Only one PDPC enforcement action was published for December 2016. Details are as follows:


1.  The Cellar Door Pte Ltd (“TCD”) and Global Interactive Works Pte Ltd (“GIW”) – TCD FINED $5,000 AND GIW FINED $3,000

On or around September 2014, the Personal Data Protection Commission (“PDPC”) found unauthorised postings on the website ‘Pastebin’ comprising personal data of customers and users of TCD. The personal data comprised the full names, mobile and residential phone numbers, residential and email addresses, and passwords of TCD’s customers, all of it publicly available online.

The Commission undertook an investigation and found the following:

  1. TCD is in the business of selling food and wine products and operates a business website.
  2. GIW was engaged to design and develop TCD’s website. Both the website and TCD’s customer database were hosted on GIW’s server, and GIW also backed up the website and the customer database.
  3. The personal data disclosed on Pastebin was a subset of TCD’s entire customer database.
  4. TCD was not aware of the unauthorised disclosure until the PDPC informed it.
  5. GIW stated that its engineers were unable to determine how TCD’s customers’ personal data came to be disclosed on Pastebin. GIW had developed the website for TCD in 2011; no maintenance contract had been signed.

The PDPC’s view was that TCD bore the primary responsibility for the overall protection of its personal data, and that it was TCD that had to implement the security measures required to protect it. Engaging GIW as a data intermediary did not absolve TCD of its obligation under Section 24 of the PDPA.

The PDPC determined that GIW was a data intermediary of TCD, so Section 24 of the PDPA also applied to GIW: it was subject to the protection obligation in respect of the personal data of TCD’s customers. As GIW hosted the personal data on its servers and was the site administrator for both TCD’s website and TCD’s customer database, GIW had direct responsibility for protecting that data. The extent of GIW’s obligations was scoped by the contract it had in place with TCD. The PDPC held that GIW had breached Section 24 of the PDPA because it did not put adequate security measures in place.

Interestingly, the PDPC held that the same set of personal data can be in the possession of one organisation while under the control of another. Hence, even though TCD was not in direct possession of the personal data hosted on GIW’s servers, it remained obliged to protect that data by virtue of Section 4(2) of the PDPA and of the control it exercised over the data.

The PDPC further found that adequate security measures had not been adopted. In the PDPC’s view, an adequate security policy should be based on the organisation’s own assessment of the risks, vulnerabilities and threats facing its IT system and its determination of what the system needs in order to address them. The organisation’s processes can then be built on that security policy, providing oversight, proper accountability for the personal data, and control over the measures and processes that protect it. This in turn enables the organisation to detect a data breach when it occurs and to determine the corrective measures to be taken.

The PDPC’s view was that TCD, not GIW, had the primary responsibility for putting adequate security policies and processes in place. The PDPC found that TCD had not carried out, and had no plan to carry out, penetration testing; that TCD had no ongoing maintenance process for the website; and that TCD had no incident management policy tracking technical issues from identification through to resolution. As TCD had control of and overall responsibility for its website and failed to implement adequate policies or processes to protect the personal data under its control, the PDPC ruled that TCD had also breached Section 24 of the PDPA.

The PDPC found that TCD and GIW did not have all-round security in place: no server firewall was installed, unused ports were not closed, login credentials were transmitted in clear, unencrypted text, and the overall administration password was weak, being only six characters long.
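As an added example (not code from the PDPC decision or from TCD’s or GIW’s systems), the following Python script turns the four findings above into checks a practitioner can run against a web host: it parses `ss -Hltn`-style listener output and reports ports exposed beyond an allowlist, finds login forms whose password field would be submitted over plain HTTP, and tests an administrative password against a minimum-length and character-class policy. The `ss` output, the login page and the passwords are constructed samples; the 12-character minimum, the three-of-four class rule and the allowlist of ports 22, 80 and 443 are assumed thresholds, not ones the decision states.

```python
"""Added example: a minimal baseline audit mapped to the PDPC's findings
(exposed ports / no firewall, cleartext credential transport, weak admin
password). All inputs below are constructed samples, not real systems."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample in the shape of `ss -Hltn` (listening TCP sockets, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
LISTEN 0 511   0.0.0.0:80     0.0.0.0:*
LISTEN 0 511   0.0.0.0:443    0.0.0.0:*
LISTEN 0 80    0.0.0.0:3306   0.0.0.0:*
LISTEN 0 128   127.0.0.1:6379 0.0.0.0:*
LISTEN 0 64    0.0.0.0:21     0.0.0.0:*
"""

# Assumed allowlist for a public web host: SSH, HTTP, HTTPS only.
ALLOWED_PORTS = {22, 80, 443}

# Constructed admin login page; the login form posts relative to the page URL.
SAMPLE_LOGIN_PAGE = """\
<html><body>
<form action="/admin/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="https://shop.example/search"><input name="q"></form>
</body></html>
"""


def parse_listening_ports(ss_output):
    """Return [(bind_address, port), ...] from ss-style listener lines."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def exposed_ports(listeners, allowed=ALLOWED_PORTS):
    """Ports reachable from the network (not loopback-bound) and not allowlisted.
    With no host firewall, each of these is the surface the PDPC meant by
    'unused ports were not closed' (here: FTP on 21 and MySQL on 3306)."""
    return sorted(
        port for addr, port in listeners
        if not addr.startswith("127.") and addr not in ("[::1]", "::1")
        and port not in allowed
    )


class _LoginFormFinder(HTMLParser):
    """Collect [action, has_password_field] for each <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_credential_forms(page_url, html):
    """Absolute action URLs of password forms that would submit over non-HTTPS.
    A relative action inherits the page's own scheme, so an http:// login page
    sends the password in clear even if the site also serves https."""
    finder = _LoginFormFinder()
    finder.feed(html)
    return [
        urljoin(page_url, action)
        for action, has_password in finder.forms
        if has_password and urlparse(urljoin(page_url, action)).scheme != "https"
    ]


def password_policy_violations(password, min_length=12, min_classes=3):
    """Assumed policy: at least 12 characters and 3 of 4 character classes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} < {min_length}")
    classes = sum(
        bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    )
    if classes < min_classes:
        problems.append(f"only {classes} of 4 character classes")
    return problems


if __name__ == "__main__":
    print("exposed ports:", exposed_ports(parse_listening_ports(SAMPLE_SS_OUTPUT)))
    print("cleartext login forms:",
          plaintext_credential_forms("http://shop.example/admin", SAMPLE_LOGIN_PAGE))
    print("weak admin password:", password_policy_violations("abc123"))
```

On a real host the listener data would come from `ss -Hltn` and the login page from a fetch of the admin URL; the point of the loopback filter is that a database bound only to 127.0.0.1 is not part of the exposed surface, whereas the same service on 0.0.0.0 without a firewall is.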

In issuing directions and fining TCD ($5,000) and GIW ($3,000), the PDPC noted both parties’ lack of awareness and lack of cooperation as aggravating factors. Although the leaked data set was only a subset, the PDPC’s view was that the breaches by TCD and GIW had put TCD’s entire customer database at risk. In addition, because the primary responsibility and obligation to protect TCD’s customers’ personal data remained with TCD as the data controller, TCD was fined the higher sum.

Takeaways

  1. The PDPC distinguishes between data controllers of personal data and parties that merely have possession of it.
  2. Data controllers were ruled to have primary responsibility; it appears that a data controller can never entirely transfer its risk to a vendor or data intermediary.
  3. This is the first reported case in which the PDPC did not state that it investigated in response to a complaint.
  4. The decision gives further guidance on what counts as adequate security measures.

Contact P2D Solutions now if you have a PDPA related query about your organisation!
