The following case reiterates the need for a proper password protection policy and periodic security checks to guard against data breaches under Singapore's Personal Data Protection Act ("the Act").
Singapore Red Cross Society ("Red Cross") ran a website that allowed members of the public to schedule appointments to donate blood. To this end, Red Cross kept personal records of prospective donors, including their names, contact details, e-mail addresses and blood types ("the data"). The data was stored in Red Cross's database.
On 9 May 2019, Red Cross notified the Personal Data Protection Commission ("PDPC") of a data breach that compromised the data of some 4,297 persons held in the database ("the Incident").
Red Cross promptly took the following measures:
- Disabled the appointment-booking function, temporarily halting the collection of further data; and
- Enhanced its protocols to comply with the Act.
Red Cross admitted that it had breached its protection obligation by not taking adequate steps to protect the data. In particular, Red Cross had not adequately supervised the vendor's work on its website. Its password management policy did not require strong passwords. Because no periodic security checks were carried out, an administrative tool used to manage the database remained connected to the website after the site went live, when it should have been removed or isolated. This oversight, combined with the acceptance of weak passwords, left the website exposed to unauthorised access.
Red Cross also admitted that it had breached the retention limitation obligation under the Act by retaining the data of about 900 persons for longer than necessary. Red Cross had instructed its vendor to delete only part of that data and did not supervise the purging exercise.
The PDPC considered Red Cross's submissions and reduced the financial penalty, taking into account:
- Red Cross's early admission of the breach;
- Red Cross's prompt and wide-ranging remedial actions, including lodging a police report, notifying all affected persons of the Incident, and removing the database from its website; and
- Red Cross's implementation of improved security measures, including separating critical systems from the website and testing them, training staff on password practices, improving standard operating procedures, and closely monitoring vendor conduct.
In this exceptional case, the PDPC reduced the financial penalty to $5,000.
By: Denise Mirandah
A version of this article first appeared on the GALA Blog. For more information, please visit http://blog.galalaw.com/.