[TMT] Legal Exposure Of A Company In The Event Of A Data Breach

Law Firm: Lee Hishammuddin Allen & Gledhill
Subject Matter: Corporate/Commercial Law, Privacy, Technology, Corporate and Company Law, Data Protection, Security
Author: Mr G. Vijay Kumar
Published date: 05 June 2023

In our previous article, we discussed measures a company should consider taking in response to a data breach.1 In this article, we will expand the discourse to the potential liabilities a company may be exposed to, and the measures available to reduce the risks of being held liable in the event of a data breach.

Potential Liabilities under the Personal Data Protection Act 2010 ('PDPA')

Under the PDPA, as a data user, a company is obligated to adopt reasonable measures to safeguard any personal data that it stores or processes. It is also incumbent upon the company to establish and implement a viable security policy. This policy must include provisions for specific security measures such as anti-virus and anti-malware software, as well as access control protocols.2

The consequences of a company being held liable for breach of its obligations under the PDPA following a data breach are severe. The company may be prosecuted and, upon conviction, be liable to a fine not exceeding RM300,000. Additionally, individuals held responsible for the breach may be liable to imprisonment for a term not exceeding 2 years.3

In the case of Fei Fah Medical Manufacturing Pte Ltd,4 the personal data of users, including user IDs and passwords, telephone numbers, and email addresses, was exposed publicly on a website following a data breach. The company, despite having engaged an IT firm to oversee the security protocols of its website and servers, was still found by the Data Protection Commission of Singapore to be in breach of the Singapore Personal Data Protection Act 2012 ('Singapore PDPA'). The evidence showed that the company had simply left it to the third-party IT firm to implement whatever security features it deemed fit, and the company therefore had limited knowledge of the security measures actually implemented on its website and servers. As a consequence of the breach, the Data Protection Commission of Singapore ordered the company to pay a fine of SGD 5,000, in addition to other penalties.

A data breach may occur even with the most comprehensive data security systems in place. In such circumstances, in order to reduce the risk of being held liable following a data breach, a company should ensure that it has complied with the requirement to implement reasonable security measures as discussed above. In addition, if the company has appointed a third-party IT vendor, the company must nevertheless periodically undertake the necessary...
