What can happen when you breach the protection obligation?
Every organisation has an obligation under the Personal Data Protection Act (PDPA) to put in place security arrangements that protect the personal data it collects, uses, or discloses. This is the Protection Obligation of the PDPA.
Under Section 24 of the Act, an organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. Failing to do so can lead to consequences such as the hefty financial penalties imposed in previously decided cases.
Complying with this obligation matters because, aside from the financial penalty the organisation may be made to pay, the individuals whose personal data was breached may be seriously affected. This is where the trust of customers and potential clients is lost, which can have a significant impact on profit.
It should be noted that an organisation cannot comply with this obligation in a "one-size-fits-all" way. It should adopt security measures that are reasonable and appropriate in the circumstances, taking into account the nature of the personal data, the form in which it was collected (e.g., physical or electronic), and the possible impact on the individual if an unauthorised person obtained, modified, or disposed of the data. This was discussed in the case of Cognita Asia Holdings, an international independent schools group based in Singapore.
Breach of Protection Obligation by Cognita Asia Holdings
On June 16, 2021, Cognita Asia Holdings notified the PDPC that the servers of three schools had been subjected to a ransomware attack. The attack affected the personal data of 1,260 individuals, 1,195 of whom were students.
Upon investigation, it was found that the threat actor gained initial access to one of the schools' networks through a VPN session using compromised administrator account credentials.
It was further found that although the organisation used a VPN, its existing configuration required only username and password authentication.
Given the kind of personal data that Cognita collected and processed, such as photographic identification documents of students as well as salary and bank account information of employees, the organisation should have put in place security controls beyond username and password authentication.
According to the PDPC, in view of the nature of the personal data it held, the organisation should have applied a higher level of security and stronger access control for its administrator accounts, such as multi-factor authentication for VPN connections made with those accounts, to protect such personal data.
For breaching the Protection Obligation, Cognita was made to pay a financial penalty of S$26,000. The outcome is very different when an organisation has exercised the due diligence required of it, as the case of QCP Capital, an investment firm focused on digital economy trading, shows.
Protection Obligation compliance of QCP Capital
On August 30, 2021, QCP Capital notified the PDPC that a personal data breach had occurred through unauthorised access to employee accounts and the exfiltration of customer personal data.
In this incident, the personal data of 675 individuals was exfiltrated, including names, NRIC numbers, dates of birth, addresses, passport scans, passport numbers, photographs, email addresses, phone numbers, Telegram and WeChat IDs, whitelisted addresses, and trading records.
Upon investigation, it was found that the organisation had made reasonable security arrangements to protect the personal data in its possession and/or under its control in relation to the incident.
The organisation also had an internal monitoring system in place, which allowed it to detect and escalate the anomalous transaction and to flag and suspend the affected trading account.
The organisation also took prompt and extensive remedial action to mitigate the effects of the incident and to enhance the overall robustness of its security measures. This included notifying the affected individuals, layering its access controls, and introducing mandatory hardware-key authentication.
On this basis, the PDPC held that QCP Capital had complied with the Protection Obligation under Section 24 of the PDPA and could not be held liable for the unauthorised access by the threat actor(s) involved.
Takeaways we can get from these cases
Organisations should always remember that a breach of the Protection Obligation under the PDPA can mean a hefty financial penalty imposed by the PDPC. Beyond this, the organisation can also suffer a tarnished reputation that may end up costing it the business.
A breach can also disrupt normal business operations, as in the case of Cognita Asia Holdings, where the personal data on its servers was encrypted. Without adequate security in place and backups of that data, a company may be unable to operate, and so loses profit.
With this said, organisations should not take compliance with the Protection Obligation lightly. Where accounts and networks need to be protected from threat actors, organisations must exercise due diligence: a simple username and password is not enough, and the level of security must be reasonable for the type of personal data the organisation handles.
Breaches happen, and the organisation does not always have to bear the consequences. As long as it has diligently complied with the Protection Obligation on its part, a breach does not automatically mean a financial penalty, as the case of QCP Capital shows.
How a Data Protection Officer (DPO) can help
It cannot be stressed enough how much a DPO can help, whether in-house or outsourced. The Protection Obligation is the obligation under the PDPA that organisations, especially SMEs, most commonly breach, and when they do, the PDPC can impose a financial penalty. A DPO helps to make sure this does not happen to your organisation.
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organisation complies with the Personal Data Protection Act (PDPA). Every organisation's DPO should also be able to help curb cyber threats and data breaches, as the DPO is the officer responsible for maintaining the organisation's security posture with respect to personal data.
For instance, at Privacy Ninja, we regularly conduct penetration testing to find out whether an organisation's systems can be exploited, so that the weaknesses can be remediated as quickly as possible, before a threat actor finds them. Although this is not part of our DPO scope of work, it is a valuable facet of cybersecurity that our clients also use to strengthen their compliance journey.
DPOs complement the organisation's efforts to ensure that the personal data it collects and uses is accurate and protected. They also ensure that, should the obligation be breached, a protocol for dealing with the incident has been established and can be put into action.
As a consumer who provides my own sensitive information to each organisation I encounter or transact with, I would feel safe if an organisation went the extra mile to ensure that my data is correct and protected, as it affects me whenever a decision is made about me.
With the unstoppable digitalisation of every service in Singapore and around the world, strict compliance by organisations with the Protection Obligation is very much expected in order to safeguard everyone's interests.
With this said, organisations should make sure that their safeguards are in place so that no breach occurs, even under the pressure of their compliance efforts. They should also ensure that the level of protection is appropriate to the kind of personal data the organisation collects, uses, or discloses in its business operations.