Speaking at the Data Privacy Asia conference in Singapore, Mikko Hypponen, chief research officer at Finnish security software maker F-Secure, said that it is simply "pragmatism" to require organisations to notify both customers and privacy commissions when personal data is put at risk, the Straits Times reported.
"If your credit-card number had been stolen, you would want to know... to look out for (unauthorised) transactions. Similarly, if your password had been stolen, you would want to change it. The United States and Canada are doing the right thing and should be followed by the rest of the world," Hypponen said, according to the newspaper.
Other speakers supported Hypponen's argument, the Straits Times said.
Singapore's Data Protection Act came into force last year. It does not require companies to report breaches.
A guide to managing data breaches was also issued in May by Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC). When a data breach occurs, "in general, it is a good practice to notify individuals affected. Not only will this encourage individuals to take preventive measures to reduce the impact of the data breach, it will also help an organisation rebuild consumer trust," the guide says.
"Organisation could also be bound by legal or contractual obligations to notify affected individuals," it says, but does not give instances where this would apply.
The guide advises organisations to notify PDPC of data breaches that might cause public concern or where there is "a risk of harm to a group of affected individuals".
Leong Keng Thai, chairman of PDPC, told the conference that the Act is "still in the early phases of implementation and organisations require more guidance in achieving compliance".
The PDPC published updated regulations governing the appeals process for data protection in February.