
The National Kidney Foundation [2021] SGPDPC 10

Analysis of [2021] SGPDPC 10, a decision of the Personal Data Protection Commission on 2021-09-15.

Case Details

  • Citation: [2021] SGPDPC 10
  • Court: Personal Data Protection Commission
  • Date: 2021-09-15
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: The National Kidney Foundation
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2021] SGPDPC 10
  • Judgment Length: 10 pages, 2,249 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated the National Kidney Foundation (the Organisation) for a data breach incident where a hacker gained unauthorized access to an employee's email account and potentially exfiltrated sensitive personal data of patients, employees, and third parties. The PDPC found that the Organisation failed to implement reasonable security arrangements to protect the personal data in the employee's email account, thereby contravening its obligations under the Personal Data Protection Act (PDPA).

What Were the Facts of This Case?

On 22 May 2020, the PDPC received a data breach notification from the National Kidney Foundation (the Organisation). The Organisation had discovered that on 17 May 2020, a hacker had gained access to the work email account of one of its employees ("Employee A") and had likely exfiltrated the personal data contained in the email account (the "Incident").

The Organisation is a prominent non-profit health organisation in Singapore that provides health services, including subsidised kidney dialysis. Employee A is an executive in the Organisation's Clinical Operations department, which deals with implementation of operations policies, budget planning, and working with the medical and nursing management team.

Investigations revealed that on 14 May 2020, Employee A received a phishing email containing a link that led to a website seeking his account credentials. The hacker is believed to have obtained Employee A's account credentials in this way. Thereafter, the hacker accessed Employee A's email account (the "Email Account") and synchronized the mailbox on 17 May 2020, likely downloading all the data stored in the Email Account.

The Email Account comprised 23,145 emails containing the personal data of approximately 500 individuals, including patients, employees, and third parties. The personal data included sensitive information such as age, bank account numbers, medical conditions, and financial details.

The key legal issue in this case was whether the Organisation had breached its obligation under section 24 of the Personal Data Protection Act 2012 (PDPA) to protect the personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks (the "Protection Obligation").

How Did the Court Analyse the Issues?

In determining whether the Organisation had breached its Protection Obligation, the PDPC considered the nature of the personal data in the Organisation's possession and the potential impact on the affected individuals if the data was compromised.

The PDPC noted that the Organisation, as a prominent non-profit health organisation, routinely handles sensitive personal data of its patients, including medical data and financial information related to subsidies. Given the sensitivity of this data, the PDPC found that the Organisation had higher-level security needs that it had to meet in order to discharge its Protection Obligation.

The PDPC highlighted that for employee email accounts containing sensitive personal data, such as the Email Account in this case, the Organisation should have conducted a risk assessment to identify the need for more robust authentication measures, such as two-factor authentication (2FA). The PDPC stated that where personal data held by an organisation or its employees is sensitive and may cause damage to affected individuals if compromised, strong access control measures, including 2FA, are important safeguards.

The PDPC noted that the Organisation had implemented various security measures, such as a password policy, an account lockout mechanism, and email filtering services. However, the PDPC found that these measures were insufficient, as the Organisation had failed to implement 2FA or other robust authentication measures for the Email Account, which contained sensitive personal data.
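The risk assessment the PDPC describes, deciding per account whether the sensitivity of the data it holds warrants 2FA on top of baseline controls, can be expressed as a small audit over an account inventory. The following is an added illustration, not code from the decision or from the Organisation; the account records, data categories, control thresholds and the helper names are all constructed assumptions.

```python
"""Account-level authentication risk check (added example, not from the decision).

Given an inventory of mailbox accounts annotated with the categories of personal
data they hold and the controls applied to them, flag accounts that fall short of
the control level their data sensitivity calls for.  The category names and the
thresholds below are constructed assumptions, not values from the PDPC decision.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed: categories treated as "sensitive personal data" for this check.
SENSITIVE_CATEGORIES = {"medical", "financial", "bank_account", "age"}

# Constructed baseline thresholds applied to every account.
MIN_PASSWORD_LENGTH = 12
MAX_LOCKOUT_THRESHOLD = 10   # failed attempts allowed before lockout


@dataclass
class Account:
    user: str
    department: str
    data_categories: set[str]
    mfa_enabled: bool
    lockout_threshold: Optional[int]  # None means no lockout configured
    min_password_length: int
    mail_filtering: bool


def risk_tier(acct: Account) -> str:
    """'high' if the account holds any sensitive category, else 'standard'."""
    return "high" if acct.data_categories & SENSITIVE_CATEGORIES else "standard"


def assess(acct: Account) -> list[str]:
    """Return the list of control gaps for one account (empty means compliant)."""
    findings: list[str] = []
    tier = risk_tier(acct)

    # Baseline controls expected on every account regardless of tier.
    if acct.lockout_threshold is None or acct.lockout_threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append("account lockout missing or threshold too high")
    if acct.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append("password policy below minimum length")
    if not acct.mail_filtering:
        findings.append("no inbound email filtering")

    # Tiered control: sensitive data raises the bar to MFA.
    if tier == "high" and not acct.mfa_enabled:
        findings.append("MFA required: account holds sensitive personal data")
    return findings


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Map each non-compliant user to its findings; compliant accounts are omitted."""
    result = {}
    for acct in accounts:
        gaps = assess(acct)
        if gaps:
            result[acct.user] = gaps
    return result


# Constructed sample inventory; these are not real accounts.
SAMPLE_ACCOUNTS = [
    Account("clinical_ops_exec", "Clinical Operations",
            {"medical", "financial", "age"}, mfa_enabled=False,
            lockout_threshold=5, min_password_length=12, mail_filtering=True),
    Account("reception_desk", "Front Office",
            {"name", "contact"}, mfa_enabled=False,
            lockout_threshold=5, min_password_length=12, mail_filtering=True),
    Account("finance_clerk", "Finance",
            {"bank_account"}, mfa_enabled=True,
            lockout_threshold=None, min_password_length=8, mail_filtering=True),
]

if __name__ == "__main__":
    for user, gaps in audit(SAMPLE_ACCOUNTS).items():
        print(user)
        for gap in gaps:
            print("  -", gap)
```

Running the sample inventory reports the clinical operations account as missing MFA even though its baseline controls are in place, which is the shape of the gap the PDPC identified; the reception account passes because it holds no sensitive categories, and the finance account is flagged on baseline controls despite having MFA.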

What Was the Outcome?

Based on the above analysis, the PDPC determined that the Organisation had failed to implement reasonable security arrangements to protect the personal data in the Email Account from the risk of unauthorized access, thereby contravening its Protection Obligation under section 24 of the PDPA.

The PDPC ordered the Organisation to:

  • Implement 2FA or other robust authentication measures for all employee email accounts that contain sensitive personal data;
  • Conduct a comprehensive review of its data protection practices and implement appropriate measures to address any gaps;
  • Provide training to all employees on data protection and cybersecurity best practices; and
  • Pay a financial penalty of S$60,000.

Why Does This Case Matter?

This case is significant because it highlights the importance, particularly for organisations handling sensitive personal data, of implementing robust security measures to protect against unauthorised access. The PDPC's decision emphasises that organisations must conduct risk assessments to identify employee accounts or systems that warrant stronger authentication controls, such as 2FA, based on the sensitivity of the personal data involved.

The case also serves as a reminder that the PDPA's Protection Obligation requires organizations to take a proactive and tailored approach to data security, rather than relying on generic or basic security measures. Organizations must continuously review and enhance their data protection practices to address evolving cybersecurity threats and ensure the confidentiality of the personal data in their possession.

For legal practitioners, this case provides guidance on the PDPC's expectations regarding reasonable security arrangements under the PDPA. It underscores the need for organizations to carefully consider the nature and sensitivity of the personal data they handle, and to implement security controls that are proportionate to the risks involved. The case also highlights the potential financial and reputational consequences for organizations that fail to meet their data protection obligations.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2021] SGPDPC 10

Source Documents

This article analyses [2021] SGPDPC 10 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
