Case Details
- Citation: [2023] SGPDPC 4
- Court: Personal Data Protection Commission
- Date: 2023-03-14
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: The Law Society of Singapore
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Legal Profession Act
- Cases Cited: [2016] SGPDPC 191, [2018] SGPDPC 265, [2019] SGPDPC 3, [2020] SGPDPC 9, [2020] SGPDPCR 1, [2022] SGPDPC 3, [2023] SGPDPC 4
- Judgment Length: 11 pages, 2,631 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated the Law Society of Singapore (the Organisation) following a ransomware attack that encrypted the personal data of its members. The PDPC examined whether the Organisation had breached its obligation under the Personal Data Protection Act (PDPA) to make reasonable security arrangements to protect the personal data in its possession.
The PDPC found that while the Organisation had taken some security measures, it had failed to implement adequate password policies and conduct regular security reviews, thereby breaching its protection obligation under the PDPA. However, the PDPC determined that the Organisation was not responsible for the failure to patch a known vulnerability in its VPN system, as it had reasonably relied on its IT vendor to perform this task.
The case highlights the importance of organisations maintaining robust data protection practices, including strong password policies and regular security assessments, even when relying on third-party service providers for IT support.
What Were the Facts of This Case?
The Law Society of Singapore is a body corporate established under the Legal Profession Act 1966 that represents members of the legal profession in Singapore. The Organisation stored the personal data of its current and former members, including their full names, residential addresses, dates of birth, and NRIC numbers.
On 4 February 2021, the Organisation notified the PDPC of a ransomware attack on its servers that had encrypted and denied the Organisation access to the personal data of its members. The PDPC commenced an investigation to determine whether the Organisation had breached its obligations under the PDPA.
The investigation revealed that the threat actor had gained access to the account of the Organisation's IT administrator (the "compromised admin account") and used it to create a new account with full administrative privileges. The threat actor then executed the ransomware attack, encrypting the contents of the Organisation's servers.
The Organisation had implemented various security measures, including a secure VPN solution, antivirus/malware detection software, and password complexity requirements. It had also engaged an IT vendor to provide support services, including maintenance of the VPN system.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had breached its obligation under Section 24 of the PDPA to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks (the "Protection Obligation").
Specifically, the PDPC investigated three potential attack vectors that could have led to the threat actor gaining access to the compromised admin account: brute-force attacks, phishing emails, and exploitation of a vulnerability in the Organisation's VPN system.
How Did the Court Analyse the Issues?
The PDPC's analysis focused on whether the Organisation had discharged its Protection Obligation under the PDPA.
Regarding the vulnerability in the VPN system, the PDPC found that the Organisation had reasonably relied on its IT vendor to perform the necessary software patching, as this responsibility had been explicitly outsourced to the vendor by contract. The PDPC recognized that organisations may need to depend on vendors' technical expertise in certain areas and that the Organisation had put in place a system to monitor the vendor's activities. Therefore, the PDPC concluded that the Organisation had not breached its Protection Obligation in this regard.
However, the PDPC found that the Organisation had breached its Protection Obligation in other aspects. Specifically, the PDPC determined that the password for the compromised admin account, "Welcome2020lawsoc," was a weak password vulnerable to dictionary attacks, despite meeting the Organisation's own password complexity requirements. The PDPC emphasized that a password's strength should be assessed not just by its technical complexity, but also by its susceptibility to common attacks.
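The distinction the PDPC draws, a password that satisfies a complexity rule yet falls to a dictionary attack, can be checked mechanically. The following is an added illustration, not code from the decision or the Organisation; the complexity rule, the short wordlist and the organisation token "lawsoc" are assumptions, since the decision does not spell out the actual policy.

```python
import re

# Constructed, illustrative wordlist; a real check uses large breach/dictionary lists.
COMMON_WORDS = ("welcome", "password", "admin", "letmein", "qwerty", "login")
# Substitutions that cracking rules undo before dictionary matching (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """A typical complexity rule (assumed): length plus upper, lower and digit classes."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def dictionary_findings(pw: str, org_tokens=()) -> list:
    """Reasons a password is guessable by a dictionary-plus-rules attack, in a fixed order."""
    findings = []
    norm = pw.lower().translate(LEET)          # fold case and common substitutions
    for word in COMMON_WORDS:
        if word in norm:
            findings.append(f"contains common word '{word}'")
    if re.search(r"(19|20)\d{2}", pw):         # years are a standard rule-based suffix
        findings.append("contains a year")
    for token in org_tokens:                   # organisation names are guessed first
        if token.lower() in norm:
            findings.append(f"contains organisation token '{token}'")
    return findings


def assess(pw: str, org_tokens=()) -> dict:
    """Report both views so a policy reviewer sees where they disagree."""
    return {
        "complexity_ok": meets_complexity(pw),
        "dictionary_findings": dictionary_findings(pw, org_tokens),
    }


if __name__ == "__main__":
    # The password from the decision passes the assumed complexity rule but not the
    # dictionary check; the second value is a constructed passphrase that passes both.
    for candidate in ("Welcome2020lawsoc", "Quartz7Lantern!Meadow"):
        print(candidate, assess(candidate, org_tokens=("lawsoc",)))
```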
Additionally, the PDPC found that the Organisation had failed to conduct reasonable periodic security reviews to identify and address potential vulnerabilities, which was a breach of its Protection Obligation under the PDPA.
What Was the Outcome?
Based on its findings, the PDPC concluded that the Organisation had breached its Protection Obligation under the PDPA by failing to implement adequate password policies and conduct regular security reviews, despite having taken other security measures.
The PDPC, however, determined that the Organisation was not responsible for the failure to patch the vulnerability in its VPN system, as it had reasonably relied on its IT vendor to perform this task.
Why Does This Case Matter?
This case is significant for several reasons:
First, it underscores the importance of organizations maintaining robust data protection practices, even when relying on third-party service providers for IT support. While the PDPC recognized that organizations may need to depend on vendors' technical expertise in certain areas, it emphasized that organizations must still exercise reasonable oversight and have clear contractual arrangements to ensure the vendor's performance.
Second, the case highlights the need for organizations to assess the strength of their password policies beyond just technical complexity. The PDPC's finding that the admin password was weak despite meeting the Organisation's own complexity requirements serves as a reminder that password security should also consider common attack vectors and susceptibility to dictionary attacks.
Finally, the case reinforces the PDPC's expectation that organizations must conduct regular security reviews to identify and address potential vulnerabilities, even if they have implemented other security measures. This ongoing assessment and improvement of data protection practices is crucial for organizations to fulfill their obligations under the PDPA.
Overall, this decision provides valuable guidance for organizations in Singapore on the practical steps they must take to fulfill their data protection obligations, particularly in the context of relying on third-party service providers and maintaining robust password policies and security review processes.
Legislation Referenced
Cases Cited
- [2016] SGPDPC 191 - Re Smiling Orchard (S) Pte Ltd and Ors
- [2018] SGPDPC 265
- [2019] SGPDPC 3 - Singapore Health Services Pte. Ltd and Integrated Health Information Systems Pte Ltd
- [2020] SGPDPC 9
- [2020] SGPDPCR 1 - Chizzle Pte Ltd
- [2022] SGPDPC 3
- [2023] SGPDPC 4 - The Law Society of Singapore
Source Documents
This article analyses [2023] SGPDPC 4 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.