1.0 Scope of this procedure

This document explains how Captivate Sdn. Bhd. will handle the unfortunate event of a data breach, and how we will aim to mitigate the loss and damage caused to the data subjects concerned, particularly when sensitive personal data is involved.

2.0 What is a Data Breach?

A data breach is generally taken to be a suspected breach of the security of personal data which may lead to unauthorised or unlawful processing, accidental loss, destruction of, or damage to personal data.

3.0 How does a data security breach happen?

A data security breach can happen for a number of reasons:

  • Loss or theft of data, or of equipment on which data is stored
  • Inappropriate access controls allowing unauthorised use
  • Equipment failure
  • Human error
  • Unforeseen circumstances such as a fire or flood
  • Hacking attack
  • ‘Phishing’ offences, where information is obtained by deceiving the organisation that holds it

4.0 Process of handling a data breach

Should a data breach occur, Captivate Sdn. Bhd. will take all remedial actions to lessen the harm or damage. The action plan set out in the subsections below will be followed.

4.1. Immediate gathering of essential information relating to the breach

Captivate Sdn. Bhd. will promptly appoint dedicated personnel to take charge of the investigation and process. The dedicated personnel shall promptly gather the following essential information:

  • When did the breach occur?
  • Where did the breach take place?
  • How was the breach detected, and by whom?
  • What was the cause of the breach?
  • What kind of personal data was involved, and to what extent?
  • How many data subjects were affected?
  • Who needs to be made aware of the breach?
  • Are there any methods to recover any losses and limit the damage the breach may cause?

The dedicated personnel may designate an appropriate individual or team (‘the coordinator’) to assume overall responsibility for handling the data breach incident: leading the initial investigation, informing relevant parties about the breach and what they are expected to do to assist in the containment exercise, and subsequently producing a detailed report on the findings of the investigation.

The coordinator may need to report to and coordinate with different functional divisions, departments and units, and escalate the matter to senior management so that remedial actions and executive decisions can be taken as soon as possible.

4.2. Assessing the risk of harm

Some data security breaches will not lead to risks beyond possible inconvenience; an example is a laptop that is irreparably damaged but whose files were backed up and can be recovered. While such incidents can still have significant consequences, the risks are very different from those posed by, for example, theft or identity fraud.

Each data breach will be assessed against the following risk factors:

  • The kind of personal data that has been leaked
  • The amount of personal data involved and its level of sensitivity
  • The circumstances of the data breach, e.g. whether the data is exposed online or is traceable
  • The likelihood of identity theft or fraud
  • Whether the leaked data is adequately encrypted, anonymised or otherwise rendered inaccessible, e.g. if passwords are needed for access
  • Whether the data breach is ongoing and whether there will be further exposure of the leaked data
  • Whether the breach is an isolated incident or a systemic problem
  • In the case of physical loss, whether the personal data has been retrieved before it could be accessed or copied
  • Whether effective mitigation or remedial measures have been taken after the breach occurred
  • The ability of the data subjects to avoid or mitigate possible harm
  • The data subjects’ reasonable expectation of personal data privacy

4.3. Contacting the interested parties, containment and recovery

Once the risk has been assessed, the dedicated personnel in charge will take action to stop the breach; where necessary this may involve law enforcement agencies such as the police.

The following containment measures will be followed:

  1. Stopping the system if the data breach is caused by a system failure
  2. Changing users’ passwords and system configurations to restrict access and use
  3. Considering whether internal or external technical assistance is needed to remedy the system loopholes and/or stop the hacking
  4. Ceasing or changing the access rights of individuals suspected of having committed or contributed to the data breach
  5. Notifying the relevant law enforcement agencies if identity theft or other criminal activities have been or are likely to be committed
  6. Preserving the evidence of the data breach, which may be useful in facilitating the investigation and the taking of corrective actions

4.4. Notification of breaches

Captivate Sdn. Bhd. appreciates the distress such incidents can cause. We endeavour to keep the data subject informed of the investigation and remedial actions. In the case of a personal data breach, we aim to notify the data subject without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

4.5. Mitigation of possible future breaches

It is important not only to investigate the causes of the breach but also to evaluate the procedures adopted to mitigate possible future incidents. Captivate Sdn. Bhd. will attempt to learn from the experience, review how collected data is being handled in order to identify the root of the problem, allow constant review to take place, and devise a clear strategy to prevent recurrence.

The review will take into consideration:

  • Ongoing improvement of security in the personal data handling processes
  • The control of the access rights granted to individuals to use personal data, and whether the “need-to-know” and “need-to-access” principles are being applied
  • The adequacy of the IT security measures protecting personal data from hacking and from unauthorised or accidental access, processing, erasure, loss or use
  • Ongoing revision of the relevant privacy policy and practice in the light of the data breach
  • The effective detection of data breaches, including the keeping of logs and access trails so that early warning signs can be identified
  • The strengthening of the monitoring and supervision mechanisms for data users, controllers and processors
  • Review of the ongoing training to promote privacy awareness and to enhance the prudence, competence and integrity of employees, particularly those who act as controllers and processors
  • Review of this policy and the procedures listed in it