It is unfortunate that data breaches today are getting more commonplace, with Fullerton Health among the latest to be affected (Fullerton Health's booking vendor hacked, Oct 26).

There was little reported on the responsibility and culpability of Fullerton Health in this instance as the spotlight was on the healthcare provider's vendor, Agape Connecting People.

Fullerton Health may have outsourced its contact centre services but it has a fiduciary duty to its clients and patients, and is responsible for ensuring the data and services it outsources to any third party are secure.

It can do this by requesting audit reports be performed on its third-party vendors, or it can check the third party's data custodianship regularly.

After all, the data that was compromised belonged to customers of Fullerton Health, and not of Agape Connecting People.

This shifting of blame on vendors is not healthy in the cyber security realm. It does not foster responsibility and accountability.

For sound corporate governance in cyber security, it is important to understand that while operations can be outsourced, one cannot outsource responsibility.

Keong Jiun-Wen