High-profile personal data security breaches have increasingly been the headlines of late. In December 2013, Target Corporation, a giant retailing company in the United States, disclosed that hackers had gained unauthorised access to payment card data. Subsequent investigations revealed that the stolen information included names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
Earlier this year, the South Korean Financial Services Commission suspended the operations of three credit card firms for three months, after an employee of a third party contractor engaged by the firms used a portable hard drive device to steal credit card data. About 20 million customers were said to be affected by the firms' data breach.
In April, it was announced that the Monetary Authority of Singapore ("MAS") had taken "appropriate supervisory actions" against Standard Chartered Bank ("SCB") as a result of 647 private banking clients' data that were stolen through a server of the bank's third-party service provider. The MAS also reminded financial institutions to implement robust controls to safeguard customer information.
These cases show that no organisation that collects or processes personal data is immune from data security risks.
In Singapore, section 24 of the Personal Data Protection Act ("PDPA") requires organisations to protect personal data in its possession or control by making reasonable security arrangements. It is not specified what security arrangements are considered "reasonable", and understandably so. Non-binding Advisory Guidelines to the PDPA ("Guidelines") recognise that there is no 'one size fits all' solution to comply with this obligation. Examples of security arrangements are administrative measures, physical measures, technical measures or a combination of these.
Implementing technical measures to address current vulnerabilities and threats is critical. The Guidelines provide that such measures include ensuring that computer networks are secure, adopting appropriate access controls, encrypting personal data and installing appropriate computer security software. Recently, a US federal judge granted permission to the US Federal Trade Commission to sue Wyndham Worldwide Corporation, an international hotel management company, for failing to take similar technical measures, such as using firewalls and strong user IDs and passwords, as well as up-to-date operating systems and security updates. These alleged lapses led to more than 619,000 consumer payment card accounts being hacked and more than US$10.6 million in fraud loss.
Organisations must also anticipate potential vulnerabilities and threats in a dynamic cyber-environment, so that existing security arrangements do not become obsolete. The Guidelines provide that organisations should update computer security and IT equipment regularly. In January 2013, Sony Network Entertainment Europe Limited ("Sony Network") was fined £250,000 by the United Kingdom Information Commissioner's Office ("UKICO") following the hacking of the "PlayStation" network platform that compromised the personal information of millions of customers. The UKICO found that although Sony Network had tried to protect account passwords, it failed to ensure that its service provider kept up with technical developments despite the technical resources available.