Breaking Down PDPC’s February 2023 decisions: CPR Vision Management and Redmart
The February 2023 PDPC decisions have been published on the PDPC’s official website. Two cases were issued this month: the directions given to CPR Vision Management, and the decision to impose no financial penalty on RedMart.
It should be noted that the Personal Data Protection Act (PDPA) aims to balance organisations’ need to use data for legitimate purposes against the protection of individuals’ personal information, and the PDPC is tasked with administering and enforcing it.
The decisions issued by the PDPC are published on its website, where anyone can read the latest data protection standards it has set. Organisations that want to observe these standards should keep themselves updated on the latest PDPC decisions and undertakings.
Let’s have a look at the February 2023 cases and the lessons they hold for data protection and cybersecurity.
February 10: The directions issued to CPR Vision Management
On October 29, 2021, L’Oreal Singapore and L’Occitane Singapore notified the PDPC of a ransomware attack on their CRM system vendor, CPR Vision Management. CPR Vision Management is a data intermediary that helped process the personal data collected by L’Oreal and L’Occitane.
The ransomware attack affected a server and three network-attached storage (NAS) devices in the office network. The Incident compromised the personal data of approximately 84,000 L’Occitane customers and nearly 35,000 L’Oreal customers.
Investigations revealed that the threat actor first gained access to the office network via a compromised user account VPN connection before executing the ransomware attack. CPR Vision Management admitted that its endpoint security solution would have been able to detect and block the unauthorised entry attempts to the office network.
However, the organisation had not extended this protection to the affected office network because that network was earmarked for decommissioning. CPR Vision Management also admitted that it was in breach of the Retention Limitation Obligation: the affected data was legacy content that should have been deleted together with the domain controller server earmarked for decommissioning.
Fortunately, the PDPC only issued directions, taking into account CPR Vision Management’s upfront admission of liability and the absence of any evidence that data exfiltration or modification had occurred.
February 10: No financial penalty issued to RedMart
The next PDPC decision involves RedMart. On May 31, 2021, the PDPC was notified that the online supermarket was collecting images of the physical NRICs and other identification documents of suppliers making deliveries to its warehouses. This practice did not appear to comply with the PDPA.
Investigations revealed that RedMart operated two warehouses used to store the goods and products it sold. As suppliers regularly visited the warehouses, the Lazada-owned e-commerce company implemented measures to regulate visitors’ access to them.
Security checkpoints there used an organisation-issued tablet computer to take photographs of visitors’ NRIC or other IDs. Prior to the Incident, there were no notices at the warehouses’ security checkpoints informing visitors of the purpose of the collection of ID photographs.
With this lapse identified, RedMart took some steps to remediate the Incident, and the PDPC gave directions to follow. Since the directions from the PDPC had been complied with, no financial penalty was imposed against RedMart.
What did we get from these cases?
- Conducting security audits for your organisation should not be sloppy. It must cover every nook and cranny of your organisation’s system, especially in those servers which contain personal data.
- Your upfront admission of lapses as an organisation can go a long way. Do not think twice about coming clean and admitting something that could help expedite the investigation of a data breach.
- When collecting the personal data of individuals, it is important for the organisation to secure proper consent and to notify them of the purpose of the collection. This is especially true when collecting NRICs. Failure to do so puts the organisation at risk of a financial penalty of up to S$1,000,000.
- Failure to observe the obligations under the PDPA does not automatically equate to a financial penalty.
- Appointing a Data Protection Officer (DPO), a mandatory role in every organisation, can help. Note that the DPO can be in-house or outsourced to professional PDPA service providers such as Privacy Ninja.
Your appointed DPO can work with you on your PDPA compliance, ensuring that policies are in place so that the handling of personal data is PDPA compliant.
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organisation complies with the Personal Data Protection Act (PDPA). Every organisation’s DPO should be able to curb instances of PDPA non-compliance, as the DPO is the officer responsible for maintaining the organisation’s data protection and cybersecurity posture.
DPOs complement an organisation’s efforts to ensure that its methods of collecting personal data comply with the PDPA. They also ensure that policies are set in place to prevent data breaches in the future.
Don’t wait any longer to ensure your organisation is PDPA compliant. Take our free 3-minute PDPA Compliance Self-audit checklist now, the same “secret weapon” used by our clients to keep them on track. Upon completion, we will send you the results so you can take the necessary action to protect your customers’ data. Complete the free assessment checklist today and take the first step towards protecting your customers’ personal data.