
PINC Interactive Pte. Ltd [2022] SGPDPC 1

Analysis of [2022] SGPDPC 1, a decision of the Personal Data Protection Commission on 2022-02-04.

Case Details

  • Citation: [2022] SGPDPC 1
  • Court: Personal Data Protection Commission
  • Date: 2022-02-04
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: PINC Interactive Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation, Data Protection – Accountability obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2019] SGPDPC 31, [2022] SGPDPC 1
  • Judgment Length: 8 pages, 2,020 words

Summary

In this case, the Personal Data Protection Commission (PDPC) found that PINC Interactive Pte. Ltd. (the Organisation) breached its obligations under the Personal Data Protection Act 2012 (PDPA) by failing to implement reasonable security arrangements to protect the personal data of its users, and by lacking adequate data protection policies and practices.

The key issues were the Organisation's failure to secure personal data stored on its employees' personal devices, and its decision to use real user data in a staging environment without proper access controls. The PDPC imposed a financial penalty of $12,500 on the Organisation after considering both aggravating and mitigating factors.

This case highlights the importance of organisations taking comprehensive measures to protect personal data, including implementing robust security practices and having clear data protection policies in place to guide employees.

What Were the Facts of This Case?

The website www.pincstyle.com was created and managed by PINC Interactive Pte. Ltd. (the Organisation) at the relevant time. In February 2020, the PDPC received feedback about a Twitter post that revealed the personal data of users of the website had been exposed.

Investigations revealed that in October 2019, a database comprising 252,813 records, including the personal data of 3,916 actual users, was accessed and exfiltrated from the Organisation's staging servers (the "Staging Database"). The Staging Database contained a mix of real user data and synthetic "dummy" data.

The PDPC identified two likely causes of the incident. First, the Organisation's developers had retained copies of the Staging Database on their personal devices, and the database was compromised when the developers' computers were breached. Second, the Organisation had not required authentication to access the Application Programming Interface (API) that pointed to the Staging Database, despite the database containing real user data.

After the incident, the Organisation took remedial actions such as updating the API with new authentication keys, limiting access to the authentication keys, initiating a password reset for affected users, and instructing developers to delete their local copies of the Staging Database.

The key legal issues in this case were whether the Organisation had breached its obligations under the PDPA, specifically:

1. The Protection Obligation (section 24 of the PDPA): The PDPC examined whether the Organisation had made reasonable security arrangements to protect the personal data in the Staging Database from unauthorized access, disclosure, or similar risks.

2. The Accountability Obligation (section 12(a) of the PDPA): The PDPC considered whether the Organisation had developed and implemented the necessary data protection policies and practices to meet its obligations under the PDPA.

How Did the Court Analyse the Issues?

Regarding the Protection Obligation, the PDPC found that the Organisation failed to implement reasonable security arrangements in several ways:

First, the Organisation allowed its employees (the developers) to store local copies of the Staging Database on their personal devices, without implementing any additional security requirements. The PDPC noted that this constituted a breach of the Protection Obligation, as the Staging Database contained the personal data of real users.

Second, the Organisation merely instructed its employees to use strong passwords on their personal devices, but did not verify or monitor the security measures implemented by the developers. The PDPC highlighted that the Organisation was unable to provide details on the antivirus software and updates used by the developers.

Third, the PDPC found that the Organisation breached the Protection Obligation by using real user data in the Staging Database, but failing to require authentication for access to the Staging API. The PDPC noted that the Organisation should have either used 100% synthetic data or anonymized the real user data in the Staging Database if it did not wish to require authentication.

Regarding the Accountability Obligation, the PDPC found that the Organisation did not have any data protection policies or practices in place for its "non-technical" employees who had access to "public user data". The PDPC emphasized the critical role that data protection policies and practices play in increasing awareness and ensuring accountability of an organisation's obligations under the PDPA.

What Was the Outcome?

Based on the findings, the PDPC determined that the Organisation had breached both the Protection Obligation and the Accountability Obligation under the PDPA.

In determining the appropriate financial penalty, the PDPC considered aggravating factors, such as the Organisation's failure to implement adequate security measures for the personal data stored on its employees' devices, as well as mitigating factors, such as the Organisation's cooperation during the investigation and the implementation of remedial actions.

After considering the Organisation's representations, the PDPC imposed a reduced financial penalty of $12,500 on the Organisation.

Why Does This Case Matter?

This case is significant for several reasons:

1. It emphasizes the importance of organisations taking comprehensive measures to protect personal data, including implementing robust security practices and having clear data protection policies in place to guide employees.

2. The case highlights the PDPC's stance that organisations cannot simply rely on instructing employees to use strong passwords or install antivirus software on their personal devices. Organisations have a duty to verify and monitor the security measures implemented by their employees to ensure the adequate protection of personal data.

3. The decision reinforces the PDPC's view that using real user data in non-production environments, such as staging or testing environments, without proper access controls, is a breach of the Protection Obligation. Organisations should use synthetic or anonymized data in such environments to mitigate the risks of data breaches.

4. The case underscores the PDPC's emphasis on the critical role of data protection policies and practices in ensuring that organisations and their employees are aware of and can comply with their obligations under the PDPA.
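The decision's point about staging data (points 3 above, and the PDPC's remark that the Organisation should have used fully synthetic or anonymised data if it did not want to put authentication in front of the Staging API) is easy to state and easy to get wrong in practice. The script below is an added illustration, not code from the decision or from PINC Interactive, of one defensible way to prepare a staging copy: direct identifiers (name, e-mail, phone) are replaced with keyed pseudonyms or dropped, foreign keys still join because the pseudonym is deterministic within a run, and a gate refuses to ship the dump if any real identifier survives. The table layout, field names and PIPELINE_SECRET value are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data standing in for a production export (fictional users and orders).
PRODUCTION_USERS = [
    {"id": 1, "name": "Alice Tan", "email": "alice.tan@example.com", "phone": "+65 8123 4567", "plan": "premium"},
    {"id": 2, "name": "Bob Lim", "email": "bob.lim@example.com", "phone": "+65 9123 4567", "plan": "free"},
    {"id": 3, "name": "Carol Ng", "email": "carol.ng@example.com", "phone": "", "plan": "free"},
]
PRODUCTION_ORDERS = [
    {"order_id": 1001, "user_email": "alice.tan@example.com", "amount_sgd": 89.90},
    {"order_id": 1002, "user_email": "bob.lim@example.com", "amount_sgd": 12.00},
    {"order_id": 1003, "user_email": "alice.tan@example.com", "amount_sgd": 45.50},
]

# Assumption: this key lives only in the anonymisation job and is never deployed to staging,
# so a staging token cannot be reversed or linked to a real user without it. Placeholder value.
PIPELINE_SECRET = b"PLACEHOLDER-pipeline-secret-rotate-me"

DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonym(field: str, value: str) -> str:
    """Keyed, deterministic token: the same real value always maps to the same token within a
    run, so foreign keys across tables keep joining, but the mapping is not computable without
    PIPELINE_SECRET (unlike a plain SHA-256 of an e-mail address, which can be guessed)."""
    msg = f"{field}:{value.strip().lower()}".encode()
    return hmac.new(PIPELINE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def anonymise_user(user: dict) -> dict:
    safe = dict(user)
    safe["name"] = "user-" + pseudonym("name", user["name"])
    # .invalid is reserved (RFC 2606), so a staging mail-out can never reach a real inbox.
    safe["email"] = pseudonym("email", user["email"]) + "@staging.invalid"
    safe["phone"] = ""  # staging does not need it: drop rather than disguise
    return safe


def anonymise_order(order: dict) -> dict:
    safe = dict(order)
    safe["user_email"] = pseudonym("email", order["user_email"]) + "@staging.invalid"
    return safe


def build_staging_dataset(users, orders):
    return [anonymise_user(u) for u in users], [anonymise_order(o) for o in orders]


def leaked_identifiers(real_users, *staging_tables):
    """Gate run before the dump is loaded into staging: list every real direct identifier
    that still appears anywhere in the anonymised tables. An empty list means safe to ship."""
    dump = "\n".join(str(row) for table in staging_tables for row in table).lower()
    leaks = []
    for u in real_users:
        for field in DIRECT_IDENTIFIERS:
            value = str(u[field]).strip().lower()
            if value and value in dump:
                leaks.append((u["id"], field))
    return leaks


if __name__ == "__main__":
    users, orders = build_staging_dataset(PRODUCTION_USERS, PRODUCTION_ORDERS)
    print("staging users:", users)
    print("leaked identifiers:", leaked_identifiers(PRODUCTION_USERS, users, orders) or "none")
```

Two design choices carry the weight here. The pseudonym is an HMAC rather than a bare hash because an unkeyed hash of an e-mail address is trivially recomputed by anyone who can guess the address, which would undo the anonymisation; and the leak gate runs on the serialised output rather than on a fixed list of columns, so an identifier copied into an unexpected field (a free-text note, a log column) is still caught. Even with this in place, the decision's other finding still stands: a staging API that serves personal data needs authentication regardless of how the data got there.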

This judgment serves as a valuable precedent for organisations to review and strengthen their data protection practices, particularly in relation to securing personal data stored on employee devices and the use of real user data in non-production environments.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2019] SGPDPC 31
  • [2022] SGPDPC 1

Source Documents

This article analyses [2022] SGPDPC 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
