_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,171,171,1,952,"A financial penalty of $30,000 was imposed on Funding Societies for failing to make reasonable security arrangements to prevent the unauthorised disclosure of the personal data of its members.","[""Protection"", ""Financial Penalty"", ""Finance and Insurance"", ""financing platform""]",2018-12-13,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Funding-Societies-Pte-Ltd---131218.pdf,Protection,Breach of Protection Obligation by Funding Societies,https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-funding-societies,2018-12-13,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 29 Case No DP-1708-B1035 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Funding Societies Pte. Ltd. … Organisation DECISION Funding Societies Pte. Ltd. [2018] SGPDPC 29 Tan Kiat How, Commissioner — Case No DP-1708-B1035 13 December 2018 BACKGROUND 1 On 14 August 2017, the Personal Data Protection Commission (the “Commission”) received an email notification from the Organisation. The Organisation is the operator of an online financing platform that connects borrowers and investors (the “Website”). Individuals who used the Website would have to register for an account, either as an “Investor” or a “Borrower” (collectively, “Members”). Each Member was given a unique identifier, which was generated sequentially (the “MemberID”). 2 In its email notification, the Organisation informed the Commission that one of its Members, [Redacted] (Replaced with “Mr J”), had emailed them on 25 July 2017 to inform that he had found a vulnerability with the Website. 
To illustrate this, Mr J showed the Organisation the personal details of two other Members that he had extracted from the Website (the “data breach”). The Organisation took immediate action to rectify the vulnerability and was able to do so by 26 July 2017.

3 After receipt of the email notification from the Organisation, the Commission proceeded to investigate an alleged breach of the Personal Data Protection Act 2012 (“PDPA”).

MATERIAL FACTS

The Website’s vulnerability

4 On 19 June 2017, the Organisation rolled out new system components for the Website. This update gave rise to a vulnerability in the Website’s security system, the details of which are summarised below.

5 When a Member successfully logged into the Website using his username and password, his browser received an authentication token from the Website’s server.[1] This token contained the user’s MemberID and granted the user access to the Website. Simultaneously, his browser also received an authorisation token, containing the same MemberID. The authorisation token controlled the functions and type of data that the particular user could access. Operating together, the two valid tokens (ie authentication and authorisation tokens, which shared the same MemberID) granted the logged-in user access to the Website’s functions and data from his own Member account.

6 However, the Organisation’s in-house Website developers did not programme the Website to require both tokens to contain the same MemberID. When a logged-in user carried out a browsing activity on the Website, the security system only verified that the user’s authentication token was valid, and thereafter granted data access based on the MemberID in the authorisation token, without ensuring that the MemberIDs in both tokens were identical.

[1] A token is part of the request command from the browser to the Website. Token based authentication works by ensuring that each request to a server is accompanied by a signed token which the server verifies for authenticity and only then responds to the request.

7 As a result, a Member who had successfully logged into the Website (under an authentication token which carried his MemberID) could browse another Member’s data by changing the MemberID in the authorisation token. The Organisation suspects that this is how Mr J had gained unauthorised access.

8 The investigations revealed that the Organisation became aware of this vulnerability on 7 July 2017, 18 days before the data breach occurred. The vulnerability was detected by a member of the Organisation’s engineering team. Upon discovery, the Organisation initially planned to roll out a quick-fix within a week, and thereafter to have a complete fix within a month.

9 According to the Organisation, a quick-fix was rolled out on 11 July 2017, but had to be retracted on the same day as it caused the Website’s mobile applications to crash. The Organisation then worked on finding a fix that would close the vulnerability without causing the Website’s mobile applications to crash.

10 On 20 July 2017, the Organisation rolled out a partial-fix for about 25% of their “endpoints”.[2] They did not roll out the entire fix as they wanted to “minimise the chances of inducing a negative effect” on their system. Although there was no evidence that this partial-fix had solved the vulnerability, the Organisation claimed that if Mr J had attempted access through one of the fixed endpoints, he would have been denied access to the data.

11 Before the Organisation could roll out a complete fix for the vulnerability, Mr J informed them of the data breach on 25 July 2017. The Organisation escalated the matter as top priority and rolled out the complete fix within 24 hours of Mr J’s report.

12 In total, the vulnerability lasted for about 37 days.

[2] The Organisation explained that the “endpoint” referred to a function defined on the gateway which had a HTTP URL. The Commission understands the “endpoint” in this case to refer to the server which controlled access to their data.

The affected Personal Data

13 Mr J had accessed and extracted the personal data of two Members. In particular, the personal data that had been extracted included the Members’ Customer ID, name, NRIC number, and residential address.

14 While there was no further evidence of unauthorised access, the investigations revealed that the personal data of all the Organisation’s existing Members were also at risk of disclosure. At the time of the data breach, the personal data collected and held by the Organisation numbered in the thousands. The personal data that was at risk of disclosure included a Member’s Customer ID, NRIC number, account username, first and last name, telephone number, marital status, spouse’s name, residential address, bank account details (for investors), subscription agreement (for investors), crowdfunding settings (for investors), suitability assessment settings (for investors), wallet account balance (for investors), and company details (for borrowers).

15 Notably, an unauthorised user would have been able to pretend to be another user by using the other user’s MemberID as the authorisation token to perform certain functions in respect of the other user’s account. In particular, this included: (a) Using the Investor’s account to contact prospective Borrowers; (b) Updating a Member’s personal details (subject to actual verification of the details); (c) Providing feedback to the Organisation on behalf of the Member; (d) Changing the Member’s email address which was used to subscribe to the Organisation’s newsletter; and (e) Altering the auto-investment settings of an Investor’s account.

16 With regard to paragraph 15(e), it was revealed that an unauthorised user would have been able to delete the Member’s auto-investment settings, or to alter the parameters for the Member’s auto-investment settings. Such an alteration of the auto-investment parameters may have caused the Member to make an investment which he had not initially intended or to fail to make an investment which he may have wanted.

17 There was no evidence that Mr J, or any other person, had performed any of the unauthorised functions in paragraph 15.

The Organisation’s Remedial Measures

18 Following the incident, the Organisation immediately requested Mr J to delete the data which he had accessed as a result of the vulnerability. Although the Organisation had requested written confirmation of this, they were only able to obtain verbal confirmation from Mr J that the data had been deleted.

19 The Organisation also took the following remedial actions to resolve the Website’s vulnerability: (a) Introducing a more robust logging system to log all unauthorised access to user account data; (b) Forming an internal quality assurance team (“QA team”); (c) Implementing documentation requirements which required the QA team to create and maintain details of test cases and test results; (d) Applying secure connection technologies or protocols, such as the Transport Layer Security (TLS) protocol, to all websites and web applications handling personal data; (e) Storing documents containing personal data on Amazon Web Service’s Simple Storage Service (S3), which allows the storage of data in private buckets that require credential keys which are provided only when requests are authenticated; and (f) Developing and implementing policies and procedures to manage future rollouts of new system components.

FINDINGS AND BASIS FOR DETERMINATION

20 The key issue to be determined is whether the Organisation had complied with its data protection obligations under section 24 of the PDPA.

21 Section 24 of the PDPA requires an organisation to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”).

22 As to the standard of reasonable security arrangements, the Commissioner has clarified in Re Aviva Ltd [2017] SGPDPC 14 that organisations must protect personal information by implementing security safeguards appropriate to the sensitivity of the information and that “more sensitive information should be safeguarded by a higher level of protection”.[3]

23 In the present case, the Organisation possessed a wide range of personal data of their Members, including financial information such as bank account details and wallet account balance. The Commissioner considers the financial information of an individual to be “sensitive personal data”.[4] It is also noteworthy that such sensitive personal data was readily accessible on the Website via a logged-in account.

[3] Aviva Ltd [2017] SGPDPC 14 at paragraph [19].
[4] Credit Counselling Singapore [2017] SGPDPC 18 at paragraph [15].

24 Having considered the material facts, the Commissioner found that the Organisation did not have reasonable security arrangements in place to prevent the unauthorised access, use and disclosure of personal data in its possession.

25 First, the Organisation did not have adequate security arrangements on their Website to ensure that Members could only access their own information and perform functions on their own accounts. The decoupling of authentication and authorisation into two separate tokens was a deliberate design decision on the Organisation’s part so as to “enable stateless API development”. However, the Website should have been equipped with a security measure to ensure that the two tokens carried the same MemberID before granting access to data.

26 In the Commissioner’s view, implementing such a security measure was a necessary step that the Organisation should have taken after decoupling the tokens. The lack of such security measures was a fundamental mistake on the Organisation’s part, and left a glaring vulnerability in the Website. Indeed, this vulnerability was so obvious that the Organisation’s own engineer had discovered it in the course of his routine work.

27 Second, the Organisation did not adequately test the security of their Website. The Organisation claimed that they had conducted testing prior to the rollout of the new Website components, but were unable to provide documentation of such testing. In any case, the Organisation explained that the tests focused on functionality and load testing of the Website, but not on the security and protection mechanisms. In this regard, it was clear to the Commissioner that the Organisation had failed to conduct the necessary security tests on its Website. Consequently, the Organisation failed to identify the vulnerability during its testing stage.

28 Third, the vulnerability in the Website could be exploited with relative ease. A Member who had some understanding of web technology would have been able to change the MemberID on the authorisation token, thereby granting him access to another Member’s profile. While making such a change was not as simple as manipulating the URL, the Commissioner noted that the tools necessary to make such changes were not sophisticated and were readily available online. Crucially, the fact that MemberIDs were generated in a sequential order made it even easier for Members to guess other Members’ MemberIDs.

29 Fourth, the Organisation failed to appreciate the degree of risk that the vulnerability posed to the personal data in their possession. This was evident in their treatment of the vulnerability after their engineer discovered the breach. They had resolved to fix the vulnerability on 7 July 2018 but did not actually prioritise this until the breach occurred on 25 July 2018. The Organisation’s explanation that it had only rolled out 25% of the partial-fixes to minimise the impact on their system revealed that they were uncertain about the effectiveness and compatibility of their partial-fix. It also reflected that they had not taken the vulnerability seriously, and that they were in no rush to fix the vulnerability so long as their business remained operational.

30 As such, the Commissioner finds that the Organisation had failed to make reasonable security arrangements to protect the personal data in its possession and within its control. The Organisation is, therefore, in breach of section 24 of the PDPA.

Representations by the Organisation

31 The Organisation made representations following the issuance of a preliminary Decision to the Organisation. The representations did not substantively address the Commissioner’s decision to find the Organisation in breach of its obligations under the PDPA but were in the nature of a request to consider mitigating circumstances. The Commissioner has considered the representations and has decided to maintain the directions in the preliminary Decision.

32 The representations made by the Organisation are summarised below: (a) The Organisation is a relatively young enterprise that has been in operation for less than 4 years and, while it takes “all reasonable efforts to ensure that any security issues and deficiencies are identified, handled and remedied on a proactive basis”, there are some issues or deficiencies that it dealt with reactively. In the present case, once the incident was known, the Organisation notified PDPC of its breach voluntarily and expended reasonable efforts to remediate the incident promptly; (b) The Organisation continued to assess the data breach incident after its remediation efforts to develop long term procedures to prevent similar occurrences in the future; (c) The Organisation had in place a framework of security arrangements, such as a risk management framework, an information security policy and training and audits of its policies and procedures; (d) Only the data of two individuals were actually disclosed in the incident and no actual loss or damage was suffered; the actual compromised data did not include any financial information. Furthermore, the Organisation received verbal confirmation from the individual who discovered the flaw in the system that he had deleted the personal data of the two individuals that he extracted.

33 The Commissioner did not consider being a young organisation to be a mitigating factor. Nor is the fact that the Organisation continuously assessed its compliance with the obligations set out in the PDPA, and that it had the necessary frameworks in place, mitigatory, as these were the standard of conduct expected for compliance. These are not activities or measures which go beyond the standard of protection required by the PDPA and as such are not mitigating factors.

34 With respect to point (d) above, this had already been taken into consideration when the Commissioner decided on the financial penalty.

ENFORCEMENT ACTION BY PERSONAL DATA PROTECTION COMMISSION

35 Given that the Commissioner has found the Organisation in breach of section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give the Organisation such directions as he deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding $1 million as the Commissioner thinks fit.

36 In assessing the breach and determining the directions to be imposed on the Organisation, the Commissioner took into account the following factors: Aggravating Factors (a) The personal data of more than 4,000 individuals were at risk of unauthorised access, use and disclosure; (b) The personal data which was at risk included financial information and was sensitive in nature; (c) An unauthorised user would have been able to alter a Member’s investment parameters, which could have led to actual financial losses; (d) The Organisation was unable to confirm that Mr J had only accessed and extracted the personal data of two Members;[5] (e) The Organisation did not make reasonable efforts to rectify the vulnerability despite being made aware of it early; Mitigating Factors (f) The Organisation voluntarily notified the PDPC of the breach; (g) The Organisation was generally co-operative and forthcoming in providing timely responses to the Commission during the investigation; and (h) The Organisation took prompt corrective action to resolve the vulnerability after being alerted to the data breach incident, as well as other remedial measures to improve its Website security.

[5] The Organisation stated that their “system logging did not capture information required to show when [Mr J] was accessing the other user’s account data”. It was possible that Mr J had accessed and extracted the account data of countless other Members.

37 Having carefully considered all the relevant factors of the case, the Commissioner has decided to impose a financial penalty of $30,000 on the Organisation. This financial penalty is to be paid within 30 days from the date of the directions, failing which interest shall be payable on the outstanding amount of such financial penalty.

YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION",Financial Penalty,1f9a6cd77117118c2993744cd45d390f6d952a0a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,172,172,1,952,"A financial penalty of $6,000 was imposed on Institute of Singapore Chartered Accountants for failing to make reasonable security arrangements to prevent the unauthorised disclosure of the personal data of its members.","[""Protection"", ""Financial Penalty"", ""Finance and Insurance""]",2018-12-13,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Institute-of-Singapore-Chartered-Accountants---131218.pdf,Protection,Breach of Protection Obligation by Institute of Singapore Chartered Accountants,https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-institute-of-singapore-chartered-accountants,2018-12-13,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 28 
Case No DP-1711-B1367 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Institute of Singapore Chartered Accountants … Organisation DECISION Institute of Singapore Chartered Accountants [2018] SGPDPC 28 Tan Kiat How, Commissioner — Case No DP-1711-B1367 13 December 2018. Background 1 Technology has transformed the way we communicate. Today, we live in a world of tweets and texts, email and instant messaging. This case shows that when sending documents containing a significant volume of personal data by email, it is important for organisations to have in place reasonable security arrangements to protect these documents from unauthorised access by unintended recipients. 2 On 27 November 2017, the Personal Data Protection Commission (the “Commission”) received notification from the Institute of Singapore Chartered Accountants (“ISCA”) that one of its employees inadvertently sent an email attaching a Microsoft Excel document containing personal data of 1,906 individuals (the “Excel File”) to an unintended recipient (the “Incident”). 3 Following an investigation into the matter, the Commissioner found ISCA in breach of section 24 of Personal Data Protection Act 2012 (“PDPA”). Material Facts 4 Established in 1963, ISCA is the national professional body for accountants in Singapore with about 32,000 members. ISCA is the Institute of Singapore Chartered Accountants [2018] SGPDPC 28 Administrator of the Singapore Chartered Accountant Qualification and the designated body to confer the “Chartered Accountant of Singapore” designation. 5 On or about 23 November 2017, as part of business operations, 2 ISCA employees (the “First Employee” and the “Second Employee”, collectively the “Employees”) were unable to open the Excel File (stored on ISCA’s internal shared drive) as it appeared to be corrupted. The Employees sought the assistance of ISCA’s IT department. 
Arising from this, ISCA’s IT Support Specialist sent an email to the System/Network Engineer from the ICT department to recover the Excel File from the backup server, and to send the recovered Excel File to the Employees. 6 On 24 November 2017, the System/Network Engineer created an email to send the recovered Excel File as an attachment to the Employees (the “Subject Email”). As the earlier email from the IT Support Specialist did not include the Employees in the addressee list, the System/Network Engineer had to specifically insert the Employees in the recipient section of the Subject Email. Due to the auto-complete feature in Microsoft Outlook’s email software, the System/Network Engineer inadvertently selected an accounts manager (the “Unintended Recipient”)1 in a listed telecommunications service provider (“Telco”) instead of the First Employee as they both had the same first name. The Subject Email containing the Excel File was therefore sent to the IT Support Specialist, the Second Employee and the Unintended Recipient. The Excel File was not encrypted with a password. 1 The Unintended Recipient was the designated accounts manager to communicate with ISCA on services provided by the Telco to ISCA. 2 Institute of Singapore Chartered Accountants 7 [2018] SGPDPC 28 The Excel File listed 1,906 candidates in the ISCA Professional Examination programme. The personal data2 of the candidates which were disclosed include the following: (a) NRIC numbers; (b) Passport numbers; (c) Name; (d) Date of Birth; (e) Postal Address; (f) Email Address; (g) Mobile Phone Numbers; (h) Employment history records; (i) Qualification records; (j) Exam results; and (k) Appeal status of their candidature. (collectively, the “Subject Data”) 8 The Second Employee discovered the mistake within 10 minutes of the Subject Email being sent, and reported it to the Manager, Info-communications and Technology Management, who was also one of ISCA’s data protection officers (the “Manager ICT”). 
9 2 ISCA took the following remedial action: Each of the 1,906 candidates did not have the same types of data disclosed in the Excel File. Some candidates had more data in the Excel File than others. 3 Institute of Singapore Chartered Accountants (a) [2018] SGPDPC 28 On 24 November 2017 at around 3.24pm, the System/Network Engineer emailed the Unintended Recipient to inform her to disregard the Subject Email. At around 3.44pm, the Unintended Recipient replied the System Network Engineer to inform ISCA that she had deleted the Subject Email without opening the Excel File. (b) On 25 November 2017, the Manager ICT sent a further email to the Unintended Recipient to require that all copies of the Subject Email and Excel File are permanently deleted. Through emails dated 27 and 28 November 2017, the Unintended Recipient confirmed that the Subject Email and Excel File have been permanently deleted. (c) The Unintended Recipient signed a Declaration confirming that: (i) The Subject Email and Excel file was promptly deleted upon the Unintended Recipient being notified by ISCA of the Subject Email being sent by mistake; (ii) The Excel File was not opened by the Unintended Recipient nor anyone else; and (iii) The Unintended Recipient’s employer does not possess the Subject Email and Excel File and no copies remain in its mail servers, backups or systems. (d) On 29 November 2017, ISCA notified all 1,906 candidates of the Incident by email and/or SMS. 4 Institute of Singapore Chartered Accountants [2018] SGPDPC 28 The Commissioner’s Findings and Basis for Determination 10 It is not disputed that the Subject Data is “personal data” as defined in section 2(1) of the PDPA. There is also no dispute that the PDPA applies to ISCA as it falls within PDPA’s definition of “organisation”. 11 The issue to be determined by the Commissioner in this case is whether ISCA had complied with its obligations under section 24 of the PDPA. 
Whether ISCA complied with its obligations under section 24 of the PDPA 12 Section 24 of the PDPA provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. 13 It is not disputed that ISCA had possession and/or control of the Subject Data in the Excel file stored on ISCA’s internal shared drive and backup server. ISCA’s security arrangements to protect electronic documents containing personal data 14 As part of ISCA’s business operations, its employees are required to access a significant number of its members’ personal data contained in electronic files (e.g. the Excel File contained 1,906 individuals’ Subject Data). The Subject Data in ISCA’s possession and/or control included personal data which has a higher expectation of confidentiality (e.g employment history records, qualification records, exam results and appeal status) and could be potentially embarrassing if disclosed to unauthorised recipients. 5 Institute of Singapore Chartered Accountants 15 [2018] SGPDPC 28 In this regard, ISCA has a general policy that applies to the whole organisation with respect to the protection of personal data of its members. This “Information Sensitivity Policy” is intended to guide employees on protecting information at varying sensitivity levels, including during electronic distribution. According to ISCA, the Subject Data in the Excel File would fall under the “More Sensitive” category. For electronic distribution of documents in this category, there are “no restrictions to approved recipients within ISCA, but should be encrypted or sent via a private link to approved recipients outside of ISCA premises”. 16 ISCA also has targeted policies and standard operation procedures (“SOPs”) for specific departments and/or operational activities that deal with personal data. 
The policies/SOPs that require electronic documents containing personal data to be protected are: (a) “Data Management for CPE Programmes Policies and Procedures” applies to employees dealing with continuing professional education. It requires encryption for excel reports generated that contains personal data. (b) “Data Management” applies to the Member Services and Marketing department of ISCA. It requires internal reports generated by the department that contain personal data to be “encrypted with password”. (c) The SOP entitled “Student Data Management” attached 2 emails in relation to the protecting files that contain personal data which stated: 6 Institute of Singapore Chartered Accountants (i) [2018] SGPDPC 28 “Please ensure that your files are password-protected especially if they contain personal data such as name, NRIC number, address, phone number and email address”; and (ii) “For electronic transmission (i.e. email, thumbdrives etc) of personal data, please ensure the files are encrypted”. 17 However, none of ISCA’s security arrangements at [15] and [16] required password based encryption for the Excel File in the circumstances leading up to the Incident. (a) ISCA’s Information Sensitivity Policy did not apply because the System/Network Engineer intended to send the Excel File by email to authorised recipients within ISCA only. (b) ISCA conceded that none of the policies/SOPs at [16] applied to the System/Network Engineer who was in ISCA’s ICT department. 18 The Commissioner found that ISCA failed to put in place reasonable security arrangements to protect the Subject Data in the Excel File during email transmission for the following reasons: (a) The volume (1,906 members) and type (data with a higher expectation of confidentiality) of Subject Data in the Excel File warranted direct protection. 
In this regard, ISCA should have had a policy/SOP that applied to all employees requiring password based encryption for the Excel File in respect of both external and internal emails. This would be a reasonable security arrangement to protect the Subject Data against unauthorised access in the event the Subject Email was sent to any unintended recipient. 7 Institute of Singapore Chartered Accountants (i) [2018] SGPDPC 28 ISCA’s Information Sensitivity Policy at [15] was not a sufficient security arrangement as it only required password based encryption for external emails. (ii) ISCA’s “Student Data Management” SOP at [16(c)] recognised that the Subject Data in the Excel File required direct protection. Under this SOP, the Employees who had requested the Excel File would have had to ensure that the Excel File is encrypted with a password for electronic transmission. However, as discussed at [17(b)], this SOP did not apply to the System/Network Engineer. At the material time, ISCA did not have a specific policy/SOP for the ICT department in respect of its operational activities that deal with personal data. (iii) According to ISCA, the System/Network Engineer did not open the Excel File when recovering it from ISCA’s backup server. He was therefore not aware that the Excel File did not have password based encryption. This excuse is not credible for the reason that when the Employees requested for the restoration of an Excel file from the backup server, one would have expected that the least that would have been done was for the System/Network Engineer to open the file to be sure that it had been properly restored and thus usable by the Employees. It is more likely that the System/Network Engineer had opened the file but it had not occurred to him that it was a spreadsheet containing voluminous personal data. 
In any event, the lack of policy/SOP for the ICT department and the gap in the extant Information Sensitivity Policy meant that the System/Network Engineer would not have been required to password protect the restored Excel file. (b) ISCA conducted PDPA training for its employees. In this regard, data protection training only has an impact on the proper implementation of an organisation’s data protection policies and practices. It does not replace the requirement for an organisation to have the necessary data protection policies in respect of its operational/business activities that deal with personal data. In the present case, ISCA did not have any policy/SOP that if properly implemented, would have been a reasonable security arrangement to protect the Excel File during internal email transmission. 19 For the reasons above, the Commissioner finds ISCA in breach of section 24 of the PDPA. Representations by ISCA 20 ISCA made representations following the issuance of a preliminary Decision to ISCA. The representations did not go to the merits of the matter but were mainly related to the timelines for ISCA to comply with the Commissioner’s directions. The Commissioner has considered the representations made and has made adjustments to the timelines in the final set of directions below. The Commissioner’s Directions 21 Given the Commissioner’s findings that ISCA is in breach of section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to issue ISCA such directions as it deems fit to ensure compliance with the PDPA. This may include directing ISCA to pay a financial penalty of such amount not exceeding S$1 million. 
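The rule at [18(a)] above, that the same password based encryption requirement should apply to internal and external emails, can be enforced mechanically rather than by policy alone. The following is an added example, not code from the decision or from ISCA: an outbound mail gate that inspects each attachment and blocks an unencrypted OOXML spreadsheet containing NRIC-shaped identifiers regardless of the recipient domain. It relies on the fact that Office stores a password-protected .xlsx as an OLE compound file (magic bytes D0 CF 11 E0 A1 B1 1A E1) rather than as a ZIP archive. The sender and recipient addresses, the identifiers and the attachment contents are constructed for the demonstration, and the encrypted sample is only a container signature, not a real encrypted workbook.

```python
# Added example, not taken from the decision or from ISCA's systems: an outbound
# mail gate that applies one rule to internal and external recipients alike.
# An attachment that looks like an unencrypted OOXML spreadsheet containing
# NRIC-style identifiers is blocked. Addresses and file contents are constructed.
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

ZIP_MAGIC = b'PK\x03\x04'                        # plain .xlsx/.docx (OOXML) container
CFB_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'  # OLE compound file; Office stores a
                                                 # password-encrypted OOXML file in this
OOXML_EXT = ('.xlsx', '.xlsm', '.docx', '.pptx')
NRIC_RE = re.compile(rb'\b[STFG]\d{7}[A-Z]\b')   # Singapore NRIC/FIN shape


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)


def attachment_state(att: Attachment) -> str:
    # Returns 'encrypted', 'plaintext' or 'other'. A legacy binary .xls is also a
    # compound file, so the extension is consulted before trusting the signature.
    name = att.filename.lower()
    if not name.endswith(OOXML_EXT):
        return 'other'
    if att.data.startswith(CFB_MAGIC):
        return 'encrypted'
    if att.data.startswith(ZIP_MAGIC):
        return 'plaintext'
    return 'other'


def count_identifiers(att: Attachment) -> int:
    # Scan every part of a plaintext OOXML zip for NRIC-shaped strings.
    hits = 0
    with zipfile.ZipFile(io.BytesIO(att.data)) as zf:
        for member in zf.namelist():
            hits += len(NRIC_RE.findall(zf.read(member)))
    return hits


def gate(mail: OutboundMail) -> List[str]:
    # Returns the list of violations; an empty list means the mail may be sent.
    # The recipient domain is deliberately not consulted: the policy gap in the
    # decision was a rule that applied only to external email.
    problems = []
    for att in mail.attachments:
        if attachment_state(att) != 'plaintext':
            continue
        n = count_identifiers(att)
        if n:
            problems.append(f'{att.filename}: {n} NRIC/FIN-like values in an unencrypted file')
    return problems


def build_plain_xlsx(cells: List[str]) -> bytes:
    # Constructed minimal OOXML-shaped zip; enough for the gate, not a real workbook.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('[Content_Types].xml', '<Types/>')
        zf.writestr('xl/workbook.xml', '<workbook/>')
        rows = ''.join(f'<t>{c}</t>' for c in cells)
        zf.writestr('xl/worksheets/sheet1.xml', f'<worksheet><row>{rows}</row></worksheet>')
    return buf.getvalue()


def build_encrypted_stub() -> bytes:
    # Only the container signature matters to the gate; a real encrypted workbook
    # is a full compound file carrying EncryptionInfo and EncryptedPackage streams.
    return CFB_MAGIC + b'\x00' * 504


SAMPLE_PLAIN = build_plain_xlsx(['Member One', 'S1234567A', 'Member Two', 'T7654321Z'])
SAMPLE_ENC = build_encrypted_stub()


def demo() -> dict:
    # Same internal sender and recipient in both cases; only the attachment differs.
    internal = OutboundMail('ict@example.org', ['staff@example.org'],
                            [Attachment('members.xlsx', SAMPLE_PLAIN)])
    fixed = OutboundMail('ict@example.org', ['staff@example.org'],
                         [Attachment('members.xlsx', SAMPLE_ENC)])
    return {'internal_plain': gate(internal), 'internal_encrypted': gate(fixed)}


if __name__ == '__main__':
    for label, violations in demo().items():
        print(label, violations or 'allowed')
```

A gate like this is a backstop for the policy, not a substitute for encrypting at source: it sees only the container signature, so a compound file with a trivial password passes it, and the identifier pattern is a heuristic that will miss personal data in other shapes.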
22 In assessing the breach and determining the directions, if any, to be imposed on ISCA in this case, the Commissioner took into account the following mitigating factors: (a) ISCA notified the Commission of the Incident and was fully cooperative in the investigations; (b) The unauthorised disclosure was limited to a single Unintended Recipient for a short period of 10 minutes; (c) ISCA took prompt action to mitigate the impact of the Incident by (i) requesting the Unintended Recipient to permanently delete the Subject Email containing the Excel File; and (ii) notifying all affected individuals of the Incident; and (d) There was no evidence to suggest any actual loss or damage resulting from the unauthorised disclosure. 23 Having considered all the relevant factors of this case, the Commissioner hereby directs ISCA to do the following: (a) Within 90 days from the date of the Commissioner’s directions, review its policies and security arrangements in respect of electronic transmission of documents containing personal data; and (b) Pay a financial penalty of S$6,000.00 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court (Cap 322, R5, 2014 Rev Ed) in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION ",Financial Penalty,e2bbbd06e9b393bceb76c1214148a7dc8f472f96,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,173,173,1,952,Directions were issued to SLF Green Maid Agency for failing to make reasonable security arrangements to prevent the unauthorised disclosure of individuals’ personal data.,"[""Protection"", ""Directions"", ""Others"", ""domestic helper""]",2018-12-13,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---Green-Maid-Agency---131218.pdf,Protection,Breach of Protection Obligation by SLF Green Maid Agency,https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-slf-green-maid-agency,2018-12-13,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 27 Case No DP-1806-B2265 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SLF Green Maid Agency … Organisation DECISION SLF Green Maid Agency [2018] SGPDPC 27 Yeong Zee Kin, Deputy Commissioner — Case No DP-1806-B2265 13 December 2018 1 This case arose out of the common practice of reusing scrap or discarded paper where the reverse side of the paper can still be used. This is highly commendable and environmentally-friendly, but organisations must take care to ensure that there is no personal data on the scrap or discarded paper set aside for such re-use. An employee of SLF Green Maid Agency (the “Organisation”) wrote information for the Complainant on a piece of paper which contained personal data of other individuals on the reverse side and gave the paper to the Complainant. This happened on two separate occasions. 
The key issue is whether this disclosure of personal data by the Organisation amounts to a breach of section 24 of the Personal Data Protection Act 2012 (“PDPA”). Material Facts 2 On 8 April 2018, the Complainant visited the Organisation’s office to enquire about engaging a foreign domestic worker. An employee of the Organisation assisted her and over the course of these enquiries, the employee handed the Complainant some paper on which he wrote information related to her query. The Complainant discovered that the reverse side of the paper contained personal data of other individuals. The Complainant informed the employee that the paper that was used should not have been given to the Complainant. 3 On 24 April 2018, the Complainant returned to the Organisation’s office and was served by the same employee. Again, over the course of the queries, she was provided information hand written on used paper. Similarly, the reverse side of the paper contained personal data of other individuals. 4 Over the two occasions, the following personal data was disclosed to the Complainant: (a) On the first occasion, the used side of the paper contained a photocopy of the front and back of an individual’s NRIC. (b) On the second occasion, the used side of the paper was a letter detailing a family’s personal circumstances, explaining why a foreign domestic worker was required by them. The letter also contained four individuals’ names and two of their FIN numbers. In an accompanying portion of a contract, the same four individuals’ passport numbers and passport expiry dates were found; and (c) the same portion of a contract contained five other individuals’ names and NRIC numbers, with some accompanying signatures. 
Did the Organisation breach section 24 of the PDPA 5 Section 24 of the PDPA stipulates that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. It is undisputed that the personal data listed in paragraph 4 was disclosed without authorisation. The totality of the circumstances led me to conclude that the unauthorised disclosure stemmed from the Organisation’s lack of reasonable security arrangements to prevent such disclosure. I set out the factors leading to this conclusion below. 6 Organisations that re-use scrap paper should put in place reasonable security measures to prevent scrap paper containing personal data from being re-used or given to other clients. The security arrangements will have to involve at least two aspects: (a) Implementing a system of processes backed up by policies, and (b) Training of staff to be aware of the risks and to be alert to spot them. 7 In this case, investigations did not turn up any process or system within the organisation for segregating scrap paper containing personal data from the pile(s) of scrap paper that can be re-used by staff. 8 Neither were there any policies. In fact, the Organisation admitted that they did not have a detailed policy with respect to personal data protection nor did they provide staff with any formalised training on personal data. Instead, the Organisation relied on the management’s verbal directions to screen through all discarded paper and to destroy any paper that contained personal data; and that only paper which did not contain personal data was to be re-used. 
The Organisation intimated, in written responses during investigations, that the following instructions were given to employees: “Physical Office Manning- Office should be manned continuously by staff during operating hour. In occasion that staff is alone in office and the need to leave the office, say go to the toilet, office should be locked. Do not leave office open but unattended. Management of Client’s data- Clients (Employer/customer and FDW) data should not be used or discussed loosely. Not even between staff and staff. Management insists that no loose talk on sensitive data like how rich is an employer and personal income, where employer stays, etc...Only on a need to know and authorized to know basis. Clients/FDW’s document. Individual client/FDW’s document are filed and serialized. Files are safe keep in cabinet within the office space which is locked after office hour. Access to Personal Computer. Instruction to all staff is that “outsider” person who is not authorized is not allowed to “touch” our personal computer. Ever happened before that a staff let a customer use her personal computer to check certain thing from website was reprimanded.” 9 To my mind, these instructions were insufficient and failed to establish the practices around the Organisation’s policy of using discarded paper that contained personal data. 10 The Organisation intimated that they prominently pasted a set of guidelines on handling personal data and provided a copy of a document entitled “Guidelines to Personal Data Protection” (“Organisation’s “Guidelines””). The relevant part of the Organisation’s “Guidelines” stated: “Proper Housekeeping Other than the document that Staff is working on at any point in time, no other unnecessary document, especially document with personal data should be lying around on the working table or other places.” … “Management of waste paper with personal information on it. 
Waste paper with personal data on them are not to be disposed of in public rubbish bin direct, unless data is permanently masked off by using permanent marker and is torn into small pieces.” (emphasis in original) 11 There are a couple of issues with the Organisation’s Guidelines. First, they do not address the re-use of discarded paper containing personal data directly. They deal with safekeeping and disposal of waste paper containing personal data. Second, investigations did not uncover any evidence to substantiate that the Organisation’s Guidelines were provided to its employees. 12 Turning now to the importance of staff training as a security arrangement. It has been said before in Re: National University of Singapore [2017] SGPDPC 5 and it bears repeating that training is important to inculcate the right employee culture and establish the right level of sensitivity to personal data amongst staff. The organisation admitted that no training had been provided. The closest form of training in this matter was a verbal exhortation by management to screen scrap paper and to discard (and not to re-use) scrap paper that contained personal data. Clearly, this was insufficient to establish the right level of employee sensitivity to client personal data. These verbal instructions did not appear to have been effective on the employee who served the Complainant as he made the same mistake to the same client twice: he handed over to the Complainant scrap paper containing personal data of other individuals on two separate occasions and had failed to retrieve them even after the employee was informed by the Complainant that he should not re-use paper with personal data. 
13 For a company like the Organisation that handles personal data of foreign domestic workers and clients on a daily basis (eg passport and income information), it is necessary for it to put in place a better system of staff training and awareness given the sensitive nature of personal data that it handles, as well as the volume. Merely disseminating guidelines and verbal instructions is insufficient. As noted in Re Aviva Ltd, whilst there is no specific distinction in the PDPA based on the sensitivity of the data, organisations are to ensure that there are appropriate levels of security for data of varying levels of sensitivity: [2018] PDP Digest 245 at [17]-[18]. NRIC and passport numbers and financial information would generally be considered more sensitive: Re Aviva Ltd at [17]. Structured and periodic training could have been implemented to protect personal data. 14 I therefore find that the Organisation was in breach of its obligation to protect personal data under section 24 of the PDPA as it did not implement reasonable security arrangements to protect the personal data found in the discarded papers. Since the incident, the Organisation has reminded its staff to comply with internal guidelines on personal data protection and the procedures for destroying documents containing personal data. They have also highlighted to the staff internal penalties for any failure to comply. Deputy Commissioner’s Directions 15 Given my findings that the Organisation is in breach of section 24 of the PDPA, I am empowered under section 29 of the PDPA to issue the Organisation such directions as it deems fit to ensure compliance with the PDPA. This may include directing the Organisation to pay a financial penalty of such amount not exceeding S$1 million. 16 Taking into account the limited scope of the unauthorised disclosure, I do not think that a financial penalty is warranted and instead make the following directions: a. 
The Organisation is to conduct a review of its procedures to prevent the use of discarded or unwanted documents containing personal data within 30 days from the date of this Decision; b. The Organisation is to develop a training programme to ensure that all of its staff is aware of and will comply with the requirements of the PDPA when handling personal data within 60 days from the date of this Decision; c. The Organisation is to require all staff who have not attended data protection training to attend such data protection training in accordance with the training programme set out at (b) above within 30 days of the development of the training programme; and d. The Organisation is to inform the Commission of the completion of each of the above within 7 days of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION COMMISSION ",Directions,db40f6c2dd8921428c1fe911f5570123eecd69e8,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,174,174,1,952,"A financial penalty of $20,000 was imposed on WTS Automotive Services for failing to make reasonable security arrangements to prevent the unauthorised disclosure of its customers’ personal data.","[""Protection"", ""Financial Penalty"", ""Others"", ""vehicle repair and maintenance""]",2018-12-13,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---WTS-Automotive-Services-Pte-Ltd---131218.pdf,Protection,Breach of Protection Obligation by WTS Automotive Services,https://www.pdpc.gov.sg/all-commissions-decisions/2018/12/breach-of-protection-obligation-by-wts-automotive-services,2018-12-13,"PERSONAL DATA PROTECTION COMMISSION [2018] SGPDPC 26 Case No DP-1706-B0834 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And WTS Automotive Services Pte. Ltd. 
… Organisation GROUNDS OF DECISION WTS Automotive Services Pte. Ltd. [2018] SGPDPC 26 Tan Kiat How, Commissioner – Case No DP-1706-B0834 13 December 2018 Background 1 This matter involves WTS Automotive Services Pte. Ltd. (the “Organisation”), a company which provides vehicle repair and maintenance services at Kaki Bukit and Gul Circle in Singapore. On 9 June 2017, a complaint was lodged by a member of the public (“Complainant”) with the Personal Data Protection Commission (“Commission”), alleging that a URL link to the Organisation’s customer database, which contained the personal data of the Organisation’s customers, was publicly accessible over the Internet (the “Incident”). The Commissioner sets out below his findings and grounds of decision based on the investigations carried out in this matter. Material Facts 2 The Complainant had been searching for a company address via Google’s search engine, when he chanced upon the URL link to the Organisation’s Kaki Bukit customer database, which contained the personal data of 2,472 of its Kaki Bukit customers. The personal data that was disclosed included the names, NRIC and FIN numbers, residential addresses, contact numbers, email addresses and car plate registration numbers of the Organisation’s Kaki Bukit customers. The Complainant proceeded to lodge a complaint with the Commission on 9 June 2017. Upon receiving the complaint, the Commission commenced an investigation into this matter. 3 During the course of the investigation, the Organisation represented that it had implemented a Backend Electronic Job Card System (“Backend System”) which ran as a web application over the Internet since December 2013. 
The Backend System was set up for internal use only and was meant to allow the Organisation’s staff to, amongst other things, store and access the personal data of the Organisation’s customers. The Backend System was developed and maintained by ZNO International (Pte.) Limited (“ZNO”) from October 2013. Subsequently, QGrids was responsible for the maintenance of the Backend System from March 2016. The Organisation represented that the publicly accessible URL link to the Organisation’s Kaki Bukit customer database was part of the Backend System. 4 During the course of the investigation, the Commission also found that there were two other databases that were part of the Backend System, which similarly contained personal data and were also publicly accessible, as follows: (a) the Organisation’s Gul Circle customer database, which contained the names, NRIC and FIN numbers, residential addresses, contact numbers, email addresses and car plate registration numbers of 2,223 of the Organisation’s Gul Circle customers; and (b) the Organisation’s master car database, which contained 3,764 records with the names of car owners, and the details of their cars, such as a car’s make, model, plate number, colour, chassis number, registration number, transmission type and mileage. 5 All three URL links to the Organisation’s three databases will collectively be referred to as the “Compromised URL Links”. The Compromised URL Links were all webpages which provided data export functions, i.e. they allowed data to be exported into Microsoft Excel spreadsheets. By clicking on any of the Compromised URL Links, the corresponding Microsoft Excel spreadsheet would be generated and provided to a user. As the Microsoft Excel spreadsheets would subsequently be saved in the backend server, the Microsoft Excel spreadsheets could be discovered and indexed by search engines. 
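The export pages described at [5] above, as an added example that is not part of the decision or of the Organisation’s Backend System: a small in-memory router written for this page that reproduces the failure mode (an export page reachable by URL with no login check) beside a deny-by-default dispatcher, together with an audit routine that requests every registered route without a session and reports any that return data. The route paths, the user and the customer rows are constructed; the real system’s routes and framework are not known from the decision.

```python
# Added example, not code from the decision or from the WTS Backend System:
# a tiny in-memory router that reproduces the failure mode described above
# (an export page reachable by URL with no login check) beside a deny-by-default
# dispatcher, plus an audit that probes every registered route anonymously.
# Route paths, user names and customer rows are constructed for the demo.
import csv
import io
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed records standing in for a customer database.
CUSTOMERS = [
    {'name': 'Customer One', 'plate': 'SXX1111A'},
    {'name': 'Customer Two', 'plate': 'SXX2222B'},
]


@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None: no valid session


@dataclass
class Response:
    status: int
    body: str = ''
    content_type: str = 'text/plain'


Handler = Callable[[Request], Response]


def export_customers_csv(req: Request) -> Response:
    # Stream the export in the response. Writing the generated file into a
    # directory the web server serves is what let crawlers find the spreadsheets.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=['name', 'plate'])
    writer.writeheader()
    writer.writerows(CUSTOMERS)
    return Response(200, buf.getvalue(), 'text/csv')


def dashboard(req: Request) -> Response:
    return Response(200, f'hello {req.user}')


def login_page(req: Request) -> Response:
    return Response(200, 'login form')


class OptInAuthApp:
    # Vulnerable pattern: each handler must remember to check the session.
    # The export route never does, so anyone holding the URL gets the file.
    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {
            '/login': login_page,
            '/dashboard': lambda r: dashboard(r) if r.user else Response(401),
            '/export/customers': export_customers_csv,  # check forgotten here
        }

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        return handler(req) if handler else Response(404)


class DenyByDefaultApp:
    # Hardened pattern: the dispatcher requires a session for every route;
    # a handler is reachable anonymously only if explicitly registered as public.
    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}
        self.public: Set[str] = set()

    def add(self, path: str, handler: Handler, public: bool = False) -> None:
        self.routes[path] = handler
        if public:
            self.public.add(path)

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        if handler is None:
            return Response(404)
        if req.path not in self.public and req.user is None:
            return Response(401, 'login required')
        return handler(req)


def find_anonymous_routes(app, allowed_public: Set[str]) -> List[str]:
    # Audit: request every registered route with no session and report those
    # that answer 200 without being on the expected public allow-list.
    leaks = []
    for path in sorted(app.routes):
        if path not in allowed_public and app.dispatch(Request(path)).status == 200:
            leaks.append(path)
    return leaks


def build_hardened_app() -> DenyByDefaultApp:
    app = DenyByDefaultApp()
    app.add('/login', login_page, public=True)
    app.add('/dashboard', dashboard)
    app.add('/export/customers', export_customers_csv)
    return app


if __name__ == '__main__':
    print('opt-in app leaks:', find_anonymous_routes(OptInAuthApp(), {'/login'}))
    print('hardened app leaks:', find_anonymous_routes(build_hardened_app(), {'/login'}))
```

The audit is the kind of check a periodic vulnerability assessment would include: it catches a route whose author forgot the check, which per-page opt-in cannot. Streaming the export in the response, rather than writing a spreadsheet under the web root, removes the file that a crawler could later index; search-engine removal requests and robots.txt reduce discoverability but are not access controls.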
6 Notably, the Organisation admitted during the course of the investigation that the webpages of the Backend System were all secured by authentication mechanisms, save for the Compromised URL Links. The Organisation represented that the authentication mechanisms for the Compromised URL Links were “left out by ZNO unintentionally” during the development of the Backend System. With no authentication mechanisms to limit access to the Compromised URL Links, search engines were able to discover and index these Compromised URL Links, rendering the respective databases publicly accessible over the Internet. 7 After the Organisation was notified by the Commission of the unauthorised disclosure of its Kaki Bukit customers database on 15 June 2017, the Organisation represented that it had taken the following steps to prevent the reoccurrence of the unauthorised disclosure of personal data: (a) added Robots.txt to discourage search engines from crawling webpages of the Organisation’s Backend System; (b) secured all webpages in the Organisation’s Backend System with login mechanisms; (c) removed the Compromised URL Links from Google and Bing search engines; and (d) migrated the Backend System to a local server and configured it to be only accessible within the Organisation’s Local Area Network instead of the Internet. Findings and Basis for Determination 8 At the outset, the information that was disclosed via the Compromised URL Links (names, NRIC and FIN numbers, residential addresses, contact numbers, email addresses, car plate registration numbers and details of cars, such as a car’s make, model, plate number, colour, chassis number, registration number, transmission type and mileage) constitutes personal data as defined in section 2(1) of the Personal Data Protection Act 2012 (No. 
26 of 2012) (“PDPA”), as the Organisation’s customers and/or car owners could be identified from such information disclosed or is information that is about these identified customers and/or car owners. 9 The issue for determination is whether each of the Organisation, ZNO and QGrids had complied with the obligation under section 24 of the PDPA to implement reasonable security arrangements to protect personal data in its possession or under its control. 10 Section 24 of the PDPA provides: “An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.” [Emphases added.] As a preliminary issue, the meaning of the terms “possession” and “control” under section 24 of the PDPA is considered. Whilst “possession” is not defined in the PDPA, the distinction between “possession” and “control” had been explained in Re Cellar Door Pte Ltd [2016] SGPDPC 22 at [17] as: “it is possible for the same dataset of personal data to be in the possession of one organisation, and under the control of another. For example, in a situation where the organisation transfers personal data to its data intermediary, the organisation could remain in control of the personal data set while, simultaneously, the data intermediary may have possession of the same personal data set.” 11 Notably, in Re Cellar Door Pte Ltd, it was found that even though the organisation was not in direct possession of the personal data that was held in the data intermediary’s servers, it was still obliged to implement reasonable security arrangements to protect the personal data as it had control over such data. 12 As to the definition of “control”, AIG Asia Pacific Insurance Pte. Ltd. 
[2018] SGPDPC 8 at [18] states that: “[w]hile there is no definition of “control” in the PDPA, the meaning of control in the context of data protection is generally understood to cover the ability, right or authority to determine (i) the purposes for; and/or (ii) the manner in which, personal data is processed, used or disclosed.” [Emphasis added.] 13 Against this backdrop, the issue for determination is whether each of the Organisation, ZNO and QGrids had possession or control of the personal data contained in the Compromised URL Links, so as to trigger the obligation to implement reasonable security arrangements to prevent its unauthorised disclosure under section 24 of the PDPA. Whether ZNO had the obligation to protect personal data under section 24 of the PDPA 14 ZNO was the IT vendor engaged by the Organisation to develop, host and maintain the Backend System. While the Organisation claims that it had asked ZNO to include authentication mechanisms to limit access to the data found in the Compromised Links, the only evidence that the Organisation relied upon was the statement of its General Manager. Even if we take the Organisation’s case at its highest and it is found that ZNO was indeed asked to implement authentication mechanisms, ZNO would not be in breach of the PDPA given that it had delivered the Backend System (save for one module which was not relevant to the Incident) in 2013. After the relevant PDPA provisions came into force on 2 July 2014, the onus is on the Organisation to review its existing systems and to put in place enhancements to ensure that the standards of protection under the PDPA are met. In this regard, the Commissioner finds that ZNO did not have the obligation under section 24 of the PDPA. 
Whether QGrids had the obligation to protect personal data under section 24 of the PDPA 15 As of March 2016, QGrids had been engaged by the Organisation for the purposes of application and data migration from ZNO’s web hosting services to Vodien Internet Solutions Pte. Ltd. (“Vodien”), a third party Singapore-based web hosting company which provides, amongst other services, domain registration and web hosting services, and subsequently, to take over the maintenance of the Backend System from ZNO. QGrids had possession of the personal data which is the subject of this decision in migrating the Backend Server to Vodien, and would have had to ensure that such personal data was protected. However, the data breach that occurred in this case was not a result of the migration of the Backend Server or QGrids’ role with respect to this. In this regard, the Commissioner finds that QGrids does not have the obligation under section 24 of the PDPA to implement reasonable security arrangements to protect the personal data contained in the Compromised URL Links. Whether the Organisation had the obligation to protect personal data under section 24 of the PDPA 16 With regards to the development of the Backend System, the Organisation represented that it had “[specified] to ZNO that the website and system should be protected with login mechanism and role-based authorisation feature; however, these requirements were given verbally during requirement analysis and were not recorded in any document”. Also, while the Organisation represented that it had tested the Backend System before it was delivered to the Organisation by ZNO, the user acceptance test was not documented by either the Organisation or ZNO. 
17 The Commissioner takes this opportunity to reiterate the importance of clarifying the obligations of an organisation and a service provider and thereafter documenting these in writing and prior to the provision of services, as set out in Re Smiling Orchid (S) Pte Ltd and others [2016] SGPDPC 19 at [51]: “[t]here must be a clear meeting of minds as to the services that the service provider has agreed to undertake, and this should be properly documented. Data controllers should follow through with the procedures to check that the outsourced provider is indeed delivering the services.” 18 Presently, there is an absence of objective evidence showing that the Organisation had given specific requirements that login mechanism and role-based authorization was required. Equally, there is no evidence that this requirement was communicated, documented or – crucially – included within the scope of User Acceptance Tests. Post 2 July 2014 when the PDPA came into full force, the Organisation should have reviewed its systems to ensure that the standards of protection expected under the PDPA are met. The Commission also recognises that “personal data of individuals may be exposed if the website or database in which it is stored contains vulnerabilities. There needs to be a regular review to ensure that the website collecting personal data and the electronic database storing the personal data has reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks” (PDPC, Guide to Data Protection Impact Assessments (published 1 November 2017), at [8.3]). The Commission considers that it is good practice for an organisation to “conduct regular ICT security audits, scans and tests to detect vulnerabilities” (PDPC, Guide to Securing Personal Data in Electronic Medium (revised 20 January 2017), at [6.1]). Against the above backdrop, the Organisation retained full responsibility for implementing reasonable security arrangements to protect the personal data contained in the Compromised URL Links. The Commission found that the Organisation did not take any steps towards protecting the personal data in its possession or under its control to prevent any unauthorised disclosure of the personal data contained in the Compromised URL Links. Additionally, it should have conducted regular IT security checks to ensure that the Backend System did “not contain any web application vulnerabilities that could expose the personal data of individuals collected, stored or accessed via the website through the Internet” (PDPC, Guide on Building Websites for SMEs (revised on 20 January 2017), at [4.2.1]). 19 Although access to the Backend System was only intended for staff of the Organisation, considering how the Backend System was accessible from the Internet, it would have been important for the Organisation to conduct IT security checks to detect vulnerabilities in the Backend System. The Commission takes the view that “[t]esting the website for security vulnerabilities is an important aspect of ensuring the security of the website. Penetration testing or vulnerability assessments should be conducted prior to making the website accessible to the public, as well as on a periodical basis (e.g. annually).” (PDPC, Guide on Building Websites for SMEs (revised on 20 January 2017), at [5.6.1]) In this regard, the Organisation represented that “there [was no] penetration testing performed prior to [the Commission notifying the Organisation about the unauthorised disclosure of personal data on 15 June 2018]”. 20 Given the absence of any security arrangements to protect personal data against unauthorised disclosure, the Commissioner finds that the Organisation has contravened section 24 of the PDPA. Representations 21 The Organisation made representations following the issuance of a preliminary Grounds of Decision. The Commissioner has considered the representations made and is of the view that the representations made do not justify any change in his decision or the directions made. The Commissioner sets out below the points raised in the representations together with the reasons for rejecting the representations. 22 The Organisation in its representation states that they implemented a role based authorisation feature and a login mechanism. These facts have already been taken into consideration. The Organisation’s claims that it had instructed its vendor to protect the system with a login mechanism and a role based authorisation feature are considered in paragraph 18 above. Even on the assumption that instructions for a role based authorisation feature and a login mechanism were properly given, the authentication mechanisms were not implemented with respect to the Compromised URL Links and any alleged instructions were not documented. As stated in paragraph 17, such instructions should be documented in writing to clarify the obligations of an organisation and a service provider. 23 The Organisation also states in its representations that they had expected its vendor ZNO to conduct all the necessary audits as it was still developing the backend system even after the relevant data protection provisions under the PDPA came into force in July 2014 and that the disclosure resulted from a programming flaw. This has already been considered at paragraph 14 above. 
Further, organisations should take note that while they may delegate work to vendors to comply with the PDPA, the organisations’ responsibility for complying with statutory obligations under the PDPA may not be delegated. In this case, the Organisation simply did not put in place any security arrangements to ensure that it complies with its obligations under section 24 of the PDPA.
24 The final point made by the Organisation in its representations is that it had no technical expertise to identify technical flaws and had no reason to suspect that the compromised URL links would be published on the Internet. In the present case, the gravamen lies in the lack of awareness and initiative on the part of the Organisation, as owner of the system, to take its obligations and responsibilities under the PDPA seriously. It is unrealistic to expect all organisations to have the requisite level of technical expertise to manage increasingly complex IT systems. But a responsible organisation would have made genuine attempts to engage competent service providers and give proper instructions. In this case, it is the paucity of evidence of such instructions, purportedly made by the Organisation, that stands out. Likewise, there was no evidence that it had conducted adequate testing of the system. Pertinently, while these lapses may have been more excusable before 1 July 2014, there is no excuse for the Organisation not to have initiated (and properly documented) a review of the system for compliance with the PDPA. The responsibilities of ownership do not require technical expertise.
Directions
25 Having found that the Organisation is in breach of section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give the Organisation such directions as he deems fit to ensure compliance with the PDPA. 
26 In assessing the breach and determining the directions to be imposed on the Organisation, the Commissioner took into account the following mitigating factors: (a) the Organisation was generally cooperative, forthcoming and prompt in providing responses to the Commission during the investigation; and (b) the Organisation took immediate remedial actions to rectify and prevent the recurrence of the data breach.
27 The Commissioner also took into account the aggravating factor that the Organisation showed a lack of accountability with respect to the Backend System and its obligation to protect the personal data that was stored on it. Not only did the Organisation fail to document the instructions given to ZNO to implement a login mechanism and role-based authorisation features for the Backend System, the Organisation had also failed to document the user acceptance test. While the system was developed and delivered before the PDPA came into full force, the Organisation, knowing full well that its practices left a lot to be desired from a security standpoint, ought to have audited its systems before 2 July 2014 to ensure that its practices were PDPA compliant. The failure to do so reflected the Organisation’s lack of accountability in ensuring that it had made reasonable security arrangements to protect the personal data on the Backend System, as well as to prevent any unauthorised disclosure or similar risks to such data.
28 In consideration of the relevant facts and circumstances of the present case, the Commissioner hereby directs the Organisation to pay a financial penalty of S$20,000 within 30 days from the date of this direction, failing which interest, at the rate specified in the Rules of Court in respect of judgment debts, shall be payable on the outstanding amount of such financial penalty. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION",Financial Penalty,307dccae9f3fe07fcf0b183cff56b8e28dc80153,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"