Views

Personal data breaches can be costly

Think twice about giving up personal details to enter a lucky draw as companies may not protect it adequately

What is your personal data worth? How many of us stop to think about this question before we hand over our names, NRIC numbers, phone numbers and addresses for a lucky draw?

The Personal Data Protection Act 2012 (PDPA) has been in force for nearly three years, yet many organisations do not seem to be aware of the risks of collecting too much personal data, or of not protecting it.

Individuals too, seem oblivious to the evils of others holding information about them.

Without strong personal data protection practices, organisations will incur great losses.

Organisations should view good personal data protection as part of organisational processes to protect other assets.

The effective protection of personal data, however, is a chicken-and-egg problem.

If individuals continue to be complacent about the dangers of handing over their data, organisations will continue to take a lax attitude, even as the Personal Data Protection Commission pursues errant organisations.

Perhaps a case from the US might jolt organisations and individuals to the very real monetary and emotional costs of poor data protection practices.

Take the case of Erin Andrews, a sportscaster who was stalked by deranged fan Michael David Barrett.

She was staying at the Nashville Marriott hotel and Barrett asked the employees of the hotel whether Andrews was a guest there. The employees confirmed she was indeed a guest and initially granted his request for a room next to her.

Later, the employees told Barrett that the room was not available. He then went to the hotel restaurant and used a house phone to ask to be connected to Andrews' room. The phone displayed her room number.

Barrett then went to the front desk to book the room next door.

He was then able to monitor her movements and removed the peephole from her door.

Barrett waited until Andrews was in the shower and when she came out of it, he filmed her getting dressed in her room without her knowledge or consent.

Barrett tried to sell the nude videos but was unsuccessful. He then uploaded the videos onto the Internet.

As a result, Andrews had depression and sued the hotel for negligence, among other legal claims as the US does not have a PDPA equivalent.

Eventually, the court awarded US$55 million (S$74 million) compensation to Andrews.

This highlights the liability of employers for the mishandling of personal data by employees; it also shows that the compensation can be quite substantial.

The hotel employees had disclosed to Barrett that Andrews was a guest at the hotel, which was a disclosure of personal data about her without consent.

The hotel phone system was not set up to protect the personal data of its guests. This, too, was a breach by the hotel.

Remedies for suchbreaches would often lie not just under PDPA, but under tort law and other legal areas as well, depending on the circumstances.

Compliance with personal data protection laws would assist organisations in reducing their exposure to such risks.

Hence, employers should be vigilant to ensure their employees are trained in the handling of personal data.

The writer is Associate Professor of business law at Nanyang Business School in NTU. This article appeared in The Business Times yesterday.

cybercrimesecurity