Three insurance firms fined for data breaches
Penalties of up to $30,000 for Aviva, NTUC Income, AIG
Three insurance companies have been fined by Singapore's privacy watchdog this year for inadvertently disclosing policyholders' documents to the wrong people.
Aviva, NTUC Income Insurance Cooperative and AIG Asia Pacific Insurance have been fined $30,000, $10,000 and $9,000 respectively by the Personal Data Protection Commission (PDPC).
All three cases involved lapses in printing and posting documents containing personal data.
Aviva faced the heaviest penalty as it had been fined for similar lapses last October.
The three are among the eight cases this year in which the PDPC has imposed fines.
The commission released an advisory yesterday spelling out the safeguards companies must have in place when handling documents containing personal data.
They include performing test runs when printing, as well as mandating a second layer of random checks by a supervisor when putting letters in envelopes.
ONE ENVELOPE, FOUR CLIENTS
Aviva's latest offence came about when it sent four underwriting letters meant for four different clients to one of them - in a single envelope.
The documents contained each client's full name, residential address, policy details and the sum assured.
The lack of additional checks was consistent with the "systemic problem" found last October, when Aviva was fined $6,000 for inadvertently disclosing a policyholder's insurance documents to the wrong person.
The PDPC said: "The organisation failed to conduct a more thorough review of its internal departments... that are subject to the same vulnerabilities and risk similar failures as the prior incident."
NTUC Income's offence involved 426 policy letters containing the names, residential addresses and policy details of clients. A staff member had mistakenly printed two different policy letters to different individuals - one on each side of a sheet of paper - and mailed the letter to one of the individuals. Again, checks were not made to prevent the inadvertent data leak.
In AIG's case, a wrong facsimile number - that of retailer Tokyu Hands - was printed on the policy renewal notices issued to policyholders.
The renewal notices contained the names, addresses and policy details of clients, and had fields for the clients to update their personal data, including payment details. Up to 125 renewal notices intended for AIG could have been mistakenly sent by clients to Tokyu Hands.
Get The New Paper on your phone with the free TNP app. Download from the Apple App Store or Google Play Store now
