With the dramatic increase of cyber threats during the pandemic, multiple data leaks were reported by major internet service providers and various government agencies within the span of a year. When examining the details of the breaches, it is evident that many of them occurred on the end of external vendors, which were targeted and exploited by attackers.
Outsourcing in the field of IT and cybersecurity is commonplace, as few companies have the resources and manpower to handle these aspects in-house. What should companies take note of in outsourcing arrangements where work involving the storage or processing of personal data is conducted by an external vendor?
Largest cyber-attack in Singapore
It would be instructive to refer to the case of Re Singapore Health Services Pte. Ltd. & Integrated Health Information Systems Pte. Ltd. [2019] SGPDPC 3, the largest cyber-attack on SingHealth’s patient database system which resulted in a data breach involving the personal data of 1.5 million patients.
A committee of inquiry convened by the Singapore government to examine the attack found that the Integrated Health Information System (‘IHiS’), SingHealth’s vendor and the technology outsourcing arm of hospitals in Singapore, lacked adequate levels of cybersecurity awareness, resources, and training to properly respond to the attack on SingHealth’s system.
More importantly, in finding that SingHealth had breached its obligations under data protection law, Singapore’s Personal Data Protection Commission (‘PDPC’) noted in its grounds of decision on the data breach that SingHealth personnel were overly dependent on IHIS in the immediate aftermath of the cyber-attack and failed to take the initiative to understand the significance of the information regarding suspicious activity provided by IHIS.
The decision of the PDPC further stated: “There should be a clear meeting of minds as to the services the service provider has agreed to undertake and organisations must follow through with procedures to check that the outsourced provider is delivering the services.” While work may be delegated to a vendor, the responsibility for complying with statutory obligations under data protection laws remain with the company as a data controller and may not be delegated. It is also the responsibility of the company to ensure that the vendor is able to comply with requirements under data protection law, and to proactively monitor the vendor’s performance.
Lessons drawn
The decision of the PDPC demonstrates that in spite of the provisions of security, operational, and notification obligations for personal data that comes into a vendor’s possession, which is typically accompanied by explicit data breach indemnification and limitation of liability language, the company cannot completely excuse itself from liability in the event of a data breach.
In addition, while a vendor may be contractually compelled to assist the company in fixing vulnerabilities, preventing additional data loss, and investigating the matter in the event of a data breach, it is the company who has to shoulder the ramifications of the data breach, such as complying with breach notification requirements, working with the authorities, and handling customer relations and the media.
While contract remains the primary means and, indeed, the bare minimum by which a company may protect personal data entrusted to a vendor, companies should take the following steps to ensure their preparedness for a potential data breach:
- Understand the nature and amount of personal data held by the company and conduct data protection impact assessments to identify and minimise data protection risks;
- Assemble a data breach response team and define their roles and responsibilities in breach detection, containment, and handling;
- Conduct tabletop exercises to simulate real-time crisis management, such as a phishing attack;
- Develop a data breach incident plan which sets out the procedure for breach containment and response, taking into account reporting and notification obligations and including a strategy for internal and external communications; and
- Conduct training and promote awareness amongst employees on how to tackle potential data breach incidents.
In conclusion, contracts alone may not be enough to mitigate data protection-related risks. The consequences of failing to put in place robust and comprehensive measures can be serious, ranging from fines and damages from claims brought by affected individuals to irreversible harm to the company’s reputation. At the same time, a company needs to balance compliance against costs and strive to future-proof its protective frameworks in an uncertain business environment with fast-evolving cyber and data protection threats. This is where collaborating with savvy legal professionals can help a company achieve a win-win outcome.
