Case Details
- Citation: [2019] SGPDPC 43
- Court: Personal Data Protection Commission
- Date: 2019-11-19
- Judges: Mr Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: (1) MSIG Insurance (Singapore) Pte Ltd, (2) Globalsign.in Pte Ltd
- Legal Areas: Data protection – Protection obligation, Data protection – Retention limitation obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 12, [2017] SGPDPC 18, [2019] SGPDPC 2, [2019] SGPDPC 3, [2019] SGPDPC 4, [2019] SGPDPC 10, [2019] SGPDPC 17, [2019] SGPDPC 20, [2019] SGPDPC 28
- Judgment Length: 10 pages, 3,520 words
Summary
This case concerns a data breach incident involving MSIG Insurance (Singapore) Pte Ltd ("MSIG") and its service provider Globalsign.in Pte Ltd ("GSI"). The Personal Data Protection Commission ("PDPC") found that while MSIG had taken reasonable steps to protect the personal data of its customers, GSI had failed to implement adequate security measures to safeguard the personal data stored on its email marketing platform. As a result, the PDPC determined that GSI had breached its obligations under the Personal Data Protection Act 2012 ("PDPA").
What Were the Facts of This Case?
MSIG, an insurance provider, had engaged GSI to send marketing emails to its customers via GSI's "Global2Mail Online Marketing Web Application" (the "G2M") platform. MSIG provided GSI with a list of email addresses and, in some cases, the first and last names of its customers for this purpose.
On 18 August 2017, the administrator account of the G2M platform was accessed without authorization. The intruder was able to access the email addresses and names of individuals (the "Compromised Data") stored on the G2M platform. On 19 August 2017, the G2M platform was used to send spam emails to 359,364 email addresses, including 149,172 email addresses belonging to MSIG's customers (the "Impacted Customers").
After the incident, MSIG and GSI jointly engaged a cybersecurity consultant to investigate. The investigation found that the spam emails did not contain any phishing or malware content, and users who clicked on the links in the emails were simply redirected to a website about winning a lottery.
What Were the Key Legal Issues?
The key legal issues in this case were:
- Whether the Compromised Data included personal data under the PDPA.
- Whether MSIG and GSI had breached their obligations under section 24 of the PDPA to make reasonable security arrangements to protect the personal data in their possession or under their control.
How Did the Court Analyse the Issues?
On the first issue, the PDPC found that the Compromised Data included personal data, as it contained the email addresses and, in some cases, the first and last names of MSIG's customers. The PDPC also noted that even email addresses that did not contain names could be considered personal data if they could be used to identify individuals, such as through an internet search.
On the second issue, the PDPC examined the obligations of MSIG and GSI separately. For MSIG, the PDPC found that the company had complied with its obligations under section 24 of the PDPA. MSIG had imposed security requirements on GSI under their agreement, had the right to inspect and audit GSI, and had followed up with GSI to ensure that the personal data provided was purged after each marketing campaign.
However, the PDPC found that GSI had not made the appropriate security arrangements and was therefore in breach of section 24 of the PDPA. Specifically, GSI had not implemented measures to regularly change passwords for its administrator and client accounts, did not have proper logging mechanisms to track changes to the administrator account, and did not enforce strong password requirements for users.
What Was the Outcome?
Based on its findings, the PDPC determined that GSI had breached its obligations under section 24 of the PDPA and directed the company to implement the following measures:
- Implement a password policy that requires regular password changes for all user accounts, including the administrator account.
- Implement logging mechanisms to track changes to the administrator account and other user accounts.
- Enforce strong password requirements for all user accounts.
- Engage an independent third-party to audit its information security practices and implement any recommendations.
The PDPC did not find MSIG in breach of the PDPA, as the company had taken reasonable steps to ensure the protection of its customers' personal data.
Why Does This Case Matter?
This case highlights how important it is for organizations, particularly those that handle personal data, to have robust security measures in place to protect against data breaches. The PDPC's decision emphasizes that while organizations can outsource certain data processing activities, they remain responsible for ensuring that their service providers implement appropriate security controls.
The case also provides guidance on the specific security measures that organizations should consider, such as regular password changes, strong password requirements, and effective logging mechanisms. These measures are crucial for preventing unauthorized access to personal data and ensuring compliance with the PDPA.
More broadly, this case underscores the PDPC's commitment to enforcing the PDPA and holding organizations accountable for data protection failures, even when the breach occurs at the level of a third-party service provider. It serves as a reminder to all organizations handling personal data in Singapore to prioritize data security and take proactive steps to mitigate the risk of data breaches.
Source Documents
This article analyses [2019] SGPDPC 43 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.