Forum: Stricter laws needed on how firms store collected data

I am writing in response to the recent data breach of MyRepublic's customer information (Hackers possibly stole personal data of 79,400 MyRepublic customers, including copies of NRICs, Sept 10).

In its e-mail to subscribers, MyRepublic admitted violating the data retention rules under the Personal Data Protection Act (PDPA) by storing the scanned identity cards/utility bills beyond the time required.

It further compounded this violation by storing them with a third-party data storage provider.

The data that was stolen basically enables any criminal to perform a complete takeover of someone's identity.

A scanned copy of an identity card, along with all the personal information stolen, allows any criminal to subscribe to or cancel services, bank accounts, and/or credit facilities.

This is an extremely serious matter and the apology, along with the six-month credit monitoring service offered by MyRepublic, comes nowhere close to fixing the problem.

The PDPA prescribes fines for such offences, but does not address the psychological harm that customers suffer as a result of such breaches, not to mention the very possible financial losses that can result.

This breach will not be the last, and the severity is a direct result of the Government requiring Know Your Customer (KYC) policies for more and more services.

If the Government wants companies to implement KYC policies, there need to be stricter laws governing the storing of the data and documents collected, and requiring such companies to use only the Singpass MyInfo portal for identity verification.

Jonathan Boon
