Victim of a Data Breach? Here’s What You Can Do
In 2019, American citizen Mikhy Farrera-Brochez stole and leaked online the confidential information of 14,200 people with HIV, taken from the Singapore Ministry of Health (MOH). This included their names, contact details, and medical information. Farrera-Brochez had been able to obtain this information from his partner, who was head of MOH’s National Public Health Unit and had access to the HIV Registry. While not strictly arising from a cyberattack, the fact remains that sensitive information was leaked to the masses.
That was in 2019. Three years later in 2022, Starbucks Singapore’s database was breached by cyberattacks. While highly sensitive information such as credit card information remained protected, the names and addresses of some 330,000 customers were breached and put up for sale on an online forum.
Unfortunately, Singapore is now ranked 6th in the world for having the most databases exposed to the Internet. Consequently, Singapore’s data remains susceptible to breaches from cyberattacks or via other means. A study corroborates this, showing that cyberattacks in Singapore have seen a 145% year-on-year increase in 2021.
Against such a backdrop, what can you do if you suspect that you have been a victim of a data breach? Most citizens are aware of the Personal Data Protection Act (PDPA). It is the chief legislative defence Singapore provides for its citizens. However, are there other possible avenues for victims to seek legal recourse? This article explores:
What is a Data Breach?
The PDPA provides clear guidelines on the collection, use and disclosure of personal data by organisations.
The PDPA defines a data breach as such:
- Unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data (e.g. cyberattacks, data leaks); or
- Loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur (e.g. losing a thumb drive or storage card containing customers’ personal data).
Additionally, the PDPA defines ‘personal data’ as data that either can allow others to identify you, or aid others in identifying you when read with other information. Some examples of personal data that can be stolen or misused include:
- Your personal details (e.g. full name, NRIC number);
- Your contact details (e.g. phone number, email address); or
- Your sensitive information (e.g. credit card information, bank account numbers, passwords).
What are Some Potential Legal Remedies Available?
What legal options do you have when you are a victim, or suspect yourself a victim, of a data breach? This section explores the various legal remedies available to you, as well as the limitations, if any, of these remedies.
Filing a complaint with the PDPC
One of the legal remedies available is to file a complaint with the Personal Data Protection Commission (PDPC). The PDPC acts as Singapore’s main authority in personal data protection matters. One of its key functions is to enforce the PDPA.
It must be noted, however, that the PDPC requires that you liaise with the organisation concerned (i.e. the organisation that is allegedly responsible for the data breach) before lodging a complaint. A template is provided by the PDPC for contacting the organisation about your concerns.
Should the organisation continue to be unresponsive for 10 days, you may then proceed to file a complaint with the PDPC. However, should you wish to request to access, or correct, personal data stored with the organisation, you may only file a complaint with the PDPC after 30 days of non-responsiveness from the organisation has lapsed.
After filing your complaint, the PDPC will then investigate the matter with the organisation concerned. On finding that an organisation is in breach of the relevant PDPA provisions, the PDPC is empowered to order the organisation to:
- Stop collecting, using or disclosing personal data in contravention of the PDPA;
- Destroy personal data collected in contravention of the PDPA;
- Provide access to or correct the personal data; and/or
- Pay a financial penalty.
The PDPC is also empowered to impose financial penalties on finding that the organisation had breached specific PDPA provisions, either intentionally or negligently. These specific provisions relate to:
- General rules with respect to the protection of and accountability for personal data (Part 3 of the PDPA);
- Collection, use and disclosure of personal data (Part 4 of the PDPA);
- Access to and correction of personal data (Part 5 of the PDPA);
- Care of personal data (Part 6 of the PDPA); or
- Notification of data breaches (Part 6A of the PDPA).
Under the PDPA, organisations could face a financial penalty of 10% of their annual turnover if their annual local turnover exceeds S$10 million, or up to S$1 million, whichever is higher.
In 2019, the PDPC imposed a total financial penalty of $1,000,000 on Integrated Health Information Systems and Singapore Health Services for breaching their data protection obligations under the PDPA. In 2022, the PDPC imposed a financial penalty of $60,000 on an organisation for failing to protect the personal data of its customers under the PDPA.
However, it is understandable that the remedies the PDPC offers might not be satisfactory to victims who have personally suffered loss or damage from the data breach. As such, the other legal remedies below may be more favourable in such cases.
Private action under the PDPA
You may wish to file a lawsuit against the organisation directly for your losses and recover any damages arising due to the data breach. This would be well within your rights, as civil liability arises under the PDPA for data breaches where the victim suffers loss or damage. In other words, you may sue the organisation directly for a failure to protect your personal data – a duty which is owed to you.
Specifically, under section 48O(1) of the PDPA, a person who suffers loss or damage directly as a result of a contravention by an organisation with regard to Part 4 – Part 6A of the PDPA, will be entitled to a right of action for relief in civil proceedings. These include situations where the organisation had:
- Collected personal data without individuals’ consent or disclosed individuals’ data without their consent;
- Denied access or correction requests from individuals with respect to their personal data;
- Had unreasonably low standards of security arrangements for the protection of personal data it has collected (that led to the data breach); or
- Delayed or failed to notify the PDPC of data breaches.
The PDPC will then be involved in determining whether the organisation has in fact contravened the relevant PDPA provisions.
However, should the organisation appeal against the PDPC’s findings, any civil proceedings can only commence after the final decision from the Data Protection Appeal Panel (DPAP). The DPAP is appointed under the PDPA and acts as a final avenue of appeal should either party feel that the PDPC’s decision with respect to their matter is unsatisfactory. After lodging an appeal, the DPAP will nominate three or more Panel members to form a Committee that will discuss and make a decision on the matter.
Do note that the PDPA does not provide for the types of losses and damages that are claimable. As such, case law has interpreted it as referring to the heads of loss or damage under common tort law. These include:
- Pecuniary (economic) losses;
  - e.g. monetary losses, loss of income
- Damage to property; and
  - e.g. destruction or corruption of databases, rendering them useless or out of commission
- Personal injuries (including psychiatric illness).
  - e.g. depression arising from highly sensitive personal data being leaked to the public
Though the general principle of common law is that emotional or mental distress is not actionable (i.e. emotional or mental distress does not qualify as damages or losses suffered), case law has adopted a wide interpretation to include emotional or mental distress as an actionable head of loss or damage.
Notably, in a 2022 Singapore Court of Appeal case, an employer sought an injunction restraining the respondent from using certain personal data belonging to the appellant and other customers, and an order for the respondent to destroy said data. The respondent was a former employee who had used personal data (e.g. names and email addresses) obtained in the course of his previous employment to contact his former employer’s customers, including the appellant. In arriving at its decision, the court undertook a purposive interpretation of the PDPA before concluding that emotional or mental distress falls within the scope of “loss or damage” claimable under the PDPA.
Pursuant to civil proceedings, the court is empowered and granted a blanket authority under the PDPA to grant any relief as it sees fit. This includes remedies such as:
- Injunctions;
  - i.e. a court order to restrict or compel the organisation to do as instructed. This is up to the court’s discretion
- Declarations; and/or
  - i.e. the court’s unequivocal decision regarding whether the organisation had contravened PDPA provisions
- Damages.
  - i.e. compensation for losses suffered by the individual whose data was leaked
Compensation for breach of contract
Alternatively, you may file for damages arising from a contractual breach. An example of such a claim would be that the organisation has held your data in a manner inconsistent with its obligations under a contract between you and them, or is otherwise in breach of contract. The PDPC has provided some examples of such clauses that may arise in a contractual agreement between the individual and the organisation processing his personal data.
That being said, this legal remedy is applicable only in cases where there exists a contract between the victim of the data breach and the organisation. An example of this would be the contractual agreement between users of a cloud service and the cloud service itself. For instance, Unify, a German-based cloud and high performance computing company, expressly provides in its agreement with users that it shall take appropriate measures to protect its customers’ personal data.
The remedies that can be claimed for contractual breaches relating to data breaches include:
- Damages (arising from the contractual breach);
- A potential option to terminate the contract (with the organisation); and
- An order of specific performance of the contract (in respect of the data protection provision in cases of data breaches). In essence, the court will compel the organisation to comply with the terms of the agreement in relation to data protection.
That being said, organisations may have included a limitation of liability clause, or an exclusion clause in the stipulated contract. If given effect:
- Exclusion clauses will completely exclude liability from the organisation with respect to the data breach; and
- Limitation of liability clauses will partially exclude liability (i.e. the organisation can be held liable up to a fixed sum).
This would limit the damages you can claim for the organisation’s role in the data breach.
In such a case, a potential recourse available is relying on the Unfair Contract Terms Act (UCTA) to argue that the clauses should not be given effect. The UCTA serves to prevent excessive avoidance of civil liability arising from breaches in contract, among other things. As limitation of liability clauses seek to restrict the damages claimable in respect of the contractual breach, such clauses would fall within the UCTA’s ambit.
Ultimately, it is up to the court’s discretion whether to give effect to such clauses. The primary question that the court will consider then is whether these clauses are reasonable. While none of these immediately qualify the clause as unreasonable, some factors that the court will take into account include:
- Relative bargaining powers between the parties;
  - The court will consider if the individual and the organisation were approaching the agreement on equal terms, which is usually not the case as there may be unequal bargaining power
- Absence of negotiations between the parties or presence of protest by one party; and
  - If the organisation had presented the agreement as-is and there was no room for the individual consumer to negotiate, the court will likely look more favourably towards the individual
- Availability of reasonable alternatives for both parties.
  - If the individual has no other alternatives for the service the organisation provides, the court will take this factor into account in favour of the individual
These are all considered in totality to determine whether the clause can be deemed reasonable in restricting the organisation’s/company’s liability. Should the court strike off the clause, you will be able to claim the full extent of your loss or damages.
In summary, should you have reason to believe that you are a victim of a data breach, the first step is to request more information from the organisation itself or try to resolve the matter with the organisation before escalating your case to the courts. Indeed, there is a possibility of the matter being resolved without the need for litigation.
However, should the organisation be unresponsive or provide an unsatisfactory response/outcome, there are three main legal remedies that you can rely on:
- Filing a complaint with the PDPC, who will investigate the matter further
- Filing a civil lawsuit on grounds of a statutory tort for losses and damages resulting from the data breach
- Filing a civil lawsuit on grounds of a contractual breach for losses and damages resulting from the data breach.
Do note that these legal remedies are fact-specific. For instance, filing a civil lawsuit on grounds of a contractual breach will not be applicable in cases where there is no contract between you and the organisation.
Nevertheless, should you wish to take action against the organisation responsible for a data breach, you may wish to contact a data protection lawyer to advise you on the strength of your case and remedies likely available to you.
Alternatively, should you wish to commence civil proceedings or a claim under contractual breaches, you may wish to consult a disputes resolution lawyer for further advice and to discuss the best approach to take depending on the circumstances of your case.