Lam Chung Nian of WongPartnership in Singapore looks at the city’s attempts to tackle cyber security

Organisations in Singapore are facing increased legal, business and reputational risks from cyber security attacks and data breaches. At the Asia Cyber Risk Summit 2016, the Monetary Authority of Singapore cited PricewaterhouseCoopers’ 2015 Global State of Information Security survey, which found that over 100,000 cyber-attacks occurred every day worldwide in 2013 (an average increase of 66% a year over the previous four years).

Against this backdrop, there have been some significant developments in cyber security law in Singapore. The authorities have been active in enforcing against breaches of Singapore’s data protection regulatory framework, new legislation is to be passed, and existing laws are to be amended.

PDPC releases grounds of decisions for breach of data protection obligations

On April 21 2016, the Personal Data Protection Commission (PDPC) released nine decisions against 11 organisations detailing actions taken for breaches of the Personal Data Protection Act (Act 26 of 2012) (PDPA). Various penalties, directions and warnings were imposed on or issued to these organisations, including financial penalties ranging from S$5,000 to S$50,000.

In Singapore, organisations are generally required to comply with the PDPA in respect of any collection, use or disclosure of personal data in Singapore, unless relevant statutory exceptions apply. Amongst other things, an organisation is required to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”).

Cyber-attacks and data breaches can quickly expose an organisation’s failure to comply with the Protection Obligation, as was the case in the decision against K Box Entertainment Group (K Box) and Finantech Holdings (Finantech) (Case No: DP-1409-A100, [2016] SGPDPC 1). K Box had been hacked in 2014 and personal data of more than 300,000 of its members had been leaked to the public.

In the K Box decision, K Box was held to have failed to effectively manage its data intermediary to protect personal data. K Box had “never emphasised the need for data protection and [Finantech’s] obligation towards K Box under the PDPA or informed Finantech of its data protection obligation after September 2014”, and “did not include any contractual clauses that required Finantech to comply with a standard of protection in relation to the personal data transferred to it that is at least comparable to industry standards”. To comply with the Protection Obligation, an organisation cannot delegate all responsibility for protection of personal data to its vendors without actively managing them as data intermediaries.

Other decisions highlighted poor data handling practices which organisations should avoid:

  • The Singapore Computer Society was given a warning (Case No: DP-1504-A390, [2016] SGPDPC 9) for the poor data handling practices of (i) not protecting its registration list with a password, and (ii) sending that registration list in the same email as a draft invitation to the public (such that there was a high risk of an employee inadvertently forwarding the entire registration list outside the organisation);
  • In the decision against K Box, personal data of over 90,000 members was sent as an unencrypted Excel file through Gmail;
  • In the decision against Full House Communications (Case No: DP-1503-A368, [2016] SGPDPC 8), a warning was issued for failure to protect personal data by leaving the auto-fill function enabled for drop-down boxes on a lucky draw form that was to be filled in on the spot using the organisation’s laptop (so that earlier entrants’ details were suggested to later ones); and
  • In the decision against Fei Fah Medical Manufacturing (Case No: DP-1409-A145, [2016] SGPDPC 3), the PDPC cautioned against “encrypting” passwords with a plain MD5 hash (MD5 is an unsalted, fast hash rather than encryption, and offers little protection to stored passwords).

The PDPC also gave examples of failures to make “reasonable security arrangements” as part of the Protection Obligation, such as:

  • In the decision against Metro (Case No: DP-1504-A421, [2016] SGPDPC 7), not addressing SQL injection vulnerabilities which had been highlighted in earlier IT security audits;
  • In the decision against the Institution of Engineers Singapore (IES) (Case No: DP-1411-A213, [2016] SGPDPC 2), vulnerabilities such as cross-site scripting and SQL injection were not addressed, and IES did not make reasonable security arrangements such as storing passwords in encrypted form, conducting audits on outsourcing vendors and conducting penetration testing;
  • In the decision against Challenger Technologies and Xirlynx Innovations (Case No: DP-1409-A103, [2016] SGPDPC 6), the failure to sample and proofread e-statements before they were sent out; and
  • In the decision against K Box, the failure to enforce the password policy, the failure to remove unused accounts, the failure to use newer versions of software libraries, and the failure to conduct audits on database security.

Organisations should be careful not to repeat these lapses.
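Two of the lapses above, a bare MD5 digest as password storage (Fei Fah) and user input spliced into SQL text (Metro, IES), are shown beside their remediated forms in the following example. It is added here for illustration and is not code from the article or from any of the organisations in the decisions; the members table, the e-mail addresses and the passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

# Lapse: an unsalted, fast MD5 digest. Every member with the same password
# gets the same stored value, so one recovered password unlocks all of them.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Remediation: a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256),
# stored as "algorithm$rounds$salt$digest" so the parameters travel with the record.
def pbkdf2_store(password: str, salt: bytes = None, rounds: int = 200_000) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time comparison

# Constructed in-memory members table standing in for a membership database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO members VALUES (?, ?)", ("a@example.com", pbkdf2_store("Secret1")))
    conn.execute("INSERT INTO members VALUES (?, ?)", ("o'brien@example.com", pbkdf2_store("Secret1")))
    return conn

# Lapse: the e-mail address becomes part of the SQL statement, so any quote
# character in it changes the query's meaning instead of being matched as data.
def find_member_unsafe(conn: sqlite3.Connection, email: str) -> list:
    return conn.execute(f"SELECT email FROM members WHERE email = '{email}'").fetchall()

# Remediation: a bound parameter; the driver keeps the value separate from the SQL text.
def find_member_safe(conn: sqlite3.Connection, email: str) -> list:
    return conn.execute("SELECT email FROM members WHERE email = ?", (email,)).fetchall()

# True only if the lookup returns exactly the requested member without the
# query breaking; an apostrophe in a legitimate address is enough to expose the lapse.
def quote_in_email_is_handled(conn: sqlite3.Connection, lookup, email: str = "o'brien@example.com") -> bool:
    try:
        return [row[0] for row in lookup(conn, email)] == [email]
    except sqlite3.Error:
        return False
```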

New cyber security legislation to be tabled in 2017; amendments to the CMCA

The Minister-in-Charge of Cyber Security, Dr Yaacob Ibrahim, announced in Parliament on April 11 2016 that a new Cyber Security Act (CSA) would be introduced in 2017. The intent of the CSA is to ensure that operators take proactive steps to report incidents and to secure Singapore’s critical information infrastructure. The CSA will also give Singapore’s Cyber Security Agency wide powers to manage cyber security incidents and to raise the standards of cyber security providers in Singapore.

The Senior Minister of State for Home Affairs, Desmond Lee, stated in Parliament on April 6 2016 that the Computer Misuse and Cybersecurity Act (CMCA) will continue to be reviewed. The intent of the amendments is to tackle the increasing number and changing tactics of cybercrimes and to address their transnational nature.

Conclusion

Given the recent PDPC enforcement decisions, organisations may wish to exercise prudence in the handling and protection of personal data to reduce exposure to legal risks from lapses in cyber security.

The proposed amendments to existing legislation and the new legislation may impose new obligations on organisations to report and prevent incidents, which could in turn lead to greater cyber security in Singapore, and are to be welcomed.

Lam Chung Nian
Partner
WongPartnership
Singapore

About the author

Chung Nian heads the intellectual property, technology and media, telecommunications and data protection practices. His experience covers all aspects of transactional, enforcement and advisory work including complex investment and joint venture agreements, franchising, IP due diligence, and IP asset acquisitions, divestments and other arrangements in the context of corporate mergers and acquisitions, public and private fund-raising exercises.

He has been appointed to the World Intellectual Property Organisation’s Panel of Film and Media Mediators, Arbitrators and Experts and is the Vice Chair of the International Bar Association Communications Law Committee; Hon Secretary of the Asian Patent Attorney Association (Singapore Chapter); member of the International Trademark Association; and member of the Intellectual Property Committee of the Law Society of Singapore.

Chung Nian graduated from the National University of Singapore. He is admitted to the Singapore Bar and to the Roll of Solicitors of England and Wales, and is a registered patent agent in Singapore.