
HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4

Analysis of [2021] SGPDPC 4, a decision of the Personal Data Protection Commission on 2021-05-20.

Case Details

  • Citation: [2021] SGPDPC 4
  • Court: Personal Data Protection Commission
  • Date: 2021-05-20
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: HMI Institute of Health Sciences Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act
  • Cases Cited: [2017] SGPDPC 12, [2020] SGPDPC 15, [2020] SGPDPCR 1, [2021] SGPDPC 4
  • Judgment Length: 13 pages, 3,338 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that HMI Institute of Health Sciences Pte. Ltd. (the Organisation) failed to implement reasonable security arrangements to protect the personal data of its employees and trainees, in contravention of section 24 of the Personal Data Protection Act (PDPA). The Organisation's file server was affected by a ransomware attack, which encrypted and denied access to various files containing the personal data of approximately 110,080 trainees and 253 employees. The PDPC determined that the Organisation's failure to adequately regulate remote access to the server through an open Remote Desktop Protocol (RDP) port was a key factor that led to the unauthorised access and compromise of the personal data.

What Were the Facts of This Case?

On 4 December 2019, a file server (the "Server") belonging to HMI Institute of Health Sciences Pte. Ltd. (the "Organisation") was affected by a ransomware attack. The ransomware encrypted and denied access to various files on the Server, including files containing personal data of the Organisation's staff and trainees (the "Incident").

The Server was set up in 2014 and was located in Singapore. It was owned by the Organisation but maintained by the Organisation's appointed IT solution service provider (the "Vendor"). The Server stored personal data in Microsoft Word or Excel files, most but not all of which were password-protected.

The Server was protected by a firewall that blocked all connections, except for those through port 3389, a standard port which was used for the Remote Desktop Protocol ("RDP Port"). The RDP Port was used by the Vendor for remote management and/or troubleshooting purposes. According to the Organisation, the RDP Port was kept open from sometime in 2014 up to the date of the Incident on 4 December 2019 (i.e. for more than four (4) years) to allow the Vendor quick and easy access.

The Server only had one administrator account which was shared by the Organisation's IT administrator and at least three other employees of the Vendor. By use of this administrator account, the Vendor could access the Server remotely through the RDP Port and view, change, or delete all the data in the Server.

The key legal issue in this case was whether the Organisation had contravened section 24 of the Personal Data Protection Act (PDPA), which requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the "Protection Obligation").

Specifically, the PDPC had to determine whether the Organisation had failed to implement reasonable security arrangements to protect the personal data of its employees and trainees that was stored on the Server.

How Did the Court Analyse the Issues?

The PDPC found that the Organisation failed to implement reasonable security arrangements to protect the personal data stored on the Server, in contravention of section 24 of the PDPA.

The PDPC noted that even though the Organisation had engaged the Vendor to maintain the Server, the responsibility to protect the personal data fell squarely on the Organisation, as it owned the Server and was in possession and control of the personal data at all material times.

The PDPC identified the Organisation's failure to adequately regulate remote access to the Server via the open RDP Port as a key factor that led to the unauthorised access and compromise of the personal data. The PDPC explained that while there is no strict requirement for the RDP Port to always be closed, organisations should regularly review and assess the potential risks of keeping such public-facing ports open, especially where a large volume of personal data or sensitive personal data is involved.

The PDPC noted that in this case, the Organisation kept the RDP Port open for more than four years to allow the Vendor quick remote access for recovery and maintenance work. However, the PDPC found that the Organisation should have considered other measures to secure the RDP access, such as using a different port, restricting access to specific IP addresses, using an RDP gateway, and conducting log reviews for unusual activity.

The PDPC also highlighted that where an organisation holds a high volume of personal data and/or highly sensitive personal data, the default approach should be to close all ports, including RDP Ports, and only open them when necessary with sufficient security measures in place.
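The log review the Commission describes above (flagging RDP administrator logons that come from outside the vendor's expected address range, fall outside agreed maintenance hours, or follow a burst of failed attempts against the shared account) can be expressed as a small script. This is an added illustration, not part of the decision or the Organisation's systems; the vendor allowlist, maintenance window, threshold and the logon events are all constructed, and the event shape is a simplified stand-in for Windows Security events 4624/4625.

```python
"""Review RDP logon events for unusual activity (constructed sample data)."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

VENDOR_ALLOWLIST = [ip_network("203.0.113.0/24")]  # hypothetical vendor egress range
MAINTENANCE_HOURS = range(9, 18)                    # approved 09:00-17:59 server local time
FAILED_LOGON_THRESHOLD = 5                          # failures per source before alerting

# Constructed sample events: (timestamp, event_id, account, source_ip).
# 4624 = successful logon, 4625 = failed logon; all assumed to be RDP (logon type 10).
SAMPLE_EVENTS = [
    ("2019-12-03 10:15:02", 4624, "Administrator", "203.0.113.25"),
    ("2019-12-03 23:41:10", 4624, "Administrator", "203.0.113.25"),
] + [
    (f"2019-12-04 02:0{i}:11", 4625, "Administrator", "198.51.100.7") for i in range(5)
] + [
    ("2019-12-04 02:09:44", 4624, "Administrator", "198.51.100.7"),
]


def is_allowlisted(ip: str) -> bool:
    """True when the source address falls inside an approved vendor range."""
    addr = ip_address(ip)
    return any(addr in net for net in VENDOR_ALLOWLIST)


def review_events(events):
    """Return (reason, timestamp, account, source_ip) findings in event order."""
    findings = []
    failures = Counter()  # failed logons per source address
    for ts, event_id, account, src in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            failures[src] += 1
            if failures[src] == FAILED_LOGON_THRESHOLD:  # alert once per source
                findings.append(("failed_logon_burst", ts, account, src))
            continue
        if event_id != 4624:
            continue
        if not is_allowlisted(src):
            findings.append(("source_not_allowlisted", ts, account, src))
        if when.hour not in MAINTENANCE_HOURS:
            findings.append(("outside_maintenance_window", ts, account, src))
    return findings


if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(*finding)
```

Against the sample data the script reports the late-night vendor logon, the burst of five failures from an unknown address, and the successful logon that followed it, which is the kind of activity a periodic review of an exposed RDP port is meant to surface.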

What Was the Outcome?

Based on its findings, the PDPC concluded that the Organisation had contravened section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data stored on the Server.

The PDPC did not impose a financial penalty on the Organisation, as it found that the Organisation had taken prompt remedial actions after the Incident, including decommissioning the affected Server, notifying the affected individuals and the authorities, and implementing various security measures to prevent a recurrence.

Why Does This Case Matter?

This case provides important guidance on the reasonable security arrangements that organisations must implement to fulfill their protection obligation under section 24 of the PDPA, particularly in the context of remote access to systems containing personal data.

The PDPC's decision emphasizes that organisations must carefully assess the risks associated with keeping public-facing ports, such as RDP ports, open, and implement appropriate security measures to mitigate those risks, especially when dealing with large volumes of personal data or sensitive personal data. This includes considering alternative access methods, restricting access, and conducting regular log reviews.

The case also underscores that organisations cannot simply outsource their data protection responsibilities to third-party service providers. Even when an organisation engages a vendor to maintain its IT infrastructure, the organisation remains responsible for ensuring the reasonable protection of the personal data in its possession or under its control.

This decision serves as a valuable reference for organisations in Singapore on the practical steps they must take to fulfill their data protection obligations and avoid potential enforcement action by the PDPC.

Legislation Referenced

  • Personal Data Protection Act

Cases Cited

  • [2017] SGPDPC 12
  • [2020] SGPDPC 15
  • [2020] SGPDPCR 1
  • [2021] SGPDPC 4

Source Documents

This article analyses [2021] SGPDPC 4 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
