pdpc_undertakings_version: 39
_id: 39
_item: 38
_version: 1
_commit: 1007
id: 5
organisation: StarMed Specialist Centre Pte Ltd
url: https://www.pdpc.gov.sg/undertakings/undertaking-by-starmed-specialist-centre-pte-ltd
timestamp: 2021-02-18

description:

Background

The Personal Data Protection Commission (the “Commission”) received a data breach notification on 7 February 2020 from StarMed Specialist Centre Pte Ltd (“StarMed”), informing that ransomware had infected one of its servers and encrypted a database containing 373 patients’ personal data. The personal data consisted of the name, NRIC number, date of birth, gender, electrocardiogram data and treadmill stress test data.

It was established that StarMed had not implemented the necessary security measures at the time of the incident. A Remote Desktop Protocol (“RDP”) Port had been left open, which likely enabled the unauthorised access to the database. In addition, both the server and database had weak login credentials and passwords.

Remedial Actions

After the incident, StarMed disabled the RDP Port and all public facing connections on the firewall. It also formalised its internal password SOPs into a written password policy. Additionally, StarMed rolled out several group-led IT security enhancement initiatives, including the implementation of a secured wide-area network and cybersecurity protection suite. StarMed will also continue to bolster staff awareness on cybersecurity issues through further training at its Cyber Security Awareness workshops, conducted by an external cybersecurity consultant.

Undertaking

The Commission considered the circumstances of the case and accepted an undertaking from StarMed to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 12 October 2020 (the “Undertaking”).

The Undertaking provides that StarMed was to:
(a) review password policies relating to StarMed’s servers and IT equipment storing personal data;
(b) review process of login authentication on StarMed’s servers and IT equipment storing personal data;
(c) review the need for an alert system in the event of multiple failed account login attempts to StarMed’s server and IT equipment storing personal data, including logging such attempts;
(d) once the Commission approves the proposed implementation plan, comply with every obligation set out in the implementation plan;
(e) appoint individuals of sufficient authority to oversee compliance with the Undertaking and to report the status of compliance to the Commission; and
(f) provide a status report to the Commission at a time requested by the Commission confirming whether StarMed has fulfilled each of the specific measures set out in the implementation plan.

StarMed has since provided the Commission with the status report referred to at para 5(f) above. The Commission has reviewed the matter and determined that StarMed has complied with the terms of the Undertaking.

Please click here to view the Undertaking.

pdf-url: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/undertakings/undertaking---starmed.pdf

pdf-content:

VOLUNTARY UNDERTAKING (“Undertaking”) TO THE PERSONAL DATA PROTECTION COMMISSION

This Undertaking is given to the Info-communications Media Development Authority designated as the Personal Data Protection Commission under section 5(1) of the PDPA (hereinafter referred to as the “Commission”), by:

StarMed Specialist Centre Pte Ltd
UEN: 201629251M
Registered Address: 7 Temasek Boulevard #12-10 Suntec Tower One Singapore 038987
(hereinafter referred to as the “Organisation”).

By signing this Undertaking, the above-named Organisation acknowledges the matters stated herein and undertakes to the Commission in the terms set out herein.

1. DEFINITIONS

1.1 In this Undertaking:
(a) “Commission’s Letter” means the letter dated [Date] from the Commission to the Organisation, concerning its investigation under the PDPA, including the appendices thereto;
(b) “Data Protection Provisions” means the provisions in Parts III to VI of the PDPA; and
(c) “PDPA” means the Personal Data Protection Act 2012 (No. 26 of 2012).

2. ACKNOWLEDGEMENTS

2.1 The Organisation hereby acknowledges the following matters:
(a) As referenced in the Commission’s Letter, the Commission has carried out investigations into certain acts and practices of the Organisation, which potentially infringe one or more of the Data Protection Provisions.
(b) As a result of any non-compliance with the PDPA by an organisation, the Commission has a number of enforcement options under the PDPA, including the option to give a direction under section 29 of the PDPA.
(c) The Commission recognises that the Organisation has made efforts to address the concerns raised in this case and to improve its personal data protection practices. In addition, the Organisation was cooperative in the course of the investigation and was responsive to requests for information. The Commission further recognises that the Organisation appears ready to implement the remediation plan set out in clause 3 below forthwith.
(d) Having carefully considered all the relevant facts and circumstances, the Commission takes the view that this is an appropriate case in which an Undertaking may be accepted.

2.2 The Organisation also acknowledges and agrees that the Commission may publish and make publicly available this Undertaking, and without limitation to the foregoing, the Commission may issue public statements referring to this Undertaking and/or its contents in whole or in part.

3. UNDERTAKINGS

3.1 The Organisation undertakes to take all necessary steps to implement and give effect to the conditions set out below within any stipulated time frames:

3.2
(a) Review password policies relating to the Organisation’s servers and IT equipment storing personal data i.e. password strength.
(b) Review the process of login authentication on the Organisation’s servers and IT equipment storing personal data i.e. access rights.
(c) Review need for an alert system in the event of multiple failed account login attempts to the Organisation’s server and IT equipment storing personal data, including logging such attempts.
(d) Provide, within fourteen (14) days of the date of acceptance of this Undertaking, a proposed remediation schedule to fulfil clause 3.1. The proposed remediation schedule shall state specific measures that the Organisation has taken and/or proposes to take to fulfil clause 3.1, as well as the time frame (the “Time Frame”) within which the Organisation expects to complete each of the specific measures (to the extent that these measures have yet to be completed). The overall Time Frame within which the Organisation proposes to complete all of the specific measures shall not exceed sixty (60) days beginning from the date of acceptance of this Undertaking.
(e) Provide a status report to the Commission within fourteen (14) days from the end of the Time Frame approved by the Commission confirming that the Organisation has fulfilled clause 3.1. The status report should provide details as to when and how each of the specific measures was completed.

In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the specific measures as set out in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants.

4. COMMENCEMENT

4.1 This Undertaking shall take effect upon the acceptance by the Commission of the Organisation’s duly executed Undertaking.

5. THE COMMISSION’S STATUTORY POWERS

5.1 In order to provide the Organisation with an opportunity to take all necessary steps to implement its undertakings set out in clause 3 above, the Commission will exercise its powers under section 50(3) of the PDPA to suspend the investigations referred to in clause 2 on the date the Undertaking takes effect as set out in clause 4.1.

5.2 The Organisation acknowledges that the Commission will verify the Organisation’s compliance with its undertakings set out in clause 3 above.

5.3 Clause 5.1 above shall be without prejudice to the Commission’s statutory powers to conduct or resume, at any time, the investigations referred to in clause 2 above if it thinks fit, including but not limited to the situation where the Organisation fails to comply with this Undertaking or part thereof in relation to any matter.

5.4 Nothing in this Undertaking, including the Commission’s acceptance of the Undertaking, is intended to, or shall, fetter or constrain the Commission’s rights and statutory powers (including but not limited to those under section 29 and section 50 of the PDPA) in any manner. Neither shall be construed as creating any anticipation or expectation that the Commission will take or not take any particular course of action in the future (whether in the present case or in respect of any other case concerning a breach or suspected breach of the PDPA). The acceptance of this Undertaking is strictly confined to the particular facts of the present case, and is made on the basis of the representations and information provided by the Organisation. The acceptance of an Undertaking in this case shall not be construed as establishing any precedent.

6. VARIATION

6.1 This Undertaking may be varied only with the express written agreement of the Commission.

This document has been electronically signed by Info-communications Media Development Authority and StarMed Specialist Centre Pte Ltd. The Parties hereby affirm that the electronic signatures have been affixed with the due authorisation of each Party and that Parties intend for the electronic signatures to carry the same weight, effect and meaning as hand-signed wet-ink signatures.

SIGNED, for and on behalf of StarMed Specialist Centre Pte Ltd
By the following:
Name: ______________________________________
Designation: _________________________________
Date: _______________________________________

ACCEPTED, for and on behalf of Personal Data Protection Commission
By the following:
Name: ______________________________________
Designation: Deputy Commissioner for Commissioner for Personal Data Protection
Date: _______________________________________

_item_full_hash: 05cb56a107d82eeeed481ae4c5479a6622f3f043