MLS’ financial representatives were not continuously conveyed and trained on up-to-date requirements for personal devices.
Singapore’s Personal Data Protection Commission (the Commission) received a data breach notification on 23 March 2020 from Manulife Singapore (MLS), about a representative who was licensed to provide financial advisory services representing MLS had misplaced an unencrypted thumb drive which contained the personal data of 104 individuals on 19 March 2020.
The personal data consisted of NRIC images, passport images, MLS forms used to conduct financial needs analysis for clients, MLS insurance application forms, medical reports, claims documents (current and past claims), insurance summaries for client portfolios.
The Commission found that MLS’ financial representatives were not continuously conveyed and trained on up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media via onboarding and refresher training sessions, circulars, and quarterly bulletins.
After the incident, MLS notified all affected individuals of the incident and monitored their insurance policies for unusual requests and/or transactions for a period of six months. A refresher training on privacy and data security was also conducted for MLS representatives.
The Commission considered the circumstances of the case and accepted an undertaking from MLS to improve its compliance with the Personal Data Protection Act 2012. The undertaking was executed on 15 January 2021 (the “Undertaking”).
The Undertaking provides that MLS was to:
- Take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A of the Undertaking
Provide a status report to the Commission at a time requested by the Commission confirming whether MLS has fulfilled each of the specific measures set out in the implementation plan.
- MLS has since provided the Commission with the status report referred to above. The Commission has reviewed the matter and determined that MLS has complied with the terms of the Undertaking.
In a statement to the Commission, Manulife said it has taken or will take all necessary steps to implement its remediation plan, namely, to carry out the actions referred to in Schedule A in accordance to the stipulated timelines.
“In addition, the Organisation undertakes to provide, and will ensure that it provides all necessary assistance that the Commission may require to verify the completion of the Organisation’s remediation plan in accordance with Schedule A referred to in clause 3.1, including (without limitation) granting the Commission and its representatives physical access to the Organisation’s premises, providing information and documentation to the Commission, and arranging for meetings and/or interviews with the Organisation’s staff, contractors and/or consultants,” states Manulife.