Legal Exposure Of A Company In The Event Of A Data Breach
In our previous article, we discussed measures a company should consider taking in response to a data breach.1 In this article, we will expand the discourse to the potential liabilities a company may be exposed to, and the measures available to reduce the risks of being held liable in the event of a data breach.
Potential Liabilities under the Personal Data Protection Act 2010 (“PDPA”)
Under the PDPA, as a data user, a company is obligated to adopt reasonable measures to safeguard any personal data that is being stored or processed. It is also incumbent upon the company to establish and implement a viable security policy. This policy must include provisions for specific security measures such as anti-virus and anti-malware softwares, as well as access control protocols.2
The consequences of a company being held liable for breach of its obligations under the PDPA due to a data breach is considered severe. The company may be prosecuted and upon conviction be liable to a fine not exceeding RM300,000. Additionally, individuals held responsible for the breach may be liable to imprisonment up to a term not exceeding 2 years.3
In the case of Fei Fah Medical Manufacturing Pte Ltd,4 the personal data of users including user IDs and passwords, telephone numbers, and email addresses were exposed publicly on a website following a data breach. The company, despite having engaged an IT firm to oversee the security protocols of their website and servers, was still found to be in breach of the Singapore Personal Data Protection Act 2012 (“Singapore PDPA”) by the Data Protection Commission of Singapore. This was due to evidence which showed that the company had simply left its responsibilities to the third-party IT firm to implement any security features they deemed fit and thus, the company had limited knowledge of the security measures implemented on its website and servers. As a consequence of the breach, the Data Protection Commission of Singapore ordered the company to pay a fine of SGD 5,000, in addition to other penalties.
A data breach may occur even with the most comprehensive data security systems in place. In such circumstances, in order to reduce the risk of being liable following a data breach, a company should ensure that they have complied with the requirements to implement reasonable security measures as discussed above. In addition, if the company has appointed a third-party IT vendor, the company must nevertheless periodically undertake the necessary verifications to ensure that the IT vendor has complied with the regulatory requirements. The company should also maintain proper records of regular system maintenance, periodic reviews and updates to anti-virus software, penetration testing and any other system security related information as evidence to prove that they have complied with the obligations under the PDPA so as to not be held liable in the event of a data breach.
Potential Liabilities due to claims brought by Customers
When a company is found to be in violation of the PDPA, it will only be subject to the penal sanctions under the PDPA. However, the customers, i.e., victims of a data breach, are not entitled to seek compensation arising from a data breach incident under the PDPA. Nevertheless, customers impacted by a data breach may initiate legal action in the civil courts to seek redress for violations of their privacy.
Though the right to privacy is recognised as a constitutional right under Article 5(1) of the Federal Constitution, the right only protects individuals against acts by the Parliament, Government and/or its agencies. As such, a claim for breach of constitutional right under Article 5(1) of the Federal Constitution cannot be sustained against private companies for data breaches.
However, the affected customers may sue the company in tort under causes of action such as breach of confidence / breach of privacy. To succeed in these claims, the most crucial element to be proven is whether the information disclosed by the data breach was confidential. As such, in the event of a potential claim, companies should seek professional legal advice on what defences may be available to them in law based on the particular facts of the case. If a company is found liable for breach of privacy, the court will award damages to the customer.5 The amount of damages awarded will depend on the loss suffered by the customer as a consequence of the breach.
Potential Liabilities arising from Ransomware Attacks
In the past, hackers typically acquire personal data through cyberattacks and subsequently sell the stolen data to third parties for financial gain. However, cyber criminals appear to increasingly employ ransomware attacks lately, where they could secure a ransom directly from the affected data users. This is supported by the latest statistics which indicate a 16% year-on-year rise of detected ransomware attacks in 2022.6
Click here to continue reading. . .
Footnotes
1. You may access our previous article here:
2. Code of Practice for licensees under the Communications and Multimedia Act 1998
3. Section 5 of the Personal Data Protection Act 2010
4. Fei Fah Medical Manufacturing Pte Ltd [2016] SGPDPC 3
5. Maslinda bt Ishak v Mohd Tahir bin Osman & Ors [2009] 6 MLJ 826; Lee Ewe Poh v Dr Lim Teik Man & Anor [2011] 1 MLJ 835
6. Surin Murugiah, 'Ransomware attacks in Malaysia up 16% y-o-y in 2022, says Trend Micro' (Theedgemarkets, 8th March)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.