Huge surge in data breach enforcement cases. Not hacking but lack of basic processes and training are the causes.

We have seen a continual increase in the number of data breach enforcement cases over the years in Singapore.

Within the first 9 months of this year, 26 companies have already been fined a total of S$1.28 million, compared to 23 cases and S$141,000 for the whole of 2018. Even if we exclude the S$1 million fine in the SingHealth and IHiS case, the remaining S$280,000 already doubles the 2018 total. (Straits Times, 22 Sep 2019: https://www.straitstimes.com/tech/data-privacy-breaches-fines-hit-new-annual-high)

I did an analysis of the enforcement cases this year and found that about 80% of these were in breach of Section 24 of the PDPA – failure to properly protect the data under one’s care. Another common breach is Section 12 – failure to implement policies, processes and training of staff on data protection.

These breaches are not due to hacking but to a lack of processes, training and awareness. For example, a network engineer changed a firewall rule without careful consideration and without approval, which let in ransomware; or an employee sent emails to a list of customers with their addresses in the “cc” field instead of the “bcc” field.

Many cases are traced to third-party vendors. They could be freelancers or companies that built the websites and systems. Worse, in many of the rulings by the PDPC, it was found that too many contracts were vague about roles and responsibilities.

Effective IT operations and outsourcing management are essential to ensure PDPA compliance.

*****

Young Technology Consulting is experienced in helping businesses address the fundamentals of PDPA compliance through the IT operations and outsourced vendor management aspects of their operations.