Is Protecting Your Customers’ Data Really That Important?

JTJB Legal Update February 2015

In the movie “Black Hat”, a convicted prisoner was freed from prison to help to apprehend a hacker who had destroyed a nuclear plant. The real reason behind all these was to manipulate the stock market involving millions of dollar by members of the underworld. For those in the information security business, Black Hat is also the name of a convention where information security professionals gather to exchange views amongst other things.

Unfortunately in real life, stealing data by criminal gangs is a profitable business but damaging for the victims in the process. For example in Sony’s recent hacking of its movie “The Interview” the estimated loss from that incident ranges between USD 83 million to USD 100 million. This however is much lower than USD 171 million incurred when Sony’s Play Station network was hacked in 2011. In any typical situation where data is breached, the real cost is not known until at least 6 months later as the company needs to carry out post incident remedial action after a breach.

In a recent 2014 study of 250 organizations from 11 countries by the Ponemon Institute which has been studying the cost of data breach for the last 9 years, the average cost is about USD 3.5 million per company for stolen or lost data. Closer to home last year 300,000 members’ personal details from the karaoke chain K Box were hacked and posted on several sites.  Similarly 12 customers of the local telco M1 personal information were exposed on the online pre-order form for the new iPhone.

There are 2 important consequences a company may face after suffering a data breach:

1) Severe reputational loss 

A company will suffer serious reputational loss if there is a breach of data through either their inability or neglect in keeping their customers’ data safe. In a 2012 survey of 843 executives in the US, it has been estimated that the brand value of their companies fell 17% to 31% following a data breach.

Neither is it hard to imagine this in our local context: If you use your credit card at a local store or supermarket, and your credit card details are stolen after that visit, it is likely you would hesitate to visit the store or supermarket again. This is especially so if that same credit card is also used to pay for your GIRO services. This is because as a security precaution you need to cancel that credit card. Next, you have to inform all your service providers in the GIRO services linked to the card and pay these GIRO service providers in cash instead. To do that you have to literally go to all your service providers and queue up at their counters to work out the administrative details and pay for the services consumed. You will soon be wondering why you are going through these inconveniences for that store or supermarket, and you are likely to find an alternative to them quickly.

2) Regulatory actions

Apart from reputational and loss of current and potential businesses, the company may also be prosecuted by the Personal Data Protection Commission. This is because under the Personal Data Protection Act 2012 an organization has a positive duty to protect the personal data in its possession or under its control.   It is also important to bear in mind the wide coverage for an offence under this Act:

(a) Both the company itself and an officer of the company through neglect or connivance can be charged under the Act for any data breach;

(b) An employer can be liable for the act of the employee regardless whether the employer is aware of the employee’s action leading to a breach of data. So for example, if the employee accidentally releases the personal data of the customers to a third party, the employer is still liable under the Act; and

(c) The company may mount a defence if the employer has taken positive steps to prevent such a possibility such as training the staff or through installing data protection software in their systems. The general penalty upon conviction per offence under the Act is a fine not exceeding $10,000 or imprisonment for a term not exceeding 3 years of imprisonment or to both.

In sum, data is the new “oil” for today’s commerce and losing your customers’ data in any form or manner can be fatal to your company. Just because there is low risk of fire, does not mean that we can dismantle the fire department because when a fire strikes, we wish that the fire department is just next door.

This update is for general information only and is it not intended to constitute legal advice. JTJB has made all reasonable efforts to ensure the information provided is accurate at the time of publication.

Contributed by:
K. K. Lim
Head, Corporate Compliance and Data Protection

KK joined JTJB in January 2015 to start up and head the Firm’s new practice area of corporate compliance and data protection.
He was formerly Chief Privacy Officer and Corporate Counsel (Asia Pacific) of a US healthcare research corporation. KK is also a member of the Institute of Internal Auditors (IIA Singapore) and an accredited mediator of the Singapore Mediation Centre. He has completed the Singapore Bar examination and is awaiting his call to the Singapore Bar.