The “I did not know!” Defence and “Do I really need not have A Personal Data Protection Policy in My Organisation, I didn’t think I needed it”?
That is exactly what the management of “Bud Cosmetics Pte Ltd” (“Bud Cosmetics”) told the Commissioner of the Personal Data Protection Commission in Re Bud Cosmetics Pte Ltd [2019] SGPDPC 1.
This argument was of course rejected completely as ignorance of the law is no excuse, said the Commissioner.
The Commissioner then directed that Bud Cosmetics:
- pay a financial penalty of $11,000 within 30 days,
- engage a duly qualified personnel to conduct a security audit of its Website and IT systems, and
- develop an IT security policy to guide its employees on the security of personal data of its Website and IT System within 60 days.
For failing to take necessary steps, Bud Cosmetics suffered unnecessary and troubling costs and expenses, not to mention unwanted stress to the management facing the PDPC.
What Happened?
Here is what happened. The PDPC received a complaint from an individual about a member’s list containing personal data on the internet. There were at least 2300 names and personal data exposed on the internet.
Bud Cosmetics is an organic and natural skincare retailer specialising in natural skin care brands. It had an online store and a Website. Customers of Bud Cosmetics had to set up membership accounts on its Website. (sound familiar!) There was also a physical database (“Offline”) that was retained from its point-of-sale system. On-line database contained over 1,000 members since 2012 and this list had grown to about 2,400 registered members on the Online database.
Like most organisations, Bud Cosmetics sent email blasts and e-newsletters to its customers from both the Online database and Offline database.
On or about 6 April 2017, the affected individual complained that there was personal data of 2,300 members exposed on the internet and the individual’s data was one of it (much to this person’s distress). If you must know, the members list was exposed because there was a cyberattack on Bud Cosmetics host server in Australia and US and all was revealed because one of the image folders holding the data was unsecured.
To be fair to Bud Cosmetics, they took some steps to ensure that after the cyberattack, they improved security by adding “Sitelock” and other features and conducted daily scans of its Website. Bud Cosmetics tried to blame it on the cyberattack and that it happened in 2012. The Commissioner did not buy this explanation.
Organisations Must Take Proactive Steps to Comply
The Commissioner explained that the data disclosed in the Member’s List was definitely personal data under the PDPA as anyone could identify the individual from the data. It is interesting to note that the Commissioner said that although the PDPA came into force on 2 July 2014, Bud Cosmetics’ duty was to take proactive steps to comply with its obligations and not apply only to new personal data that may come into its possession but any existing personal data held in its possession or control.(emphasis added).
Privacy Policy Insufficient – How employees handle personal data is important
Bud Cosmetics tried to explain that it had a privacy policy on its Website (“Privacy Policy”) at the time of the incident. Another interesting point is that the Privacy Policy only notified customers as to how the company would use and process their personal data but did not set out the procedures or practices as to how the company and its employees should handle and protect the personal data.
Bud Cosmetics thought (quite incorrectly) that PDPA only prohibited organisations from sending marketing messages to Singapore telephone numbers that were registered with the Do Not Call Registry. They admitted that they did not implement any data protection policies or practices on personal data. It was unaware of its Data Protection Obligations under the PDPA and it had just started considering a Data Protection Policy because other companies were beginning to have them in their website.
Formalised Data Protection Training For Employees
This is when the Commissioner said that ignorance of the law is no excuse and its lack of obligations under the PDPA cannot excuse its breach. It is also clear that data protection training was grossly missing in this organisation and more importantly, employees would have been better able to protect privacy when they were able to recognise issues to personal information. In Bud Cosmetics, they did not provide any formalised data protection training for its employees. (Is it a question of not knowing how or what training to provide to the employees?)
Carrying Out Vulnerability Scans Or Penetration Tests On Websites
The Commissioner asked if Bud Cosmetics took reasonable security steps to prevent unauthorised access as set out in section 24 of the PDPA. They had the control of the data and were responsible for ensuring the security of the Website. They should have conducted periodic penetration testing or vulnerability assessments and promptly fixed to prevent data breaches. Again like most SMEs, the management never considered the adequacy of the security of its Website or IT systems. The Commissioner commented that Bud Cosmetics never conducted any vulnerability scans or penetration tests to ensure that its Website was sufficiently protected.
We ponder exactly how many SMEs and online providers and retailers actually carry out vulnerability scans and penetration tests on a regular basis. We think the numbers are very small. Most SMEs and some larger organisations would also assume that our website host would have in place all the security to look after our website requirements. In Re Bud Cosmetics Pte Ltd [2019] SGPDPC 1 that duty, among other things, fell squarely on the organisation to have checked for “bugs” and “cracks” in its Website. Again, in smaller organisations, this exercise to test Website would not be so automatic and to some organisations unheard of. Larger organisation have the resources, we think they would not have any excuses not to invest in IT security.
Overseas IT Vendors – Make Sure that Their Standard Of Protection is Equal or Better Than Our PDPA
Lastly, Bud Cosmetics case discusses about choosing IT vendors who are overseas. Bud Cosmetics had website hosting services in Australia and US. Companies have a duty under section 26 of the PDPA to ensure that recipients of personal data outside of Singapore have legally enforceable obligations to provide the same if not better standards of protection captured in the PDPA. If your information was going overseas, the bottomline is that you would have to extremely careful as the breaches carried overseas could still land your organisation in trouble.
Concluding Comments
Many SME companies, like Bud Cosmetics, all have this false sense of security that their websites would be taken care off by their website hosting IT providers. Contented to merely placing simple privacy policies on their Website, they assume that it would take care of the problem. Many more organisations think that compliance with PDPA is not the organisation’s problem but to be solved by other parties.
Bud Cosmetics learnt it the hard way. They were fined $11,000 (which is no small amount), and directed to engage qualified personnel to conduct a security audit and to develop an IT security policy. More expenses and time engaged in correcting the errors. Could this have been avoided or did the obligation still fall heavily on training employees to recognise the PDPA obligations? Was it due to the inevitable cyberattack in 2012 such that Bud Cosmetics could not have done anything significant. Was the Commissioner too harsh on Bud Cosmetics for focusing on the business especially when the PDPA only became a hot button topic in Singapore from July 2014. After all these lapses happened in 2012, less was known about cyberattacks and personal data protection.
Have a question or need legal advice?
If you have a legal question regarding legal issues concerning intellectual property, you can request for a Quick Consult with Anil Lalwani or other lawyers. With Quick Consult, you can check out in minutes and for a transparent, flat fee from S$49, the lawyers will call you back on the phone within 1-2 days to answer your questions and give you legal advice.
This article is written by Anil Lalwani from DL Law Corporation.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.