Penalties for data breaches should hit firms harder in the pocket
Harsher fines make for stronger deterrents, and this is crucial, given the increasing digitalisation of businesses.
The recent data breaches at Lazada and Eatigo, as well as privacy lapses at other tech firms in Singapore, affirm the need for stiffer financial penalties and regulation by the authorities.
Singapore's amended data protection law, passed in Parliament on Monday, gives the Personal Data Protection Commission (PDPC) the power to impose harsher fines and to hold organisations accountable. This will bring the city-state up to speed with other jurisdictions.
Under the key changes to the bill, a company that infringes the Personal Data Protection Act (PDPA) can be fined up to 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher. The current cap for financial penalties is S$1 million.
What this means is that there is now greater scope for fines to act as stronger deterrents to companies that are lax in their cyber-security and data-privacy practices.
This is crucial as increasing digitalisation of businesses has led to data breaches becoming a real and pervasive threat.
Just last week, personal information from 1.1 million RedMart accounts was found to have been stolen from e-commerce firm Lazada and put up for sale on an online forum.
Online restaurant reservation platform Eatigo was also affected, with 2.8 million accounts potentially compromised.
The database, which was last updated more than 18 months ago, included names, phone numbers, e-mail and mailing addresses, and encrypted passwords.
The two cases are just the latest in a string of incidents this year. Other companies that have either suffered data-privacy lapses or were fined this year include Grab, Razer, ShopBack, RedDoorz, the Central Depository, SPH Magazines and Creative Technology.
With data breaches having potentially devastating consequences for the individuals affected, measures should be put in place to ensure that financial penalties are more than just a slap on the wrist for companies.
While some research has shown that data breaches can lead to reputational damage and loss of revenue for firms, this cannot be the main factor keeping companies in check. Tech giants and legacy organisations have their means of retaining their customers and attracting more, even when trust has been eroded.
Charmian Aw, a technology and data lawyer at Reed Smith, said that it is increasingly common for privacy watchdogs to adopt a "percentage of revenue" methodology in data-breach penalty frameworks.
The European Union's General Data Protection Regulation (GDPR) sets forth a fine of either up to 20 million euros (S$31.7 million) or up to 4 per cent of global turnover, or up to 10 million euros or 2 per cent of global turnover, depending on the severity of the violation. (Singapore's new framework will use domestic, not global, revenue.)
In Australia, proposed amendments to the data-privacy law will increase the maximum penalty from A$2.1 million to A$10 million (from S$2.02 million to S$9.62 million), or three times the value of any benefit obtained through the misuse of information, or 10 per cent of the company's annual turnover in Australia.
Ms Aw said: "So our PDPA will soon be more aligned with global standards on the imposition of financial penalties for breaches of data protection law."
Member of Parliament Desmond Choo raised the concern that the higher fines might create the impression that Singapore's data-privacy laws are much harsher than those of its neighbours, leading foreign companies to choose other Asian cities for their operations.
In response, Communications and Information Minister S. Iswaran said that financial penalties will be proportionate to the severity of the data breach.
Millions of dollars
In Europe, fines under the GDPR can go up to millions of dollars. Last month, British Airways was fined £20 million (S$35.3 million) by the UK's Information Commissioner's Office (ICO) for a 2018 data breach that affected more than 400,000 customers. This was even after the economic impact of Covid-19 on the airline was taken into account.
Singapore's most high-profile breach was a cyber attack in June 2018, which compromised the personal data of 1.5 million medical patients, including Prime Minister Lee Hsien Loong. For that, technology vendor Integrated Health Information Systems was fined S$750,000; SingHealth was fined S$250,000.
Source: Business Times © Singapore Press Holdings Ltd. Permission required for reproduction.