The costs of not protecting personal data

What is your personal data worth? How many of us stop to think about this question before we hand over our names, NRIC numbers, phone numbers and addresses just for a lucky draw? Do we think twice about why others even need to know our NRIC numbers?

The Personal Data Protection Act 2012 ("PDPA") has been in force for nearly three years now, yet, many organisations still do not seem to be aware of the grave risks of collecting too much personal data, or of not protecting personal data in an adequate manner. Individuals too, seem oblivious to the evils of others holding too much information about them.

The truth of the matter is that without strong personal data protection practices, organisations, big and small, will incur even greater costs and losses. Organisations should view practising good personal data protection as part of good organisational processes and essential costs that need to be incurred in much the same way that costs are incurred in protecting other assets belonging to the organisations.

The effective protection of personal data however, is a chicken and egg problem. If individuals continue to be complacent about the risks and dangers of handing over their personal data, organisations will continue to take a lax attitude, even as the Personal Data Protection Commission pursues errant organisations for PDPA breaches.

Perhaps a case from the US might jolt organisations and individuals to the very real monetary, psychiatric and emotional costs of poor data protection practices.

The case of Erin Andrews, if it had occurred in Singapore, would have been a sensational PDPA case.

Erin Andrews is sportscaster and television host who was stalked by a deranged fan, Barrett. She was staying at the Nashville Marriott Hotel and Barrett asked the employees of the hotel whether Andrews was a guest at the hotel. The employees confirmed that she was indeed a guest and the employees initially granted his request for a room next to her. Later, the hotel's employees informed Barrett that the room was not available. Barrett then went to the hotel restaurant and used a house phone to ask to be connected to Andrews' room. When he was connected, the house phone displayed Andrews' room number. Knowing in which room Andrews was staying, Barrett then went to the front desk to book the room next to Andrews' room.

As Barrett was staying in the room next to Andrews', he was able to monitor her movements, and he managed to remove the peephole from Andrews' door. Barrett waited until Andrews was in the shower and when she came out of the shower, he used a camera phone to digitally film her naked while she was getting dressed in her room without her knowledge or consent. Barrett initially tried to sell the nude videos but was unsuccessful; he then uploaded the nude videos of Andrews onto the Internet. As a result, Andrews suffered depression, public shame and humiliation, and psychological and psychiatric harm and she sued the hotel for negligence, amongst other legal claims as the US does not have a PDPA equivalent. A computer science professor testified at the court hearing that an estimate of at least 16.8 million people had viewed some of the video online, including on pornographic websites. The court awarded US$55m compensation to Andrews.

This case highlights the liability of employers for the mishandling of personal data by its employees; it also demonstrates that the monetary compensation amount can be quite substantial. The hotel employees had disclosed to Barrett that Andrews was a guest at the hotel, which was clearly a disclosure of personal data about Andrews without consent. Second, the internal hotel telephone system was not set up to protect the personal data of its guests and it disclosed her room number without her consent. This too was a breach of personal data protection by the hotel.

Remedies for such kinds of personal data breaches would often lie not just under PDPA but could well fall under tort law and contract law and other legal areas as well, depending on the circumstances. Compliance with personal data protection laws would assist organisations in greatly reducing their exposure to such risks and liabilities. Hence, employers should be vigilant to ensure that their employees are well trained in the proper handling of personal data and to put in place checks that personal data is properly handled by employees.

In the Erin Andrews case, there was little else that Andrews could have done to protect her personal data. In many of our every day scenarios however, we as individuals can practise better protection of our personal data by not so willingly part with our personal data for lucky draws, store discount cards and so on. Singapore has seen nearly 30 cases of breaches of the PDPA. None of the cases to date have caused harm as egregious as the Andrews case, but it is only a matter of time. In many of the Singaporean cases, poor implementation of technology and human errors have caused individuals' personal data, such as names, home addresses, mobile numbers and landlines to be publicly accessible, such as in the PropNex case.

Furthermore, whatever personal data we hand over can be easily matched and compiled so that others have a complete profile of us that we are not even aware of. The harms in the Andrews case were emotional, psychological and psychiatric for Andrews, and ultimately monetary for the hotel. These are just a few of the types of harms. Other kinds of insidious harms that may arise would include cybersecurity and big data centred types of harms.

About the author

Hannah YeeFen Lim is Associate Professor of Business Law at Nanyang Business School, NTU. She recently published a book, Data Protection in the Practical Context: Strategies and Techniques, with Academy Publishing, a division of the Singapore Academy of Law.

This commentary was published in The Business Times on 7 September 2017 and The New Paper on 8 September 2017.