Case Details
- Citation: [2021] SGPDPC 9
- Court: Personal Data Protection Commission
- Date: 2021-08-18
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: J & R Bossini Fashion Pte Ltd
- Legal Areas: Data Protection – Transfer Limitation obligation, Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Regulations 2014
- Cases Cited: [2017] SGPDPC 6, [2019] SGPDPC 18, [2020] SGPDPC 20, [2020] SGPDPC 21, [2021] SGPDPC 9
- Judgment Length: 13 pages, 2,484 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated J & R Bossini Fashion Pte Ltd ("the Organisation") for potential breaches of the Personal Data Protection Act 2012 (PDPA) following a ransomware attack that affected the IT systems of the Organisation's parent company, Bossini International Holdings Limited. The PDPC found that the Organisation had breached both the Transfer Limitation Obligation under Section 26 of the PDPA and the Protection Obligation under Section 24 of the PDPA.
What Were the Facts of This Case?
The Organisation is a Singapore subsidiary of Bossini International Holdings Limited, a Hong Kong-listed company. The Group's IT systems and infrastructure are centrally managed from Hong Kong. Prior to 2017, the Organisation collected personal data from customers and employees in Singapore, including names, NRIC numbers, contact details, and other sensitive information.
In July 2017, the Organisation transferred the customer data ("Customer Data") to a server in Hong Kong as part of a group-level consolidation exercise. The employee data ("Employee Data") remained stored on the Organisation's servers in Singapore. On or around 27 May 2020, the Group's network was compromised in a ransomware attack. The attackers gained access by exploiting a vulnerability in the Group's VPN software, which had not been patched for 9 months. The Customer Data of 154,213 Singapore customers, as well as the Employee Data of 120 employees, were encrypted and rendered inaccessible.
After the incident, the Organisation and its parent company took various remedial actions, including notifying affected customers, upgrading the VPN software, and engaging a third-party security operations centre to monitor the network.
What Were the Key Legal Issues?
The PDPC's investigation focused on two key issues:
1. Whether the Organisation had breached its Transfer Limitation Obligation under Section 26 of the PDPA when it transferred the Customer Data to Hong Kong in 2017 without ensuring the recipient was bound by legally enforceable obligations to provide a comparable standard of data protection.
2. Whether the Organisation had breached its Protection Obligation under Section 24 of the PDPA by failing to make reasonable security arrangements to prevent the unauthorized access and encryption of the Employee Data stored on its Singapore servers during the ransomware attack.
How Did the Court Analyse the Issues?
On the first issue, the PDPC found that the Organisation had failed to comply with Regulation 9(1)(b) of the Personal Data Protection Regulations 2014 (PDPR). This regulation requires an organisation transferring personal data outside of Singapore to take appropriate steps to ensure the recipient is bound by legally enforceable obligations to provide a standard of protection at least comparable to the PDPA.
The PDPC noted that the Organisation had simply transferred the Customer Data to its parent company in Hong Kong upon instruction, without taking any steps to ascertain whether the data would be accorded a comparable level of protection. There was no evidence of any intra-group contracts, binding corporate rules, or other legally binding instruments imposing such obligations on the Hong Kong recipient. Therefore, the PDPC determined that the Organisation had breached the Transfer Limitation Obligation.
On the second issue, the PDPC found that the Organisation had breached its Protection Obligation under Section 24 of the PDPA. The Employee Data on the Organisation's own servers in Singapore was encrypted and rendered inaccessible during the ransomware attack. The attackers reached those servers through a known vulnerability in the Group's VPN software that had been left unpatched for 9 months; leaving a remotely exploitable flaw in the network perimeter unaddressed for that long was not a reasonable security arrangement. That the VPN and the wider IT infrastructure were managed centrally from Hong Kong did not shift responsibility: under Section 24 the Organisation remained responsible for protecting the personal data in its possession or under its control, regardless of which group entity operated the infrastructure.
The PDPC emphasized that under Section 12 of the PDPA (the Accountability Obligation), the Organisation should have developed and implemented group-level policies and practices to ensure compliance with its data protection obligations, particularly for centralized IT functions and intra-group data transfers. The lack of such group-level policies and practices contributed to both the Transfer Limitation and Protection Obligation breaches.
What Was the Outcome?
Based on the findings, the PDPC determined that the Organisation had breached both the Transfer Limitation Obligation under Section 26 of the PDPA and the Protection Obligation under Section 24 of the PDPA. The PDPC did not impose any financial penalty, but directed the Organisation to review and enhance its data protection policies and practices to ensure compliance with the PDPA.
Why Does This Case Matter?
This case highlights the importance, for organisations operating as part of a corporate group, of having robust data protection policies and practices in place at the group level. The PDPC emphasised that group-level written policies, intra-group agreements, or binding corporate rules are essential to ensure consistent data protection standards across all members of the group, especially for centralised IT functions and intra-group data transfers.
The case also underscores the need for organisations to maintain the security of their IT systems and to address known vulnerabilities promptly. The 9-month failure to patch the VPN software was the key factor that enabled the ransomware attack and hence the breach of the Protection Obligation. For practitioners the point is practical: an internet-facing VPN gateway is a perimeter device whose known vulnerabilities are routinely exploited for initial access, so patch timeliness for such devices should be tracked and verified, and a subsidiary whose infrastructure is run centrally should still be able to confirm, not merely assume, that patches have been applied.
Overall, this decision provides useful guidance for organisations on their obligations under the PDPA, particularly in the context of cross-border data transfers and data security arrangements. It is a reminder that a breach finding and directions can follow even where the PDPC decides that a financial penalty is not warranted.
Legislation Referenced
- Personal Data Protection Act 2012
- Personal Data Protection Regulations 2014
Cases Cited
- [2017] SGPDPC 6
- [2019] SGPDPC 18
- [2020] SGPDPC 20
- [2020] SGPDPC 21
- [2021] SGPDPC 9
Source Documents
This article analyses [2021] SGPDPC 9 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commission's complete reasoning.