The decisions published by the Personal Data Protection Commission (PDPC) in August 2023 highlight the need for organisations to undertake the following measures:
Between November 2022 and March 2023, a registered real estate salesperson sent approximately 6,120 unsolicited text marketing messages to 1,224 telephone numbers registered on the No Text Message Register of the DNC. The marketing messages were intended to advertise the salesperson’s real estate services.
The PDPC found that before sending the text messages, the salesperson did not obtain valid confirmation that the recipient telephone numbers were not listed on the DNC Registry. Though the salesperson obtained the telephone numbers prior to the PDPA’s enactment on 2 January 2014, the PDPC found no evidence that the salesperson obtained clear and unambiguous consent from any owner of the telephone numbers, whether before or after the PDPA’s enactment. The salesperson thus breached the duty to check the DNC Registry.
However, the PDPC only issued a warning because the salesperson was cooperative with the PDPC’s investigations and he showed a willingness to comply with other regulatory requirements, including providing his information as sender and providing recipients an unsubscribe option.
The other case decided by the PDPC dealt with an organisation’s breach of the obligation to protect personal data in its possession or control (Protection Obligation). E-Commerce Enablers runs an online platform that provides cashbacks, coupons, voucher codes and discount comparisons for its customers. At the time of the incident, E-Commerce Enablers hosted its customer database on virtual servers in an Amazon Web Services (AWS) cloud environment. The AWS key used to manage E-Commerce Enablers’ cloud environment was only accessible by a Site Reliability Engineering Team (SRE). In June 2019, the AWS key was inadvertently committed to software code in a private repository on GitHub by an SRE member. Though it was discovered two days later and intended to be replaced by a new key, an SRE member failed to fully disable the AWS key and remove it from GitHub’s commit history. In September 2020, a malicious actor accessed the AWS key and exfiltrated E-Commerce Enablers’ customer storage servers. The data, which included customers’ names, mobile numbers, NRIC numbers and bank account numbers, were later offered for sale on Raidforums, a marketplace for hackers.
The PDPC found that E-Commerce Enablers breached the Protection Obligation. Not only did E-Commerce Enablers lack robust processes to manage the AWS key, but it also failed to conduct periodic security reviews of the AWS keys. E-Commerce Enablers should not have placed sole reliance on its employees to protect personal data, as implementing other testing or independent verification practices could have detected the need to properly rotate or delete the compromised AWS key. Furthermore, upon discovery of the incident, E-Commerce Enablers took 15 days to conduct a key rotation which prolonged the data breach exposure. Due to E-Commerce Enablers’ inadequate protection measures and delayed remediation response, the PDPC issued a financial penalty of S$74,000.
Data collected before the PDPA’s enactment should be used in compliance with the PDPA. Organisations must also ensure that they develop and implement stringent measures to protect personal data which they process in order to prevent their unauthorised use and to promptly detect and remedy any security incidents.
OrionW regularly advises clients on data protection matters. For more information about how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.
