Fullerton Health and its vendor fined after patients’ data offered for sale on dark web

PERIODIC SECURITY REVIEWS ARE KEY

In its judgment, the PDPC said it has repeatedly emphasised the need for organisations to conduct periodic security reviews of their IT systems.

While Agape had done this, the reviews did not cover the file server because it was a legacy feature unique to Agape’s engagement by Fullerton Health. Agape thus did not review and assess the file server’s security implications and risks.

When the data was breached, the password for the file server had also been inadvertently disabled for about 20 months. The cause could not be established.

This led to the file server becoming an “open directory listing on the internet with no password protection, and highly vulnerable to unauthorised access, modification and similar risks over an excessive period of time”, said the PDPC.

Before the password was disabled in December 2019, it had been shared among the inmates so that they could access the file server. There was also no expiry date set for the password.

Meanwhile, Fullerton Health was obliged to exercise reasonable oversight of Agape’s data processing activities by regularly monitoring its personal data handling processes, said the PDPC.

As for whether Fullerton Health was aware of the uploading of customer data to Agape’s file server, and whether it permitted this, the PDPC said there was insufficient evidence to make a finding.

However, the fact remained that Fullerton Health knew Agape was engaging inmates. Fullerton Health should have made reasonable inquiries to determine how the customer data would be stored and transmitted, the PDPC said.

IMPACT OF INCIDENT WAS “AMPLIFIED”

In determining what financial penalty to impose, the PDPC noted that through the SharePoint system, Fullerton Health had inadvertently disclosed personal data only intended for its employees’ internal use.

Agape did not need this data to provide its services. The PDPC said this led to the “impact of the incident being amplified”.

Fullerton Health was also the data controller and “bore the ultimate responsibility to exercise due diligence and reasonable supervision over Agape”, added the PDPC.

It considered the fact that Fullerton Health’s annual turnover, based on its latest available audited accounts, was almost 50 times higher than Agape’s.

In terms of mitigating factors, the PDPC noted that both had taken prompt remedial actions when the data breach came to light. They have also taken steps to prevent the incident from happening again.

In October last year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.

Previously, organisations that violated the Personal Data Protection Act faced a financial penalty of up to S$1 million.
