5 Areas in Which Businesses Can Learn From K Box’s Breach of the PDPA

The Personal Data Protection Commission (“PDPC”) recently published its inaugural decision, which concerned data breaches by K Box Entertainment Group Pte. Ltd. (“K Box”) and Finantech Holdings Pte. Ltd. (“Finantech”). This article extracts the salient insights from the PDPC’s findings that can serve as learning points for businesses.

Personal data of 317,000 K Box members published online

K Box is an operator of several karaoke studios in Singapore. Prior to 2014, it had engaged Finantech as a third-party IT vendor to “revamp, manage and host” K Box’s website, and to “develop K Box’s Content Management System (“CMS”)”.

On 16 September 2014, an article on the website “The Real Singapore” revealed that the personal data of approximately 317,000 K Box members had been published on another website that was accessible to the public. This alleged breach of data privacy led several individuals to lodge complaints with the PDPC.

K Box and Finantech’s breaches of the PDPA

The PDPC initiated an investigation into the matter, and eventually arrived at the following conclusions:

  • K Box had neglected to make reasonable security arrangements, in accordance with section 24 of the Personal Data Protection Act (“PDPA”), to protect its customers’ personal data.
  • K Box had failed to appoint a Data Protection Officer (“DPO”) (in accordance with s 11(3) of the PDPA), and to implement policies and practices (in accordance with s 12(a)) that would ensure that it fulfilled its obligations under the PDPA.
  • Finantech was a data intermediary of K Box because it had access to, stored, and was able to retrieve K Box’s customer data. Therefore, it was obliged to protect such data under s 24 of the PDPA.
  • Finantech had neither implemented the necessary security measures to prevent the unauthorised access to K Box’s customer data, nor advised K Box about the importance of having such measures.

In light of the aforementioned findings, the PDPC ordered (a) that K Box pay a financial penalty of $50,000, and appoint a DPO; and (b) that Finantech pay a penalty of $10,000.

There are several areas in which businesses can learn from K Box’s breach. These include the following:

1. Invest in security infrastructure and the conduct of audits

  • Beyond claiming to have robust data protection policies and practices in place, businesses should make the effort to translate such words into action. This can be achieved by making the necessary investments in their security infrastructure, and by conducting audits to ensure that any policies governing data privacy are enforced company-wide.
  • While K Box stated that it had always maintained “secure server practices such as access controls and data protection policies”, as well as a password policy, these policies and practices were not put into effect in practice.
    • Prior to 16 September 2014, K Box had yet to remove the unused accounts (which facilitated access to the CMS) of former staff who had left the company.
    • Also, K Box was still relying on an older version of software, notwithstanding the software’s numerous known vulnerabilities that cyber perpetrators could easily exploit to pilfer data.
    • Additionally, K Box did not conduct any audits to ascertain if its password policy was being enforced.
  • These three factors eventually undermined the effectiveness of the company’s IT security infrastructure.

2. Policies and safeguards in monitoring the movement of personal data

  • Businesses should implement policies, as well as put in place both physical and online systems to regulate and monitor the movement of customers’ personal data out of the businesses’ premises and computer system respectively.
  • Documents containing such data that are sent electronically should be password-protected or encrypted to guard against interference by third parties.
  • In the case of K Box, it had received unencrypted emails from Finantech containing customers’ personal data. While the leakage of data was not directly attributed to the lack of protection of such emails, the PDPC highlighted the practice as an area of concern.

3. Contractual clauses requiring levels of protection that comport with industry standards

  • When dealing with third-party data intermediaries, businesses should ensure that there are contractual clauses obliging these vendors to adhere to a level of protection on par with industry standards for the personal data transferred from the business to the vendor.
  • In addition, businesses should frequently highlight to their intermediaries the importance of data privacy and protection, as well as remind them about their obligations under the PDPA.

4. Familiarisation with the law and the appointment of a DPO

  • Businesses should take the initiative to become acquainted with the details of the PDPA. Such knowledge can be built up by appointing an individual as the DPO to oversee all aspects of data privacy and protection within the organisation.

5. Accountability and transparency in situations concerning data breaches

  • In the unfortunate instance where there has been a data breach, businesses should implement measures promptly to counter the effects of the breach, as well as inform the parties whose data have been leaked about the incident.
  • Also, during any subsequent investigations conducted by the PDPC, businesses should be “forthcoming in providing information”, instead of giving just “bare facts”.
  • These moves are important because they may be considered by the PDPC as mitigating factors when it decides on the directions to give.

Better to be safe than sorry

While the costs of strengthening security infrastructure and implementing data protection measures may seem prohibitive at the outset, they are necessary costs that businesses have to incur to ensure compliance with the PDPA. A failure to heed the lessons set out above might be even costlier, especially since, for any breach of data privacy, the PDPC has the discretion to impose a financial penalty of 10% of the organisation’s annual turnover in Singapore (for organisations with annual local turnover exceeding S$10 million) or up to S$1 million, whichever is higher.