A group of recent decisions from Singapore’s Personal Data Protection Commission (PDPC) reinforces the importance of protecting personal data in an organisation’s possession or control. All seven decisions highlight failures to implement reasonable security measures to prevent cyberattacks and inadvertent disclosures. Penalties ranged from warnings to a $26,000 fine.
The consistent theme running through these cases is poor security engineering practice: inadequate testing, failure to install patches, failure to conduct vulnerability testing, and weak password practices, among others. One case emphasised the need to monitor and manage vendors carefully, since outsourcing processing does not outsource responsibility for the data. The PDPC stressed that extra care is required when personal data are involved.
The PDPC assesses mitigating and aggravating factors to determine a penalty appropriate to each case. The PDPC views favourably organisations that accept responsibility for their breaches, take prompt remedial actions, self-report their violations to the PDPC and cooperate with the PDPC’s investigation. Organisations that do not act in those ways, or that exhibit indifference or neglect towards their data protection obligations under the Personal Data Protection Act (PDPA), may find the PDPC levying greater penalties than they otherwise would.
The following table summarises the recent PDPC Decisions.
Disclaimer: This article is for general information only and does not constitute legal advice.