Case Details
- Citation: [2023] SGPDPCS 1
- Court: Personal Data Protection Commission
- Date: 2023-05-11
- Judges: N/A
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Kingsforce Management Services Pte Ltd
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2020] SGPDPC 15, [2023] SGPDPCS 1, [2023] SGPDPCS1 3, [2023] SGPDPCS1 4, [2023] SGPDPCS1 5
- Judgment Length: 5 pages, 890 words
Summary
This case involves an investigation by the Singapore Personal Data Protection Commission (the "Commission") into a data breach incident at Kingsforce Management Services Pte Ltd (the "Organisation"). The Organisation reported that its jobseeker database, containing approximately 54,900 records, had been accessed and the data sold on the RaidForums website. The Commission found that the Organisation had breached its protection obligation under the Personal Data Protection Act (PDPA) by failing to implement reasonable security measures to prevent unauthorized access and disclosure of the personal data in its possession.
What Were the Facts of This Case?
On 31 January 2022, the Commission was notified by the Organisation of the sale on RaidForums, on or about 27 December 2021, of data from its jobseeker database (the "Incident"). The affected database held approximately 54,900 jobseeker datasets, comprising name, address, email address, telephone number, date of birth, job qualifications, last and expected salary, highest qualification and other data related to job searches.
External cyber security investigators identified outdated website coding technology, with critical vulnerabilities, as the cause of the Incident. The Organisation admitted that work had not been completed on the website at launch due to contractual disputes with the developer. The Organisation subsequently engaged IT maintenance vendors in an effort to ensure the security of the website, but the maintenance had been ad-hoc and limited to troubleshooting functionality issues from bugs, glitches and/or when a page failed to load.
The Commission accepted the Organisation's request for handling under its expedited breach decision procedure. The Organisation voluntarily provided, and unequivocally admitted to, the facts set out in the decision, and admitted to a breach of section 24 of the PDPA.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its protection obligation under section 24(a) of the PDPA. Section 24(a) requires an organisation to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks."
The Commission identified two specific breaches of the protection obligation by the Organisation: (1) failure to provide sufficient clarity and specifications to its vendors on how to protect its database and personal data, and (2) failure to conduct reasonable periodic security reviews, including vulnerability scans, since the launch of its website.
How Did the Court Analyse the Issues?
In analysing the first breach, the Commission referred to its previous decision in Re Civil Service Club, where it had pointed out that organisations engaging IT vendors can provide clarity and emphasize the need for personal data protection by (a) making it part of their contractual terms, and (b) reviewing the requirements specifications to ensure that personal data protection is reflected in the design of the end-product. The Commission also noted that an organisation is expected to exercise reasonable oversight over its vendor during the course of the engagement to ensure the vendor is protecting the personal data.
Regarding the second breach, the Commission stated that the requirement for and scope of reasonable periodic security reviews had long been established in its published decisions, such as Re WTS Automotive Services Pte Ltd, Re Bud Cosmetics Pte Ltd, and Re Watami Food Service Singapore Pte Ltd. The Commission also referenced its Guide to Data Protection Practices for ICT Systems, which emphasizes the need to periodically conduct web application vulnerability scanning and assessments, post deployment, as a basic practice to ensure compliance with the Protection Obligation under the PDPA.
The Commission found that the Organisation had failed to meet these established standards and, as a result, had breached the Protection Obligation under section 24(a) of the PDPA.
What Was the Outcome?
In deciding the enforcement action, the Commission considered the Organisation's efforts towards website security, cooperation throughout the investigation, voluntary admission of breach of the Protection Obligation, and the prompt remediation taken. This included the immediate suspension of the Organisation's website and the engagement of a new developer to develop a new and enhanced web application.
The Commission directed the Organisation to submit a plan within 21 days to ensure regular patching, updates and upgrades for all software and firmware supporting its website(s) and applications through which personal data may be accessed. The Organisation was also required to outline the implementation steps and deadlines to ensure the entire implementation is completed within 60 days.
Why Does This Case Matter?
This case is significant for several reasons:
Firstly, it reinforces the Commission's established position that organisations engaging IT vendors must provide clear contractual terms and specifications to ensure the protection of personal data. Organisations cannot simply outsource their data protection obligations and must exercise reasonable oversight over their vendors.
Secondly, the case emphasizes the importance of conducting regular security reviews and vulnerability assessments, even after the initial deployment of a website or application. Organisations cannot simply rely on the initial security measures and must proactively monitor and address any emerging vulnerabilities.
Lastly, the case demonstrates the Commission's willingness to take enforcement action against organisations that fail to meet their data protection obligations, even where the organisation has cooperated and taken prompt remedial action. This sends a clear message to businesses that they must take their data protection responsibilities seriously and implement appropriate security measures to protect the personal data in their possession.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2020] SGPDPC 15 (Re Civil Service Club)
- [2019] PDP Digest 317 (Re WTS Automotive Services Pte Ltd)
- [2019] PDP Digest 351 (Re Bud Cosmetics Pte Ltd)
- [2019] PDP Digest 221 (Re Watami Food Service Singapore Pte Ltd)
Source Documents
This article analyses [2023] SGPDPCS 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.