MCI response to PQ on social media platforms legally required to inform users on hacked accounts

Parliament Sitting on 1 February 2021

QUESTION FOR WRITTEN ANSWER

**
47. Miss Cheryl Chan Wei Ling:** To ask the Minister for Communications and Information whether the Ministry will consider (i) legally requiring social media platforms to inform its users that their account has been hacked or that an attempt has been made (ii) providing a channel for companies to report such acts and (iii) legally requiring social media platforms to maintain an office to respond to reports filed by the victims.

Answer:

1. Mitigating cybersecurity and data security risks on social media platforms is the collective responsibility of the Government, social media companies and individual users. 

2. Users, including companies, may file a report to the Police if their social media accounts have been hacked. Depending on the facts and circumstances of the case, the Police may commence investigation if an offence is disclosed under the Computer Misuse Act or other relevant laws. 

3. For significant data breaches, the Government has introduced further safeguards under the recently amended Personal Data Protection Act (PDPA). If the exfiltration of personal data arising from the hacking of social media accounts results in significant harm to the users, the organisation responsible for this platform must notify both the Personal Data Protection Commission and affected individuals. In addition, the PDPA requires all organisations, including social media companies, to appoint a Data Protection Officer whose role includes responding to public enquires and complaints.

4. The major social media platforms also provide a channel for users to report to them suspected hacking incidents. Actions that could be taken by the platforms include removing suspicious messages from hacked accounts and assisting affected users in recovering their accounts. In addition, these platforms have mechanisms to notify users of unusual attempts to log into their accounts. All social media platforms should consider putting in place such measures, if they have not already done so.

5. Users of social media platforms should also take steps to protect themselves. They should immediately change their password and notify their contacts, if they realise or suspect that their accounts have been hacked. This way, their contacts could take the necessary precautions, such as not clicking on messages or posts which may contain malware or phishing links. To keep their online accounts secure, users are strongly encouraged to practise good cyber hygiene at all times. For example, they should set strong passwords, use a unique password for each account, and activate two-factor authentication.

6. The Government is committed to working with all stakeholders to protect our citizens in the digital space, and will continue to review our laws and other measures to do so.