Singapore regulator decision reminds entities of duty to monitor vendors

Even though RAIDForums was seized in early 2022, data leaks and breaches on the site are still having repercussions for entities. On May 11, the Singapore Personal Data Protection Commission (PDPC) issued a decision involving Kingsforce Management Services Pte Ltd. On January 31, 2022, the firm had notified the PDPC that on or about December 27, 2021, data from its jobseeker database had been seen for sale on RAIDForums. According to the decision released by the PDPC, that database held approximately 54,900 jobseeker datasets, comprising name, address, email address, telephone number, date of birth, job qualifications, last and expected salary, highest qualification, and other data related to job searches. Outdated website coding technology, with critical vulnerabilities, was determined by external investigators to be the cause of the Incident. The PDPC’s decision and identification of violations by Kingsforce included the following explanation: The Organisation admitted work had not been completed on the website at launch owing to contractual disputes with the developer. The Organisation subsequently engaged IT maintenance vendors in an effort to ensure the security of the website. However, maintenance had been ad-hoc and limited to troubleshooting functionality issues from bugs, glitches and/or when a page failed to load. In breach of the Protection Obligation, the Organisation failed to provide sufficient clarity and specifications to its vendors on how to protect its database and personal data. In Re Civil Service Club, the Commission had pointed out that organisations that engage IT vendors can provide clarity and emphasize the need for personal data protection to their IT vendors by a) making it part of their contractual terms, and b) reviewing the requirements specifications to ensure that personal data protection is reflected in the design of the end-product.1 Further, post-execution of the contract, an organization is also expected to exercise reasonable oversight over its vendor during the course of the engagement to ensure that the vendor is protecting the personal data by adhering to the stipulated requirements. Kingsforce was also found in violation for failing to conduct reasonable periodic security reviews, including vulnerability scans, since the launch of its website. After noting Kingforce’s cooperation and incident response, the PDPC decided on a corrective action plan without any monetary penalty. The decision and plan can be accessed at the PDPC’s website. But how many times have you seen any U.S. regulator take action because an organization has failed to adequately monitor its vendor or ensure that the vendor is protecting the personal data by adhering to any contractual obligations like patching promptly or conducting periodic pentests, etc.?