Case Details
- Citation: [2020] SGPDPCR 1
- Court: Personal Data Protection Commission
- Date: 2020-02-14
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Chizzle Pte Ltd
- Legal Areas: Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 12, [2018] SGPDPC 26, [2019] SGPDPC 1, [2019] SGPDPC 44, [2020] SGPDPCR 1
- Judgment Length: 8 pages, 1,627 words
Summary
In this case, the Personal Data Protection Commission (PDPC) affirmed its previous decision that Chizzle Pte Ltd (the "Organisation") had breached its obligations under the Personal Data Protection Act 2012 (PDPA) to make reasonable security arrangements to protect personal data in its possession. The Organisation had suffered a data breach where an unauthorized party gained access to its servers, deleted a database containing personal data, and left a ransom demand. The PDPC rejected the Organisation's arguments that it had taken sufficient security measures and imposed a financial penalty of $8,000, as well as other compliance directives.
What Were the Facts of This Case?
In the earlier decision of Re Chizzle Pte Ltd [2019] SGPDPC 44, the PDPC had found that the Organisation was in breach of section 24 of the PDPA. Briefly, an unauthorized party had gained access to the Organisation's servers, deleted a database (referred to as the "Chizzle Database") which contained certain personal data (referred to as the "Compromised Personal Data"), and left a ransom demand (the "Incident").
The PDPC had found that the Organisation failed to make reasonable security arrangements to protect the personal data in its possession and/or control. It directed the Organisation to pay a financial penalty of $8,000 and undertake various measures to ensure its compliance with the PDPA.
The Organisation has now submitted an application for reconsideration of the earlier decision (the "Application"). The Application appears to be a request for all the directions imposed to be lifted or, in the alternative, a reduction in the quantum of the financial penalty imposed.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the Organisation was in breach of its obligations under section 24 of the PDPA to make reasonable security arrangements to protect personal data in its possession.
2. Whether the financial penalty of $8,000 imposed on the Organisation should be reduced.
How Did the Court Analyse the Issues?
On the first issue, the PDPC rejected the Organisation's arguments that it had taken appropriate security measures. The PDPC found that the matters raised by the Organisation, such as hosting its IT infrastructure on Amazon Web Services, implementing the Cloudflare tool, and using a complex password, did not demonstrate that it had fulfilled its obligations under section 24 of the PDPA.
The PDPC explained that the unauthorized access to the Organisation's system was through the phpMyAdmin tool, which was under the Organisation's direct control, and not a result of vulnerabilities at the hosting service level. The PDPC stated that the Organisation is not absolved from its failure to protect personal data merely because the security of its system was deliberately breached by an external malicious actor.
Furthermore, the PDPC found that the password used by the Organisation, while meeting recommended complexity rules, was in fact a weak password that was guessable and vulnerable to brute-force attacks. The PDPC also noted that the Organisation had failed to conduct any security review of its system, as required by past PDPC decisions.
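The finding that a password can satisfy complexity rules and still be guessable is easy to demonstrate. The following is an added illustration, not code from the decision or from the Organisation's systems: a small policy check that combines the usual complexity rule with a naive entropy estimate and a test for "dressed-up" common words (case changes, appended digits or symbols, leet substitutions). The word list, the leet map and the 60-bit threshold are constructed assumptions for the example; a real check would use a large breached-password corpus. The sample passwords are also constructed and are not the password at issue in the case.

```python
import math
import string

# Constructed, illustrative list of base words that wordlist-driven guessing
# tries first. A real deployment would consult a large breached-password corpus.
COMMON_BASE_WORDS = {"password", "welcome", "admin", "letmein", "qwerty",
                     "secret", "summer", "company"}

# Substitutions that guessing rules routinely undo ("leet-speak"), so that
# P@ssw0rd is treated as the same base word as password. Assumed mapping.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed policy threshold: below this many naive bits a password is called weak.
MIN_BITS = 60


def meets_complexity_rules(pw: str) -> bool:
    """A typical 'complexity' policy: at least 8 characters drawn from upper
    case, lower case, digits and symbols. Passing this is the kind of rule
    the decision says the Organisation's password satisfied."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def naive_entropy_bits(pw: str) -> float:
    """Entropy if every character were chosen uniformly from the character
    classes present. This over-estimates the strength of human-chosen passwords."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def dictionary_hit(pw: str) -> bool:
    """True if the password is a common base word decorated with case changes,
    digits, symbols or leet substitutions, i.e. within easy reach of a
    wordlist-plus-rules guessing attack."""
    core = pw.lower().translate(LEET_MAP)
    return any(word in core for word in COMMON_BASE_WORDS)


def assess(pw: str) -> dict:
    """Combine the three signals. A password is only 'strong' when it passes the
    complexity rules, has enough naive entropy AND is not a dressed-up common word."""
    rules_ok = meets_complexity_rules(pw)
    bits = naive_entropy_bits(pw)
    hit = dictionary_hit(pw)
    verdict = "weak" if (hit or not rules_ok or bits < MIN_BITS) else "strong"
    return {"meets_complexity_rules": rules_ok,
            "naive_entropy_bits": round(bits, 1),
            "dictionary_hit": hit,
            "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample passwords; none are from the decision.
    for candidate in ("P@ssw0rd2019!", "Welcome1", "xK9#vQ2mL!p7Rz"):
        print(candidate, assess(candidate))
```

The point the first sample makes is the one the PDPC made: `P@ssw0rd2019!` passes every complexity rule and scores over 80 naive bits, yet it is a common word with predictable decorations and is rejected as weak. Only the random third sample, which passes the rules, clears the entropy threshold and matches no base word, is rated strong. A check of this shape belongs wherever administrative credentials (such as those for a database administration tool) are set.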
On the second issue, the PDPC rejected the Organisation's arguments for a reduction in the financial penalty. The PDPC stated that the matters raised by the Organisation, such as being an early-stage startup with insignificant revenues, promptly notifying the PDPC and consumers of the breach, and complying with the PDPC's directives, had already been taken into account in the earlier decision and did not warrant a further reduction.
The PDPC also rejected the Organisation's argument that it was a victim of a hacking and ransom attempt, stating that this does not absolve the Organisation from its obligations under the PDPA. The PDPC affirmed the directions in the earlier decision, including the $8,000 financial penalty, and stated that the timelines for the Organisation to comply with the directions shall take effect from the date of this reconsideration decision.
What Was the Outcome?
The PDPC affirmed the directions in the earlier decision, including the $8,000 financial penalty imposed on the Organisation. The PDPC rejected the Organisation's arguments that it had taken sufficient security measures and that the financial penalty should be reduced. The Organisation is required to comply with the directions set out in the earlier decision, with the timelines for compliance taking effect from the date of this reconsideration decision.
Why Does This Case Matter?
This case is significant for several reasons:
1. It reinforces the PDPC's strict interpretation of the "reasonable security arrangements" requirement under section 24 of the PDPA. The PDPC has made it clear that organizations cannot simply rely on industry-standard practices or the use of third-party service providers to absolve themselves of their data protection obligations. They must actively review and address the security vulnerabilities within their own systems and processes.
2. The case highlights the importance of conducting regular security reviews, even for organizations that may not consider themselves to be high-risk. The PDPC emphasized that a failure to conduct such reviews can lead to a breach of the PDPA, as the organization may miss critical security vulnerabilities.
3. The decision sends a strong message that organizations will be held accountable for data breaches, even if they are the victims of a deliberate hacking or ransomware attack. The PDPA requires organizations to implement appropriate security measures to protect personal data, regardless of the source of the breach.
4. The case provides guidance on the factors the PDPC will consider in determining the appropriate financial penalty for PDPA breaches. While the PDPC may take into account mitigating factors such as the organization's size and financial situation, these will not automatically result in a reduced penalty if the breach is serious and the organization has failed to fulfill its obligations under the PDPA.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2018] SGPDPC 12
- [2018] SGPDPC 26
- [2019] SGPDPC 1
- [2019] SGPDPC 44
- [2020] SGPDPCR 1
Source Documents
This article analyses [2020] SGPDPCR 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.