While technological innovations make business processes and the delivery of goods and services much quicker and more efficient, they also come with serious considerations on privacy and security issues. Whether your company is already using the latest technology or planning for extensive digital transformation, being equipped with the know-how and resources to maximise security for both internal and client data is of paramount importance.
Enforcement of PDPA
The Personal Data Protection Act (“PDPA”) was implemented to deal with protection of individuals’ data. Enforced by the Personal Data Protection Commission (“PDPC”) of Singapore, the PDPA consists of nine data protection obligations: consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, and openness. Several big companies in Singapore that experienced issues regarding data security, including L'Oréal Singapore and Creative Technology.
L'Oréal Singapore operated a website, developed and maintained by a third party vendor, which used a login portal that allowed customers to access their profile information, including their name, e-mail and postal addresses, mobile number, and date of birth. In trying to improve the website’s loading speed, the Company authorised the vendor to make the necessary changes without scoping the UATs (“User Acceptance Tests”) to cover the portal’s login and caching functions. This caused customers’ personal data being cached upon logging in to the website, disclosing these data to the next customer until the cache was cleared. Consequently, personal data of seven customers were leaked to unauthorised users.
Just this year, the PDPC issued a warning after finding L'Oréal Singapore in breach of Section 24 of the PDPA (the protection obligation), which requires an organisation to make reasonable security arrangements to protect customers’ personal data in its possession, so as to prevent unauthorised access, use, disclosure, copying, modification and other risks.
Creative Technology received a more severe judgment after an unknown hacker used SQL (“Structured Query Language”) techniques to obtain personal data of 484,512 users from the Company’s online support forum. In 2004, Creative operated and hosted a forum where users could exchange ideas and information on Creative’s products. Seven years later, the Company began using a third-party forum software called Bulletin to help operate and host the forum internally. However, Creative was unaware of Bulletin’s SQL vulnerability. This left information on the forum exposed to hackers using SQL techniques. Although its developers released patches to handle this issue in 2016, Creative failed to install them. In 2018, the forum was hacked. Creative was consequently fined S$15,000 by the PDPC for not adopting precautionary measures against data leaks and breaches.
Companies that rely on such technological innovations or even membership apps to stay connected with their customers must implement basic controls to ensure safety, security and privacy of their users’ data.
Pro’s tips for data protection
In order to ramp up data protection and security measures, and avoid running afoul of the PDPA, companies should ensure that their web and mobile app developers observe several best practices, beginning with writing a secure code.
Most hackers target bugs within a code so that they can reverse engineer it to gain access to personal data on a website or mobile app. Developers must use hard coding and signing so that their code is impossible to be hacked, yet easily updated and patched. They must make sure that they regularly test the system and fix identified bugs. Encryption is also necessary for all data exchanged on an app or a website to avoid cyber theft.
Developers who use third-party libraries should be especially cautious about testing the code before implementing it in their app, as some of these libraries can be highly insecure. Controlled internal repositories and policy controls can also help to tighten cybersecurity.
At the same time, companies should use only authorised APIs (“Application Programming Interfaces”) to avoid hackers from accessing privileges. Experts prefer central authorisation in order to maximise security.
With weak authentication being a major factor in security breaches, high-level or multi-factor authentication is also crucial. More web and mobile app developers are designing sites and apps that accept only strong alphanumeric passwords, with some even require them to be renewed periodically.
Other features of a multi-factor authentication include static passwords and dynamic OTPs (“One-time Passwords”). Google, for instance, uses two-step verification, whereby users logging in to their Gmail accounts can also adjust their Google settings to include either a phone prompt, text message or call, or security key.
Highly-sensitive mobile apps now require biometric authentication such as fingerprint or retina scan, and tamper-detection technology to send alerts to developers in case anyone tampers with their codes.
Additionally, the principle of least privilege (“POLP”) is also often employed by web and app developers as a way to limit access rights to perform a function. Under the POLP, users have the permission to read, write or execute only resources that are absolutely needed to complete their tasks. This Principle can also be used to restrict access rights for systems, devices, processes and applications to the bare minimal.
Outsource data protection
Companies like us offer data privacy and protection services to assist businesses with PDPA compliance, attaining DPTM (“Data Protection Trustmark”) certification, employee awareness training, and conduct reviews and analyses to implement solutions where needed.
Feel free to reach out to us and find out more and how our F&B, retail and consumer products team can assists you.
Partner & Deputy Industry Lead, F&B, retail and consumer products
T: +65 6715 1338
Yang Li Lian
Director & Industry Lead, F&B, retail and consumer products
T: +65 6594 7897