The operator of the popular e-commerce website Love Bonito was recently penalised by the Personal Data Protection Commission (“PDPC”) for failing to comply with the protection obligation under the Personal Data Protection Act 2012. This note discusses one key aspect of the ruling of the PDPC – the implementation of 2-factor authentication protocols.
In December 2019, Lovebonito Singapore Pte Ltd, the operator of the Love Bonito retail website, notified the PDPC of a data breach in which the personal data of some 5,561 of its customers was exfiltrated by an unknown party.
In the investigation that followed, the PDPC found Love Bonito’s IT security arrangements to be inadequate and determined that the company had failed to comply with the protection obligation under the Personal Data Protection Act 2012. As a consequence, the company was initially ordered to pay a penalty of S$29,000, although the quantum was reduced to S$24,000 after the PDPC accepted certain representations in mitigation.
This case is of particular importance because of the comments of the PDPC on the implementation of 2-Factor Authentication (“2FA”) for administrative accounts. 2FA refers to an authentication arrangement in which a user’s identity is verified by a combination of two distinct factors. Typically this is something the user knows (such as an account password) coupled with something only the user has (such as a code sent by text message to the user’s mobile phone, or a code generated by an authenticator application on the user’s mobile device); the user’s biometric information, strictly speaking something the user is rather than has, may also serve as the second factor.
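To make the “something the user has” factor concrete, the following is an added example, not part of the PDPC decision, the PDPC guidance or any Love Bonito system: an app-generated code of the kind mentioned above, implemented per RFC 4226 (HOTP) and RFC 6238 (TOTP), together with a server-side check that gates an administrative login behind both a password and the code. The shared secret and the timestamps are the RFC test vectors, not real credentials; `TotpVerifier`, `admin_login` and the account record layout are illustrative names chosen here.

```python
"""Added example: the two factors behind an administrative login.

Not from the PDPC decision or from Love Bonito; the shared secret and the
timestamps used in __main__ are the RFC 4226 / RFC 6238 test vectors.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real enrolment gives each account its own random secret, e.g. secrets.token_bytes(20).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks a 4-byte window
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check of the 'something the user has' factor (illustrative class).

    Tolerates `window` steps of clock drift either side, compares in constant
    time, and never accepts a step at or below the last one consumed, so a
    code captured by phishing or shoulder-surfing cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted = -1      # in production: persisted per account, not per process

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted:
                continue             # already used (or older than a used code): reject replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted = counter
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    """'Something the user knows', stored as a salted PBKDF2-HMAC-SHA256 hash rather than in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def admin_login(password: str, code: str, record: dict, verifier: TotpVerifier, unix_time: int) -> bool:
    """Hypothetical login gate: both factors must pass.

    `record` is an illustrative account record {"salt": bytes, "pw_hash": bytes}.
    The OTP is only checked (and consumed) once the password factor has passed,
    so an attacker without the password cannot burn the legitimate user's codes.
    """
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    if not password_ok:
        return False
    return verifier.verify(code, unix_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (8 digits, SHA-1): 59 -> 94287082, 1234567890 -> 89005924
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))
    salt = b"\x00" * 16                               # constructed; use os.urandom(16) per account
    record = {"salt": salt, "pw_hash": hash_password("correct horse", salt)}
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print(admin_login("correct horse", totp(RFC_TEST_SECRET, 59), record, verifier, 59))   # True
    print(admin_login("correct horse", totp(RFC_TEST_SECRET, 59), record, verifier, 59))   # False: replay
```

The point a practitioner should take from the verifier is that “mandatory 2FA” is more than prompting for a code: the check has to be constant-time, bounded to a small drift window, and one-shot per time step, otherwise a code intercepted from an administrator can simply be reused within its 30-second validity.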
The protection obligation of the PDPA is contained in section 24. It provides that an organisation must make reasonable security arrangements to protect personal data in its possession or under its control against unauthorised access (and similar risks) and against loss.
In the present case, the PDPC was particularly influenced by the fact that the company could have, but did not, make 2-factor authentication mandatory for administrative accounts that had access to sensitive personal data.
Referring to its 2021 Handbook on How to Guard against Common Data Breaches and its 2021 Guide to Data Protection Practices for ICT Systems, as well as guidance issued by privacy regulators in the UK, Canada and Australia, the PDPC decided that henceforth the adoption of 2FA would be expected as the baseline standard for administrative accounts that have access to sensitive personal data or to a large quantity of personal data.
This means that an organisation must implement 2FA for administrative accounts and remote access accounts that have access to information systems hosting sensitive personal data or a large quantity of personal data. An organisation that fails to do so will be presumed to have breached section 24 of the PDPA, and it will be for that organisation to show cause why it should not be penalised.
For further information, please contact:
Eric Chan, Partner, Shook Lin & Bok