Duty to safeguard private data

Two publicised data breaches last week involving personal information of more than 300,000 people show how far some companies here are from keeping personal data safe, despite a privacy law that requires them to do so. The first arose from a design flaw in telco M1's webpage for the pre-order of the new iPhones. This inadvertently allowed at least one visitor access to personal data of 12 customers. In the second more serious case, personal data of more than 317,000 customers of karaoke bar chain K Box were published online after the company's database was hacked by a group over a peeve unrelated to the business.

K Box faces possible sanctions for lax security under the new personal data protection law that came into force in July. Smaller companies like K Box might plead for some leeway because of smaller budgets available for security software to prevent data breaches. Such an argument should be roundly rejected because K Box and others have no business collecting and keeping private data like identity card numbers for simple transactions. A higher duty of care should be expected when financial information is stored. If a breach similar to the one at American home improvement retail giant Home Depot - which compromised 56 million credit and debit cards - were to occur here, a stricter standard should apply.

What is needed is not just better technology and systems but also stronger security policies that include inculcating a culture of security-mindedness among staff. Studies have shown that external hazards from hackers account for just one third of cyber security breaches, with the rest coming from internal threats such as insider theft, negligence, and misconduct of vendors and contractors.

Businesses can save themselves a lot of trouble by simply avoiding the over- collection of private data. And consumers can protect themselves better by simply not supplying their identity cards or disclosing their dates of birth for garden-variety purposes like loyalty cards and contest or feedback forms.

Computer users in general need to awake to the heightened risks of hacking by setting passwords that are stronger, changing these more frequently, and not resisting authentication processes that call for a one-time code sent to a mobile phone or displayed on a security token. However inconvenient the validation system, it pays to be cautious when exchanging sensitive information online.

Last year was an epic one for data losses affecting over 822 million records worldwide. It can happen to anyone. There is no totally foolproof system, but the more barriers created between users and potential hackers, the better.