Legal Requirement for Social Media Platforms to Inform Users When Accounts Have Been Compromised
Ministry of Digital Development and Information
Summary
This question concerns Miss Cheryl Chan Wei Ling's inquiry regarding potential legal requirements for social media platforms to notify users of account breaches, provide corporate reporting channels, and maintain response offices. Minister S Iswaran replied that security is a collective responsibility, noting that the Personal Data Protection Act mandates platforms to notify individuals of significant breaches and appoint Data Protection Officers. He observed that while major platforms already provide reporting mechanisms, users should also practice good cyber hygiene and can report hacking to the Police. The Government will continue reviewing laws and working with stakeholders to protect citizens in the digital space.
Transcript
47 Miss Cheryl Chan Wei Ling asked the Minister for Communications and Information whether the Ministry will consider (i) legally requiring social media platforms to inform their users that their account has been hacked or that an attempt has been made (ii) providing a channel for companies to report such acts and (iii) legally requiring social media platforms to maintain an office to respond to reports filed by the victims.
Mr S Iswaran: Mitigating cybersecurity and data security risks on social media platforms is the collective responsibility of the Government, social media companies and individual users.
Users, including companies, may file a report to the Police if their social media accounts have been hacked. Depending on the facts and circumstances of the case, the Police may commence investigation if an offence is disclosed under the Computer Misuse Act or other relevant laws.
For significant data breaches, the Government has introduced further safeguards under the recently amended Personal Data Protection Act (PDPA). If the exfiltration of personal data arising from the hacking of social media accounts results in significant harm to the users, the organisation responsible for this platform must notify both the Personal Data Protection Commission and affected individuals. In addition, the PDPA requires all organisations, including social media companies, to appoint a Data Protection Officer whose role includes responding to public enquiries and complaints.
The major social media platforms also provide a channel for users to report to them suspected hacking incidents. Actions that could be taken by the platforms include removing suspicious messages from hacked accounts and assisting affected users in recovering their accounts. In addition, these platforms have mechanisms to notify users of unusual attempts to log into their accounts. All social media platforms should consider putting in place such measures, if they have not already done so.
Users of social media platforms should also take steps to protect themselves. They should immediately change their password and notify their contacts, if they realise or suspect that their accounts have been hacked. This way, their contacts could take the necessary precautions, such as not clicking on messages or posts which may contain malware or phishing links. To keep their online accounts secure, users are strongly encouraged to practise good cyber hygiene at all times. For example, they should set strong passwords, use a unique password for each account, and activate two-factor authentication.
The Government is committed to working with all stakeholders to protect our citizens in the digital space, and will continue to review our laws and other measures to do so.