Singapore: The PDPA has "teeth" - First Fines for Data Protection Breaches Imposed in Singapore

The Personal Data Protection Commission (PDPC) announced on 21 April 2016 that it had taken action against 11 organizations for breaching their obligations under the Personal Data Protection Act (PDPA). The penalties imposed ranged from warnings to fines, with the highest fine - $50,000 - imposed on K Box Entertainment Group Pte Ltd.

This development is significant as:

(a) these are the first fines and decisions imposed by the PDPC since the personal data protection regime came into force on 2 July 2014;.

(b) although the PDPA was initially put forward by the Government to be a relatively a "light touch" and "baseline" legislation when first proposed, the recently announced decisions make clear that the PDPC will not confine itself to outreach and education to promote good data protection practices, but will also be prepared of investigate breaches and enforce the PDPA and to impose financial penalties (the maximum for which is S$1 million). The PDPA therefore should be treated as having some "teeth";

(c) while about half of the decisions involved relatively minor breaches such as an employee accidentally and incorrectly sending out an email containing a spreadsheet of members' data,the remainder, however, involved more serious security breaches and in particular the decisions of the PDPC provide some useful indications on the approach of the PDPC to the requirement under section 24 of the PDPA to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. In particular, the robustness or otherwise of an organizational IT systems and processes was clearly a significant factor that influenced the PDPC's decisions in a number of the cases investigated; and

(d) they illustrate that organizations which fail to put in place satisfactory data protection policies or fail to appoint a data protection officer, are likely to face fines for non-compliance with the PDPA in an investigation situation.

Some of the key takeaways from the PDPC's decisions on the application of section 24 are as follows:

• It is not sufficient to outsource data protection to a third party provider; the security provided by the third party provider should be reviewed to ensure that it is sufficient. In each of the cases involving hacking, the organizations' IT system was managed by a third party provider but the organizations failed to ensure, through their agreements and interactions with their service provider, that the service providers complied with a standard of protection at least comparable to industry standards. At a minimum therefore organizations should review their IT service agreements to ensure that data intermediaries agree to meet the requirements of section 24 of the PDPA.
• Organizations should ensure that software is kept up-to-date e.g. by installing released security patches. They should also conduct periodic audits and penetration testing of the security of their databases and IT systems.
• Known weaknesses in a site's security should be dealt with. In some of the cases, the PDPC noted that well-known security vulnerabilities in the site's software were not dealt with, leaving the site open to attack.
• Organizations should not only have a password policy requiring employees to use strong passwords, but should take steps to actually enforce it. For example, although K Box had a password policy, employees could set passwords that were in breach (such that one employee even used a single letter as a password).
• Accounts of former employees should be removed or disabled as soon as possible. In one instance, an employee with administrative access to the system not only used the weak password "admin", but her account remained open for up to a year even after she left.
• IT service providers should be aware that they may be found to be the organiztion's data intermediary pursuant to the PDPA even if the service agreement does not specifically appoint them as such. This was the case with K Box's service provider, Finantech Holdings Pte Ltd, and its breaches resulted in a fine of $10,000 being imposed on it.

The PDPC also issued Advisory Guidelines on Enforcement of the Data Protection Provisions (Guidelines) on 21 April 2016. As noted in the Guidelines, one of the factors that the PDPC takes into account in determining the quantum of the fine to be imposed will be the responsiveness and co-operation of the organization once an investigation has been launched. Organizations should be ready to work with the PDPC once investigations have started.

If you have any questions about this blog post please contact bastian.renner@allenovery.com.