DATA BREACH MANAGEMENT
Making ‘Reasonable Security Arrangements’ – How Organisations Successfully Complied

This article aims to offer some valuable insights, drawing from the various decisions by the Personal Data Protection Commission (the “Commission”) concerning organisations which have succeeded in demonstrating that they had made “reasonable security arrangements”.
Introduction
The Personal Data Protection Act (“PDPA”) lays out stringent obligations that organisations must comply with when protecting personal data. Under section 24 of the PDPA, organisations are required to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access to such information (“Protection Obligation”).1 The vast majority of breaches in Singapore involved organisations breaching their Protection Obligation.2
This article draws key lessons from decided cases in which “reasonable security arrangements” were found to have been made, thereby absolving the organisations concerned from liability.
AIG & Toppan Pte. Ltd. (“AIG & Toppan”)3
In this case, two organisations were under scrutiny, namely AIG and Toppan. AIG was found to have complied with the section 24 Protection Obligation.4 This is because the incident resulted from a fault in Toppan’s processes, separate from AIG. Hence, the Commissioner was of the view that AIG could not have been expected to implement further security arrangements.5 Although AIG could have audited Toppan’s processes, given Toppan’s credibility and expertise, and the fact that the process concerned was a minor part of the overall process, it would have been unreasonable to expect AIG to do so.6
Carousell Pte. Ltd. (“Carousell”)7
The Carousell case was one where the organisation was found not to have breached its Protection Obligation.8 Another service provider’s platform was compromised, which ultimately resulted in some Carousell users being affected because they used the same log-in details on both platforms. Carousell had several security measures in place, including One Time Passwords for card payments, notifying users whenever their log-in details were changed, and regularly reviewing and testing its security programme against fraud trends.9 Additionally, immediate action was taken to mitigate the effects of the attack, such as blocking suspicious IP addresses, suspending compromised user accounts, and forcing password resets for affected users.10 Therefore, it was held that the organisation had adopted reasonable standards for protecting the personal data in its customer accounts.
Giordano Originals (S) Pte Ltd (“Giordano”)11
In the case of Giordano, a ransomware infection compromised the personal data of over 790,000 members and 184 employees. However, since the organisation had in place reasonable security measures consistent with the PDPC handbook “How to Guard Against Common Types of Data Breaches”, this was held to be one of the favourable factors in determining that it did not breach the Protection Obligation.12
Such security measures included installing various endpoint security solutions alongside real-time system monitoring for abnormalities. Additionally, the organisation carried out regular periodic system maintenance and regular backing-up of data. The encryption of personal data using a current industry-standard algorithm meant that the personal data affected by the ransomware was not legible without decryption. The Commission added that, in the event of a breach of the Protection Obligation, it will take the use of industry-standard encryption into account as a strong mitigating factor.13
The Commission also took into account the steps taken after the incident and found that the organisation had taken sufficient remedial actions to mitigate the consequences.14 Examples include increasing the frequency of staff phishing simulation training, security reviews, and additional monitoring measures. Additionally, Giordano was able to successfully restore the personal data from its back-ups.
Singapore Telecommunication Limited (“Singtel”)15
In Singtel, the Commission held that the organisation had met its Protection Obligation for the following reasons.16
Similar to the Sembcorp case, the data breach occurred due to the exploitation of zero-day vulnerabilities in a File Transfer Appliance provided by a third party.17 The personal data of 163,370 individuals was compromised. Since the third-party developer was the only party with access to the proprietary source code of the system, the zero-day vulnerabilities could not have been discovered by Singtel. Thus, the responsibility lay with the developer.
Upon discovering the incident, the organisation attempted to mitigate the impact of the incident by shutting down the File Transfer Appliance and conducting a thorough review of its processes and file sharing protocols.18 It also offered identity monitoring services to affected individuals and enhanced its existing security measures.
“Accellion was the only party that had access to the proprietary source code to the FTA system. Accordingly, the discovery and rectification of the zero-day vulnerabilities within the FTA system fell within the sole responsibility and control of the developer. We are of the view that the Organisation could not have detected or prevented the incident as it had no control or visibility of the zero-day vulnerability of the FTA.”
– Singapore Telecommunication Limited (Case No. DP-2102-B7878)
QCP Capital Pte Ltd (“QCP”)19
The QCP case concerned a personal data breach that occurred through unauthorised access to employee accounts and customer personal data. The personal data of over 675 individuals was affected. The Commission held that there was no breach of the Protection Obligation, as reasonable security arrangements such as an internal monitoring system were in place.20 This allowed the organisation to detect and escalate the anomalous transaction, and to flag and suspend the trading account concerned.
Following the incident, prompt and extensive remedial action was also taken to mitigate the consequences and to enhance the overall robustness of the security measures.21
Sembcorp Marine Ltd (“Sembcorp”)22
The Sembcorp ransomware case involved the personal data of over 25,925 individuals being compromised in a zero-day vulnerability attack. A zero-day vulnerability attack occurs when attackers exploit a security hole that is unknown to the software developers, or that is known but has yet to be patched by the software developers.23
The Commissioner considered the fact that the organisation took prompt action to identify its network vulnerabilities once it became aware of the attack.24 The organisation also had good practices in place, such as a cybersecurity testing programme, regular vulnerability assessment and penetration testing, and cybersecurity monitoring.25 Therefore, it was held that it did not breach its Protection Obligation.26
The Law Society of Singapore (“Law Society”)27
Attackers gained access to the Law Society’s IT administrator account and created an account with full administrative privileges, resulting in 16,009 members’ personal data being compromised. However, the Law Society had outsourced its system security to a vendor that regularly checked its Operating System updates. The Commissioner held that the Law Society did not breach its Protection Obligation in respect of the failure to patch the vulnerability in the VPN system.28
On the other hand, it is notable that the Law Society breached its Protection Obligation in other respects, namely the weak password requirements that ultimately led to the admin account being compromised.29 It also failed to enforce its security policies and to conduct reviews of its security arrangements.
“[O]rganisations should conduct code reviews and pre-launch testing before new IT features or changes to IT systems are deployed. These processes allow organisations to pick up and rectify errors and/or flaws in the new IT features and/or systems prior to deployment. There have been a number of cases where errors in the application code resulted in the unintended disclosure of personal data or unintended access to personal data.”
– Management Corporation Strata Title Plan No. 3400 [2020] SGPDPC 10
Conclusion
The table below provides general guidance on the types of security and other measures that can be taken based on lessons learned from the above cases. Needless to say, the list is not intended to be exhaustive and in the event of a serious breach, the engagement of external legal counsel as well as an external forensic IT specialist should be considered.


References
[1] Section 24 of Personal Data Protection Act 2012 (2020 Revised Edition).
[2] Yeong Zee Kin, “Personal Data Protection Digest” (2021) at p 33.
[3] AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd [2019] SGPDPC 2.
[4] AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd [2019] SGPDPC 2 at [35].
[5] AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd [2019] SGPDPC 2 at [37].
[6] AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd [2019] SGPDPC 2 at [38].
[7] Carousell Pte. Ltd. (Case No. DP-2105-B8350).
[8] Carousell Pte. Ltd. (Case No. DP-2105-B8350) at [7].
[9] Carousell Pte. Ltd. (Case No. DP-2105-B8350) at [4].
[10] Carousell Pte. Ltd. (Case No. DP-2105-B8350) at [6].
[11] Giordano Originals (S) Pte Ltd (Case No. DP-2011-B7387).
[12] Giordano Originals (S) Pte Ltd (Case No. DP-2011-B7387) at [10].
[13] Giordano Originals (S) Pte Ltd (Case No. DP-2011-B7387) at [8].
[14] Giordano Originals (S) Pte Ltd (Case No. DP-2011-B7387) at [9].
[15] Singapore Telecommunication Limited (Case No. DP-2102-B7878).
[16] Singapore Telecommunication Limited (Case No. DP-2102-B7878) at [7].
[17] Singapore Telecommunication Limited (Case No. DP-2102-B7878) at [7].
[18] Singapore Telecommunication Limited (Case No. DP-2102-B7878) at [6].
[19] QCP Capital Pte Ltd [2022] SGPDPCS 16.
[20] QCP Capital Pte Ltd [2022] SGPDPCS 16 at [6].
[21] QCP Capital Pte Ltd [2022] SGPDPCS 16 at [5].
[22] Sembcorp Marine Ltd [2023] SGPDPCS 2.
[23] Cyber Security Agency of Singapore, “Be Jolly, But Watch Out for Zero and N-day Follies!” (14 December 2023).
[24] Sembcorp Marine Ltd [2023] SGPDPCS 2 at [5].
[25] Sembcorp Marine Ltd [2023] SGPDPCS 2 at [6].
[26] Sembcorp Marine Ltd [2023] SGPDPCS 2 at [7].
[27] The Law Society of Singapore (Case No. DP-2102-B7850).
[28] The Law Society of Singapore (Case No. DP-2102-B7850) at [21].
[29] The Law Society of Singapore (Case No. DP-2102-B7850) at [25].
At Infinity Legal LLC, we have assisted and provided legal representation to organisations and individuals in all matters relating to personal data protection, legal compliance and data breach management.
© Infinity Legal LLC 2024
The content of this article is for general information purposes only, and does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances. Infinity Legal LLC does not accept any responsibility for any loss which may arise from reliance on information or materials published in this article. Copyright in this publication is owned by Infinity Legal LLC. This publication may not be reproduced or transmitted in any form or by any means, in whole or in part, without prior written approval.
Infinity Legal LLC thanks and acknowledges Interns Valencia Wan and Carine Teo for their contribution to this article.
[Last Updated: 15 May 2024, 5:58 pm]