Case Details
- Citation: [2019] SGPDPC 16
- Court: Personal Data Protection Commission
- Date: 2019-06-11
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: DS Human Resource Pte. Ltd.
- Legal Areas: Data protection – Openness obligation, Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2016] SGPDPC 10, [2017] SGPDPC 1, [2017] SGPDPC 18, [2018] SGPDPC 26, [2019] SGPDPC 16
- Judgment Length: 10 pages, 2,085 words
Summary
This case highlights the risks companies face when using default settings of open-source software without properly assessing the security features. The Personal Data Protection Commission (PDPC) found that DS Human Resource Pte. Ltd. (DSHR) breached its obligations under Sections 12 and 24 of the Personal Data Protection Act 2012 (PDPA) by failing to implement reasonable security arrangements to protect the personal data in its possession and by not having any data protection policies or internal guidelines.
The PDPC imposed a financial penalty on DSHR for its failures, emphasizing that a lack of technical knowledge is not a mitigating factor and that organizations must ensure appropriate security settings are configured to protect personal data, regardless of the software used.
What Were the Facts of This Case?
DSHR is a company that specializes in outsourcing part-time staff to the food and beverage industry in Singapore. Individuals interested in applying for part-time jobs would enter their personal data into DSHR's mobile application. This personal data was stored in a MongoDB database hosted on an Amazon Web Services (AWS) server.
On 24 February 2018, DSHR discovered that its database had been accessed without authorization and that the personal data of approximately 2,100 individuals had been deleted. The hacker demanded payment of 0.25 bitcoins in exchange for restoring the database, but even after DSHR made the payment, the hacker did not restore the deleted data. DSHR did not have a backup and was unable to recover the deleted personal data.
The personal data stored in DSHR's database included sensitive information such as NRIC numbers, bank account details, and images of NRIC cards. After the incident, DSHR took various remedial actions, such as changing passwords, restricting connections to its AWS server, and engaging consultants to perform vulnerability and penetration testing.
What Were the Key Legal Issues?
The key legal issues in this case were whether DSHR had complied with its obligations under Sections 12 and 24 of the PDPA.
Section 12 of the PDPA requires organizations to develop and implement data protection policies and practices. Section 24 of the PDPA requires organizations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal.
How Did the Court Analyse the Issues?
The PDPC found that DSHR had failed to comply with its obligations under Section 24 of the PDPA. The PDPC identified several reasons for this failure:
1. DSHR used the default settings of the MongoDB database software without assessing whether they provided reasonable security arrangements to protect the personal data. The default settings allowed remote connections through the internet, exposing the personal data stored in the database.
2. DSHR failed to refer to available information and documentation on securing the MongoDB software, such as MongoDB's own security manual and checklist, which could have helped DSHR implement appropriate security measures.
3. The personal data stored in the database included sensitive information, such as bank account details, which required stronger security measures. However, DSHR did not address the need for such measures and instead relied on the default, insecure settings.
4. DSHR did not have any security or access controls, such as password protection, on the database, resulting in the personal data being exposed to the internet.
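As an added illustration that is not part of the decision and not DSHR's actual configuration, the two settings in MongoDB's YAML configuration file (mongod.conf) that correspond to findings 1 and 4 above: the first document shows a listener reachable from any interface with no authentication, the second the hardened counterpart. The file path and port are constructed assumptions.

```yaml
# Constructed example reflecting the PDPC's findings 1 and 4:
# the database accepts connections from every network interface and
# requires no credentials, so anyone who can reach the port can read,
# modify or delete the stored personal data. Not DSHR's real configuration.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all interfaces, including the public one
security:
  authorization: disabled  # no user accounts or passwords are checked
---
# Hardened counterpart addressing the same two findings.
# Assumes the application connects from the same host or over a private
# network address; adjust bindIp accordingly and keep the public
# interface closed at the cloud firewall / security group as well.
net:
  port: 27017
  bindIp: 127.0.0.1        # loopback only; not reachable from the internet
security:
  authorization: enabled   # clients must authenticate; create the admin
                           # user before turning this on (MongoDB's own
                           # security checklist, cited in the decision,
                           # walks through this step)
storage:
  dbPath: /var/lib/mongodb # constructed path; keep regular backups of it,
                           # since the absence of a backup is what made the
                           # deletion in this case unrecoverable
```

Both finding 2 (consulting MongoDB's security documentation) and the remedial steps noted above (restricting connections to the AWS server) map onto these settings plus a network-level allow list.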
The PDPC also found that DSHR had breached its obligations under Section 12 of the PDPA by not having any data protection policies or internal guidelines that specify the rules and procedures for the collection, use, and disclosure of personal data.
What Was the Outcome?
Based on its findings, the PDPC directed DSHR to pay a financial penalty. The PDPC acknowledged DSHR's efforts to automate its business processes and the director's initiative in doing so, but emphasized that a lack of technical knowledge cannot be a mitigating factor. The PDPC maintained the financial penalty, stating that the security features or reliability of the MongoDB software were not the issue, but rather DSHR's failure to ensure the appropriate security settings were configured to protect the personal data.
Why Does This Case Matter?
This case is significant for several reasons:
1. It highlights the importance of organizations, even small and medium enterprises (SMEs), taking proactive steps to secure personal data, regardless of the software or technology they use. The use of default settings without proper assessment can expose personal data to significant risks.
2. The case emphasizes that a lack of technical knowledge is not a valid excuse for failing to comply with data protection obligations. Organizations must either develop the necessary expertise internally or engage competent service providers to ensure appropriate security measures are in place.
3. The decision underscores the PDPC's stance that the protection of sensitive personal data, such as financial information, requires stronger security measures. Organizations cannot simply rely on the default settings of software solutions without considering the sensitivity of the data involved.
4. The case serves as a reminder to organizations, particularly SMEs, that they must develop and implement data protection policies and practices to comply with the PDPA. Failing to do so can result in enforcement actions and financial penalties.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 10
- [2017] SGPDPC 1
- [2017] SGPDPC 18
- [2018] SGPDPC 26
- [2019] SGPDPC 16
Source Documents
This article analyses [2019] SGPDPC 16 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.