
PDPC imposes S$8,000 fine on law firm for incorrect disclosure of clients’ personal data via emails

The Personal Data Protection Commission (PDPC) has issued an S$8,000 fine against a law firm after an administrative staff was found sending email correspondences meant for a client to an incorrect email address by mistake on two separate occasions in 2017.

A third email correspondence was mistakenly sent by Matthew Chiong Partnership’s Managing Partner and Data Protection Officer to the client with an attachment, which had mistakenly contained the names of two other clients of the firm.

Citing Commissioner Tan Kiat How’s grounds of decision, Deputy Commissioner Yeong Zee Kin stated in a case report on Mon (3 Jun) that Matthew Chiong Partnership, a real estate and property law firm, was found to have breached its Protection Obligation and Openness Obligation under Section 24 of the Personal Data Protection Act 2012 (PDPA).

Sensitive personal information such as the client’s bank name, the NRIC numbers of both the client and her sister, the loan account number at the bank, repayment information and collateral information were among the personal data wrongly disclosed as a result of the lapse.

“The disclosure of such information could have led to harm to the Complainant [the client affected by the data breach] and Sister [the client’s sister], as such financial information could have exposed the Complainant and Sister to the risk of fraud and identity theft.

“As such, the personal data of the Complainant and Sister which had been disclosed, when taken as a whole, constituted sensitive personal data,” according to the Commission.

The Deputy Commissioner added in his report: “Since the Organisation is in the business of providing legal services, and handles large volumes of personal data on a day to day basis, the Organisation and its staff members should be vigilant in its handling of personal data.”

“The fact that the same administrative staff managed to send the emails to the incorrect email address on two separate occasions within a period under one month […] despite being told of the mistake demonstrated that a culture of care and responsibility towards the handling of the personal data had not been sufficiently ingrained within the Organisation,” stressed the Deputy Commissioner in his report.

The Commission had also rejected the firm’s argument that the lapse was “a one-off mistake”.

Citing Re Furnituremart.sg [2017] SGPDPC 7, in which the organisation was found to lack the necessary policies and practices to protect personal data, the Commissioner concluded that Matthew Chiong Partnership’s mistake could not be considered a “one-off inadvertent disclosure”, as the firm was found to have failed to “implement reasonable security arrangements”.

“In response to the Commissioner’s request of the details of the Organisation’s security arrangements, the Organisation stated that:

(i) all employees were briefed on the need to keep private and confidential personal data of their clients on a regular basis; and

(ii) all employees were advised to cut and paste email addresses of clients from a legitimate source of information or click the “Reply” function to the email sent from a client rather than typing in the email addresses.

“However, the Organisation was unable to provide any evidence of such briefings to its employees,” the Commission’s report revealed.

The Commission added that a law firm such as Matthew Chiong Partnership must be subject to “a higher level of care and responsibility”, given that “a law firm and the staff handling conveyancing matters handle sensitive personal data on a day-to-day basis” and thus could have anticipated “risks of inadvertent disclosure of sensitive personal data”.

The Commission also found that “internal”, “verbal” staff briefings were insufficient to fulfil the firm’s obligations under Section 12 of the PDPA, given that “an organisation should have some form of written policy or practice in place in relation to protecting personal data, especially if the process is complex or if the organisation frequently deals with sensitive personal data on a daily basis”.

“A well-drafted written policy has the advantage over verbal instruction of being a resource that can generally be subsequently relied upon to provide clarity about the appropriate procedures and controls to employees and help minimize the chance for any misunderstanding or miscommunication.

“This may take the form of written standard operating procedures in dealing with personal data, which would set out the operational process of how employees should deal with personal data to prevent data protection breaches,” suggested the Commission.