, unethical employment practices, unsafe work environments, and environmental degradation.

Strategies for SCDDA Implementation:

New regulations and acts require new strategies. Collaboration plays a pivotal role, with industry initiatives offering a platform for companies to share insights, address common challenges, and collectively enhance supply chain practices. Embracing advanced technology is essential; leveraging AI can significantly improve supply chain visibility, compliance monitoring, and risk management. Risk assessment and mapping form the cornerstone of a proactive strategy, enabling companies to meticulously identify, assess, and prioritize potential risks. Engaging with suppliers is equally critical, as providing them with the necessary training and support ensures they meet compliance expectations, fostering strong relationships and a transparent, ethical supply chain. Through these strategies, companies are not just adhering to standards but are paving the way for a more sustainable and responsible global supply chain ecosystem.

Navigating Challenges and Leveraging Opportunities:

The SCDDA poses complex implementation challenges, necessitating a deep dive into contractual relationships with suppliers and the development of comprehensive risk assessment methodologies. However, it also offers an opportunity for companies to lead the way in sustainable and responsible business practices. By integrating due diligence into their core operations, companies can not only comply with legal requirements but also build more resilient and ethical supply chains.

The German Supply Chain Due Diligence Act is more than just a regulatory requirement; it’s a call to action for companies to play a pivotal role in promoting global human rights and environmental sustainability. As businesses adapt to these new obligations, the collective effort can lead to a transformative impact on global supply chain practices, setting a benchmark for corporate responsibility worldwide. The journey toward compliance will be intricate and demanding, yet it offers a path towards fostering ethical, sustainable, and resilient supply chains that can thrive in the face of future challenges.

The Key to Ethical Supply Chains:

Navigating the complexities of the SCDDA requires a multifaceted approach, where compliance meets innovation, and collaboration drives improvement. By prioritizing legal and regulatory compliance, embracing technological advancements, engaging in industry-wide collaborations, conducting thorough risk assessments, and building strong partnerships with suppliers, companies can create a supply chain that is not only compliant but also sustainable and ethical. As the business world continues to evolve, these practices will not only ensure adherence to global standards but also position companies as leaders in ethical business practices. The journey towards a responsible supply chain is continuous and demands a commitment to improvement, transparency, and shared responsibility. Through adopting these strategies, companies can not only meet the challenges of today but also lay the foundation for a more sustainable and equitable future.


February 2024 Data Breach Round Up


From Healthcare to Finance: The Shocking Cybersecurity Wake-Up Call of February 2024

Lately, it feels like we’ve been hit by a wave of cybersecurity incidents that have really shaken things up. It’s not just a bunch of breaches we’re talking about here; we’re seeing huge, flashing signs telling companies it’s high time to beef up their cybersecurity defenses and get smarter about how they handle incidents when they happen. In this blog, I’ll dive into the chaos of these cyber incidents, break down their effects, and tease out the valuable lessons they’re teaching us. So, come along for the ride and read up about the top breaches of February! 


  1. Change Healthcare


Change Healthcare, a subsidiary of UnitedHealth Group, experienced a cybersecurity incident on February 21, 2024, that has led to significant disruptions across the U.S. healthcare sector, affecting hospitals, pharmacies, and millions of patients. This breach, described by government and industry officials as one of the most severe attacks on the healthcare system in U.S. history, has highlighted critical vulnerabilities within the U.S. healthcare infrastructure. Change Healthcare, crucial for processing 15 billion claims amounting to over $1.5 trillion annually, acts as an intermediary between healthcare providers and insurers. The attack has not only compromised patient data but has also strained the financial operations of healthcare organizations reliant on Change’s services for billing and reimbursement.


The ramifications of this incident are widespread, with some hospitals unable to discharge patients due to medication access issues and others facing severe financial strains. Senate Majority Leader Charles E. Schumer has called for expedited payments to affected healthcare providers to mitigate the financial impact. Despite efforts to manage the situation, including temporary assistance from Optum and manual claims processing, the industry faces “very, very imperfect workarounds,” according to Molly Smith from the American Hospital Association. The attack underscores the urgent need for enhanced cybersecurity measures across the healthcare ecosystem to prevent future disruptions and safeguard patient information.


In a company update, they confirm that they are “experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.”


  2. Unlocking the Impact: Fidelity’s Third-Party Vendor Vulnerability Exposed


On February 13, 2024, Fidelity Investments Life Insurance Company and Empire Fidelity Life Insurance Company discovered a cybersecurity incident involving their third-party vendor, Infosys McCamish Systems (IMS), which may have impacted the security of personal information belonging to approximately 28,268 people. IMS, responsible for administering certain life insurance policies for a limited number of customers, experienced a cybersecurity event when an unauthorized third party gained access to IMS systems between October 29, 2023, and November 2, 2023, potentially compromising data including names, Social Security Numbers, dates of birth, and bank account details used for premium payments. 


  3. Medical Management Resource Group: Eyes Wide Open

American Vision Partners, a company specializing in providing administrative support to ophthalmology practices, has recently addressed a significant cybersecurity breach affecting patient information. On February 15, 2024, the company sent out notification letters explaining that on November 14, 2023, the organization detected unauthorized access within its network infrastructure. Immediate action was taken to mitigate the breach by isolating the affected systems, initiating a thorough investigation with the help of leading cybersecurity experts, and notifying law enforcement authorities. Despite these efforts, it was confirmed by December 6, 2023, that the breach led to unauthorized access to personal data of patients linked to the practices serviced by American Vision Partners. The compromised data encompasses a range of sensitive information, including names, contact details, dates of birth, Social Security numbers, and specific medical and insurance details. 


It has also come to light that not only patients but also employees of the affected organization were victims of a data breach. The compromised information varies among individuals but could include a range of personal details such as names, contact information, dates of birth, Social Security numbers, driver’s license and passport details, and even bank account numbers. While not every piece of information was accessed for each individual, the breach’s potential impact is taken with utmost seriousness. In response, the organization is proactively offering identity protection and credit monitoring services to all impacted employees for two years at no charge, demonstrating a commitment to the security and welfare of its personnel. 


About 2,264,157 individuals were impacted by this incident. 


  4. Spark Driver: A Rough Road for Walmart’s Workforce

On February 23, 2024, Walmart Inc. notified employees about a recent security incident that has impacted Spark Driver™ accounts. This breach, discovered in late January, allowed unauthorized access to employees’ driver profiles, potentially compromising sensitive information, including Social Security Numbers, driver’s licenses, dates of birth, names, and contact details. The breach provided the intruder with the ability to view details about earnings, tax information, driver verification documents, and background checks.


  5. LoanDepot: A Flood of Personal Data at Risk


LoanDepot issued a notice on February 23, 2024, regarding a data breach that potentially compromised sensitive personal information of almost 17 million people due to unauthorized access to its systems. This security incident was first identified on January 4, 2024, prompting immediate actions to contain and address the breach, including contacting law enforcement and initiating a thorough investigation with external cybersecurity experts. The breach, occurring between January 3 and January 5, 2024, may have exposed personal details such as names, addresses, email addresses, financial account numbers, Social Security numbers, phone numbers, and dates of birth.


In response to this incident, LoanDepot has taken significant measures to secure its systems and mitigate any potential impact on affected individuals. Although there is currently no evidence to suggest that the accessed information has been used maliciously, LoanDepot is offering 24 months of complimentary identity protection and credit monitoring services through Experian. This service is designed to assist in detecting and resolving identity theft and fraud. Affected individuals are encouraged to follow the provided instructions to enroll in these protection services to safeguard their personal information.


  6. UNITE HERE: A Union Under Siege


UNITE HERE, representing a substantial workforce across the U.S. and Canada, has formally reported a data breach to the Maine Attorney General on February 23, 2024, following the detection of unauthorized access to its IT network. The breach was discovered on October 20, 2023, when it was found that an unauthorized entity had gained access to their systems, impacting about 791,273 individuals. The potentially compromised information includes a wide array of personal data such as names, Social Security numbers, driver’s licenses, state ID numbers, alien registration numbers, tribal identification numbers, passport numbers, birth certificates, dates of birth, marriage licenses, signatures, financial account information, and medical data. 


Although there is no current evidence to suggest that this breach has led to identity theft or fraud, UNITE HERE is proactively informing affected individuals and has implemented several security measures. These measures include resetting system passwords, enhancing security protocols, and cooperating with law enforcement to prevent future incidents.


  7. Xerox Corporation: Copying Catastrophe


On February 20, 2024, Xerox issued an alert regarding a security breach within its subsidiary, Xerox Business Services (XBS), emphasizing that safeguarding the data privacy and protection of its clients, partners, and employees remains a paramount concern. In early December 2023, an unauthorized entity managed to infiltrate a segment of the XBS network. Despite the swift detection and containment efforts by Xerox personnel, the investigation revealed that on December 10, 2023, the intruder succeeded in extracting a limited set of data from XBS’s systems.


The compromised information primarily includes names, contact details, and Social Security numbers of those affected. Xerox is actively conducting a comprehensive investigation into the breach and has already involved law enforcement agencies. Despite the ongoing legal probe, Xerox has chosen to promptly inform all impacted parties, underscoring its commitment to transparency and the importance of immediate action to address the security incident.


  8. PJ&A: Confidentiality on the Line


Perry Johnson & Associates, Inc. (PJ&A), a provider of medical transcription services for healthcare organizations including Concentra Health Services, Inc. (Concentra), reported on February 8 a security incident affecting certain patient information. This incident, which did not affect Concentra’s systems directly, resulted from unauthorized access to PJ&A’s systems between March 27, 2023, and May 2, 2023. Notably, on April 7 and April 19, 2023, an unauthorized actor accessed a system containing Concentra patients’ information.


Upon detecting suspicious activity, PJ&A promptly initiated an investigation with cybersecurity experts to assess the incident’s scope and impact. The investigation identified that personal information, such as names and addresses, of almost 13 million Concentra patients was potentially compromised. Following the investigation, PJ&A informed Concentra, which then undertook efforts to verify affected patients and expedite notification.


To mitigate potential risks and support affected individuals, PJ&A is offering credit monitoring services through IDX for a specified period at no cost. Individuals are advised to remain vigilant by monitoring their account statements and credit reports for any suspicious activity and to consider enrolling in the provided credit monitoring service. Detailed instructions for enrollment and additional protective measures are included in PJ&A’s communication to the impacted parties.


  9. Verizon: An Inside Job


Verizon, one of the largest telecommunications service providers in the US, has issued a notification concerning unauthorized access to certain personal information of its employees by one of its own employees, in breach of company policies. This incident, identified around September 21, 2023, but reported in February to the Maine Attorney General, involved the unauthorized acquisition of a file containing employee data such as names, addresses, Social Security numbers or other national identifiers, gender, union affiliations, dates of birth, and compensation details. Currently, there is no indication that this information has been misused or disseminated outside of Verizon.


In response to this incident, Verizon undertook an immediate review to ascertain the nature of the compromised information and has taken steps to enhance its technical controls to prevent similar incidents in the future. The company has also informed relevant regulatory bodies about the breach.




From the major upset at Change Healthcare to the breach in Verizon’s backyard, it’s pretty obvious we’re standing at a major fork in the road. These incidents aren’t just cautionary tales; they’re wake-up calls, highlighting just how crafty and relentless cyber threats have become, and just how tough our defenses need to be. Each month, we compile a summary of the most significant breaches from the preceding period. Be sure to explore our latest round-up! At Findings, we streamline the process of cybersecurity compliance assessments, ensuring your systems adhere to pertinent regulations while safeguarding your infrastructure.



