Lazada’s Personal Data Breach and Rethinking Cost-Benefit Analysis of PDPA Compliance

Lazada’s Data Breach

Lazada reported that its Redmart customers’ personal data had been illegally accessed and sold online. The stolen data includes names, phone numbers, email and mailing addresses, encrypted passwords and partial credit card numbers of 1.1 million accounts.

The Personal Data Protection Commission (PDPC) has been informed. If Lazada is eventually found to have failed to put in place reasonable security arrangements to protect the personal data, it will be subject to penalties. 

Yet one wonders how effective the penalties are in making organisations, especially large profit-making ones, take users’ personal data seriously.

Breaches by other tech companies

Considering that companies which present technology as the core driver of their business (e.g. in e-commerce and digital services) handle a significant amount of consumers’ personal data as a matter of their core business, one would expect them to take personal data seriously. Is this the case?

Take, for example, Ninja Van. In Ninja Logistics Pte Ltd [2019] SGPDPC 39, it was found to have knowingly allowed 1.26 million individuals’ data to be at risk of disclosure or unauthorised access, including their name, address, the Tracking ID, and/or the name and signature of the person who had accepted the delivery. The fine was $90,000. That’s 7 cents per individual.

Ninja Van was valued at about $750 million in 2020 based on its Series D funding round of S$395 million. What would it have cost to secure the technological infrastructure before the application went live? Likely far more than the fine. Did consumers or customers turn elsewhere after the PDPC decision? One wonders.

In Grabcar Pte Ltd [2020] SGPDPC 14, the PDPC noted that it was the second time the company had made the same error, albeit on a different system. It proceeded with the application update without an adequate risk assessment of the vulnerability of personal data to exposure. About 21,500 individuals’ data was involved. It was fined only $10,000.

Simply put, it is possible that for some of these companies, the cost-benefit analysis weighs in favour of accepting the risk of personal data breaches over investing in security.

Of course, there is the outlier case of Singapore Health Services Pte. Ltd. & Ors. [2019] SGPDPC 3, involving SingHealth and IHiS, where the personal data of more than 1.5 million of SingHealth’s patients and outpatients, including medical records, was accessed and copied following a cybersecurity attack on its system by hackers. What made it more embarrassing was that Prime Minister Lee Hsien Loong’s medical data was among that data. Given the highly sensitive nature of the data and the scale, the penalties were $250,000 and $750,000 respectively.

In other cases where the personal data breach appears to be more a matter of ignorance or a one-time mistake, fines in a similar range to Grabcar Pte Ltd [2020] SGPDPC 14 were imposed. For example, in The Travel Corporation (2011) Pte. Ltd. [2019] SGPDPC 42, an employee lost her laptop, which contained personal data. Through the incident, it was found that the organisation had failed to implement adequate policies and to appoint a Data Protection Officer, and it was fined $12,000. Even so, this raises the same question. Is it cheaper to breach the PDPA in such a case than to incur the necessary costs to engage consultants and/or undertake a review and implementation of data protection systems?

Comparing Singapore with the European Union’s GDPR 

Under Singapore’s Personal Data Protection Act (PDPA), the maximum fine is $1 million. With recent proposed amendments to the PDPA, companies with more than $10 million turnover may also possibly face a fine of up to 10% of annual gross turnover. This would possibly give the Act more teeth. 

In comparison, Article 83(4) of the European Union’s General Data Protection Regulation (GDPR) stipulates fines of up to 10 million euros, or up to 2% of the organisation’s entire global turnover of the preceding fiscal year, whichever is higher, for less severe violations. For especially severe violations, Article 83(5) stipulates fines of up to 20 million euros, or up to 4% of total global turnover of the preceding fiscal year, whichever is higher.

The largest penalties imposed under the GDPR have been substantially more than what we see in Singapore, with EUR 50 million on Google and EUR 35.2 million on retail giant H&M. (See GDPR enforcement cases here.)

In the British Airways case, the Information Commissioner’s Office (ICO) initially fined a whopping GBP 183 million for failing to put in place adequate security measures, which resulted in the personal data of 400,000 customers being unlawfully accessed. The fine was later reduced to GBP 20 million in the light of the economic impact of the Covid-19 pandemic.

Conclusion 

One hopes that a firmer stance on certain types of companies and businesses will be taken. The amendments to the PDPA on the maximum penalty may be the signal for this. We need a culture in which organisations, especially for-profit companies that deal with significant amounts of personal data, recalibrate their cost-benefit analysis and take users’ personal data seriously with adequate security measures and risk assessments.

One Reply to “Lazada’s Personal Data Breach and Rethinking Cost-Benefit Analysis of PDPA Compliance”

  1. Agreed – the fines have to be a % of revenues or it will be seen as a cost of doing business. More precisely – a contingent or probability-weighted cost of doing business, so effectively less than the nominal amount of the fines.
