
Stylez Pte Ltd [2021] SGPDPC 8

Analysis of [2021] SGPDPC 8, a decision of the Personal Data Protection Commission on 2021-08-04.

Case Details

  • Citation: [2021] SGPDPC 8
  • Court: Personal Data Protection Commission
  • Date: 2021-08-04
  • Judges: Lew Chuen Hong, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Stylez Pte Ltd
  • Legal Areas: Data Protection – Protection obligation, Data Protection – Accountability obligation, Data Protection – Retention Limitation obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2021] SGPDPC 8
  • Judgment Length: 8 pages, 1,876 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated Stylez Pte Ltd, the operator of the iCompare.sg quotation and service comparison portal, for breaches of the Personal Data Protection Act 2012 (PDPA). The investigation was prompted by a news report that data from the portal had been uploaded onto the Dark Web. The PDPC found that Stylez Pte Ltd had failed to implement reasonable security arrangements to protect the personal data in a testing database, had not developed and implemented adequate internal data protection policies, and had retained personal data beyond the purpose for which it was collected without justification. As a result, the PDPC imposed a financial penalty of $37,500 on the organization.

What Were the Facts of This Case?

Stylez Pte Ltd operated the iCompare.sg portal, which allowed users to obtain quotations and compare services. In July 2016, the organization created a new database containing data from the portal for the purposes of testing a new function in a separate test environment. This "Testing Database" contained records of the portal's renovation and interior design clients from 2009 to 2016, including their names, email addresses, and phone numbers.

Investigations revealed that the data in the Testing Database was accessed and uploaded onto the Dark Web sometime before December 2019. A total of 9,983 individuals' personal data was exposed in this incident. The organization's production and backup databases, which were hosted on separate servers, were not affected.

After being notified of the incident, the organization took several remedial actions, including deleting the Testing Database, running a malware scan, updating the server's operating system, and installing a website security scanning tool. The affected individuals were also notified.

The key legal issues in this case were whether Stylez Pte Ltd had breached its obligations under the PDPA, specifically:

1. The Protection Obligation: The requirement to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal.

2. The Accountability Obligation: The requirement to develop and implement policies and practices that are necessary for the organization to meet its obligations under the PDPA.

3. The Retention Limitation Obligation: The requirement to cease retaining data in a form that can identify the individual if the purpose of collection no longer exists, and if no business or legal reason exists for retention.

How Did the Court Analyse the Issues?

On the Protection Obligation, the PDPC found that Stylez Pte Ltd failed to implement reasonable security arrangements to protect the personal data in the Testing Database. Firstly, the database was stored in a publicly accessible directory on the server without any access controls, making it directly accessible from the internet and crawled by search engines. The organization incorrectly believed that activating an anti-indexing function would have been sufficient; it failed to understand that anti-indexing merely asks search engines not to list a location, whereas access control is what stops a direct request for the file from succeeding.

Secondly, privileged access to the server was not adequately secured. The IT administrator's account had a strong password, but there was no limit on the number of unsuccessful login attempts, leaving it exposed to brute-force attacks. Additionally, the password was stored in plain text in the administrator's email account, and no two-factor authentication was in place.

Thirdly, the personal data in the Testing Database was stored in an unencrypted format for over two and a half years, which the PDPC found to be unacceptable, as production data should not be held in less secure development environments for extended periods.

On the Accountability Obligation, the PDPC found that while Stylez Pte Ltd had developed an external data protection policy, it failed to implement corresponding internal policies and documented practices to give effect to the standards it had communicated to customers and prospective customers. The organization's reliance on verbal reminders to staff was deemed inadequate.

Regarding the Retention Limitation Obligation, the PDPC rejected the organization's justification for retaining the Testing Database for business analysis purposes. The PDPC found that the stated purposes did not require the retention of data that could identify individuals, and that the data could have been aggregated or anonymized instead.
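As an added illustration of the aggregation the PDPC describes (not code from the decision or from the organization), the following Python turns an identifiable client export into per-year, per-service counts and refuses to emit anything that still names a person; the field names, sample records and small-cell threshold are assumptions.

```python
"""Turn an identifiable client export into an aggregate fit for business analysis.

Added illustration of the Retention Limitation point: analysis of enquiry
volumes needs no names, emails or phone numbers.  Field names, the
small-cell threshold and the sample records are assumptions, not taken
from the decision.
"""
from collections import Counter

IDENTIFYING_FIELDS = {"name", "email", "phone"}

# Constructed records standing in for a testing-database export.
SAMPLE_RECORDS = [
    {"name": "A. Tan", "email": "a.tan@example.com", "phone": "+65 8000 0001",
     "service": "renovation", "created": "2009-03-14"},
    {"name": "B. Lim", "email": "b.lim@example.com", "phone": "+65 8000 0002",
     "service": "renovation", "created": "2009-11-02"},
    {"name": "C. Ng", "email": "c.ng@example.com", "phone": "+65 8000 0003",
     "service": "renovation", "created": "2009-12-20"},
    {"name": "D. Koh", "email": "d.koh@example.com", "phone": "+65 8000 0004",
     "service": "interior design", "created": "2016-05-09"},
]


def aggregate(records, min_cell=3):
    """Count enquiries per (year, service); fold cells below min_cell together.

    Small cells are reported as one combined total rather than per category,
    so a single unusual client cannot be singled out from the counts.
    """
    counts = Counter((r["created"][:4], r["service"]) for r in records)
    rows, suppressed = [], 0
    for (year, service), n in sorted(counts.items()):
        if n < min_cell:
            suppressed += n
        else:
            rows.append({"year": year, "service": service, "enquiries": n})
    if suppressed:
        rows.append({"year": "*", "service": "*", "enquiries": suppressed})
    return rows


def has_identifiers(rows):
    """True if any row still carries a field that names a person."""
    return any(IDENTIFYING_FIELDS & set(row) for row in rows)


def analysis_extract(records, min_cell=3):
    """Aggregate, then refuse to emit output that still identifies a person."""
    rows = aggregate(records, min_cell)
    if has_identifiers(rows):
        raise ValueError("extract still contains identifying fields")
    return rows
```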

What Was the Outcome?

Based on the findings, the PDPC determined that Stylez Pte Ltd had breached the Protection Obligation, the Accountability Obligation, and the Retention Limitation Obligation under the PDPA. As a result, the PDPC imposed a financial penalty of $37,500 on the organization, to be paid in 12 monthly installments.

The PDPC considered several aggravating factors, including the large number of individuals affected, the age of the data (up to 10 years old), and the organization's misrepresentation of its internal data protection policies and practices. Mitigating factors included the organization's prompt remedial actions and its cooperation during the investigation.

Why Does This Case Matter?

This case is significant for several reasons. Firstly, it highlights the importance of implementing robust security measures to protect personal data, even in non-production environments. Organizations must understand the difference between anti-indexing and access control, and ensure that all data repositories are properly secured, regardless of their purpose.

Secondly, the case emphasizes the need for organizations to develop and implement comprehensive internal data protection policies and practices, not just external-facing policies. Mere verbal reminders to staff are insufficient to demonstrate compliance with the Accountability Obligation under the PDPA.

Lastly, the case underscores the PDPC's strict interpretation of the Retention Limitation Obligation. Organizations must carefully evaluate the continued need for retaining personal data and be prepared to justify any retention beyond the original purpose of collection, even if the data is used for other business purposes.

This decision serves as a valuable precedent for organizations in Singapore, highlighting the PDPC's expectations and the potential consequences of non-compliance with the PDPA. It is a clear reminder that data protection obligations must be taken seriously, and that organizations should proactively review and strengthen their data protection practices to avoid similar enforcement actions.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2021] SGPDPC 8

Source Documents

This article analyses [2021] SGPDPC 8 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
