Case Details
- Citation: [2019] SGPDPC 26
- Court: Personal Data Protection Commission
- Date: 2019-07-22
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Genki Sushi Singapore Pte. Ltd.
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012, section 24 (protection obligation)
- Cases Cited: [2016] SGPDPC 22, [2018] SGPDPC 4, [2018] SGPDPC 9, [2019] SGPDPC 26
- Judgment Length: 15 pages, 3,194 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Genki Sushi Singapore Pte. Ltd. (the "Organisation") had failed to implement reasonable security arrangements to protect the personal data of its employees, in breach of its obligations under the Personal Data Protection Act 2012 (PDPA). The Organisation's server, which contained sensitive employee data including NRIC numbers, FINs, passport numbers, and bank account details, was the target of a ransomware attack that resulted in the unauthorised encryption of the data. The PDPC determined that the Organisation's security measures were inadequate, particularly given the sensitive nature of the personal data involved, and imposed a financial penalty on the Organisation.
What Were the Facts of This Case?
Genki Sushi Singapore Pte. Ltd. is a sushi chain restaurant that used an off-the-shelf payroll software application called "TimeSoft" to manage its internal operations. The TimeSoft application included a web portal and a database that stored the personal data of the Organisation's current and former employees, including their names, NRIC/FIN numbers, bank account information, gender, marital status, dates of hire and birth, and salary details.
The TimeSoft application and the employee data were hosted on a local server belonging to the Organisation (the "Server"). On 30 August 2018, the Organisation's IT personnel discovered that the Server was unresponsive. After investigating, the Organisation confirmed that the Server had been the target of a ransomware attack, resulting in the encryption of most of the files hosted on it, including the employee data files.
The ransomware attack affected the personal data of approximately 360 current and former employees of the Organisation. In addition to the data mentioned above, the attack also affected the passport numbers, addresses, telephone numbers, mobile numbers, names of relatives, emergency contact details, and countries of birth for some employees. There was no evidence that the encrypted data was exfiltrated or disclosed to unauthorised parties.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligations under section 24 of the Personal Data Protection Act 2012 (PDPA) to protect the personal data in its possession or under its control by taking reasonable security steps or arrangements.
Specifically, the PDPC had to determine whether the security arrangements implemented by the Organisation to safeguard the sensitive employee data hosted on its Server were reasonable, given the nature of the personal data involved.
How Did the Court Analyse the Issues?
In assessing the reasonableness of the Organisation's security arrangements, the PDPC considered several factors, including the nature of the personal data, the form in which it was collected (electronic), and the potential impact on individuals if the data were obtained, modified, or disposed of by unauthorised parties.
The PDPC noted that the employee data files contained sensitive personal information such as NRIC/FIN numbers, passport numbers, bank account details, and salary details. It emphasised that a higher standard of protection is required for more sensitive personal data, as explained in previous PDPC decisions such as Re Aviva Ltd [2018] SGPDPC 4.
The PDPC also referred to the guidance in Re The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd [2016] SGPDPC 22, which stated that "reasonable security arrangements" for IT systems must be sufficiently robust and comprehensive to guard against possible intrusion or attack. This requires "all-round" security of the system, with adequate protection measures and coverage, even though those measures need not be "perfect".
Applying these principles, the PDPC found that the Organisation had failed to implement such "all-round" security measures for its Server, which was accessible via the internet by all its branches and contained sensitive employee data. The PDPC highlighted several deficiencies in the Organisation's security arrangements, including the lack of encryption for the TimeSoft database, inadequate firewall settings, and the absence of an intrusion prevention system and regular vulnerability assessments.
What Was the Outcome?
Based on its findings, the PDPC concluded that the Organisation had breached its obligations under section 24 of the PDPA to protect the personal data in its possession. As a result, the PDPC imposed a financial penalty of S$35,000 on the Organisation.
The PDPC noted that the Organisation had taken some remedial actions after the incident, such as replacing the Server, implementing additional security measures, and engaging external vendors for security services. However, the PDPC emphasised that these post-incident actions did not excuse the Organisation's failure to have reasonable security arrangements in place at the time of the ransomware attack.
Why Does This Case Matter?
This case is significant as it reinforces the PDPC's stance on the importance of implementing robust and comprehensive security measures to protect sensitive personal data, particularly in the context of IT systems and networks.
The decision highlights that organisations must take into account the sensitivity of the personal data they handle and implement a higher standard of protection for more sensitive information, such as NRIC/FIN numbers, passport details, and financial data. Merely having some security measures in place may not be sufficient if there are significant gaps or weaknesses that could be exploited by malicious actors.
The case also serves as a reminder to organisations to regularly review and update their security arrangements to address evolving threats, such as ransomware attacks. Proactive measures, including vulnerability assessments, intrusion prevention systems, and comprehensive backup and recovery plans, are crucial to safeguarding personal data and mitigating the impact of potential security incidents.
Overall, this decision reinforces the PDPC's commitment to holding organisations accountable for their data protection obligations and underscores the need for businesses to prioritise the security of the personal information in their possession.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2016] SGPDPC 22 - Re The Cellar Door Pte Ltd and Global Interactive Works Pte Ltd
- [2018] SGPDPC 4 - Re Aviva Ltd
- [2018] SGPDPC 9 - Re Habitat for Humanity Singapore Ltd
- [2019] SGPDPC 26 - Genki Sushi Singapore Pte. Ltd.
Source Documents
This article analyses [2019] SGPDPC 26 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.