Aviva fined $6,000 for data breach

Insurer Aviva has been fined $6,000 for lapses that resulted in the inadvertent disclosure of a policyholder's insurance documents to the wrong person.

This is the second fine the insurance industry has attracted from the Personal Data Protection Commission (PDPC) in two months.

The commission was alerted to the breach in November last year, after the complainant received another policyholder's letters in his mail.

The letters contained confidential information including the policyholder's name, address, policy type, Central Provident Fund account number, contact number, date of birth and employer. The name and date of birth, among other details, of the person's dependant were also disclosed.

After an investigation, PDPC found a "systemic problem" with the way Aviva sent follow-up letters to its policyholders.

The staff member assigned to process these letters was the only one checking the letters before mailing them out.

There were no additional checks following the processing, printing and sorting of documents to ensure that the right documents were sent to the intended recipients.

The absence of a second layer of basic checks "amounted to extremely weak internal work process controls (that) fell far short of the standard of protection required for such sensitive personal data", said PDPC deputy commissioner Yeong Zee Kin in a decision paper issued on Wednesday.

As such, Aviva was found to have breached the Personal Data Protection Act, which requires organisations to put in place adequate security measures to protect consumers' personal data.

Organisations flouting the Act, in force since July 2014, can be fined up to $1 million.

When contacted, an Aviva spokesman said: "We view customer data protection seriously. This was an isolated incident. We have since taken steps to ensure the process is more robust."

In August, a former financial consultant with Prudential Assurance was fined $1,000 for improperly disposing of 12 policyholders' documents containing personal data such as names, NRIC numbers and insurance coverage details.

The former financial consultant had put the files in a plastic bag and simply dumped it at the second level of a multistorey carpark in Jurong West in October last year, thus subjecting the policyholders to data leaks.

In its advisory guidelines, PDPC had recommended that paper containing personal information be shredded into small pieces and not dumped in unsecured bins.

Similarly, personal data stored on electronic media such as computer hard disks, USB drives or DVDs must be erased using specialised software to avoid accidental data leaks.


A version of this article appeared in the print edition of The Straits Times on October 13, 2017, with the headline "Aviva fined $6,000 for data breach".