Singapore data leak should prompt companies to review security measures, says expert

Out-Law News | 17 Sep 2014 | 3:57 pm | 1 min. read

The first data leak in Singapore to be reported in the media since the introduction of new data protection laws in the country should serve to warn businesses about their obligations to the security of personal data they are responsible for under the new regime, an expert has said.

Earlier this week Channel News Asia reported that the data of more than 317,000 customers of K Box Singapore, a karaoke entertainment provider, had been emailed to some media outlets in the country.

Customer information including K Box members' phone numbers, email addresses, dates of birth and marital status was among the data leaked, Channel News Asia reported.

In a statement reported by the news outlet, Sinagpore's data protection watchdog, the Personal Data Protection Commission (PDPC), said the Personal Data Protection Act in Singapore requires companies to take steps to preserve the security of personal information.

Data protection law specialist Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, said: "We note that the data breach has drawn the attention of the regulators even though these were the result of malfeasance on the part of third parties. It must be remembered that while organisations are required to only use collected personal data with consent, which is not the case here, they also have a separate duty to undertake reasonable security measures."

Under the Personal Data Protection Act, organisations are obliged to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks".

The PDPC has a range of sanctions open to it should businesses fail to adhere to rules set out under the Act. One option includes ordering businesses to pay a fine of up to SIN$1 million ($800,000).

In a separate recent case, Singapore mobile operator M1 confirmed that a "potential security breach" within its ordering system had been identified and fixed. The company had temporarily suspended orders from consumers for Apple's new iPhone devices "as a precaution to protect our customers' personal information".

"M1 places the utmost priority in protecting our customer data and privacy and has implemented strict processes and procedures to safeguard customer information including regular security audits," M1 said in a statement, according to a report by ZDNet. "We will be conducting a full review on this incident, and we sincerely apologize for the inconvenience caused."