The Singapore Law Gazette

It is Not So Cloudy After All: Legal Remedies When Cloud Storage Rains on You

Cloud storage is changing our lives in many ways. Whether one uses it to store personal data or as a repository of confidential business documents, cloud storage appears to be the future of storing and retrieving data securely and conveniently. The COVID-19 pandemic has also demonstrated the importance of cloud storage as part of business continuity plans. However, convenience comes at a cost, and of late a number of users have been exposed to data breaches. Coupled with the increasing dependence on cloud storage, it is timely that users pay attention to the potential legal remedies available to them in the event of a data breach by a cloud service provider, as well as to some of the limitations of these remedies. This article thus discusses some of these legal remedies in greater detail.

Introduction

Globally, the four most popular cloud platforms to store private data are Dropbox, OneDrive, Google Drive and iCloud.[1] The COVID-19 pandemic has only accelerated the proliferation of cloud computing as employees become extremely reliant on cloud-based services to store both company and personal data.[2]

On the other hand, it has become increasingly common to read of personal data breaches in the media.[3] A data breach is an incident where information is stolen or taken from a system without the knowledge or authorisation of the system owner.[4] This information could contain personal or confidential data. The most commonly reported causes of data breaches are hacking or malware attacks, and unintended disclosures.[5]

For example, in September 2020, an independent security researcher revealed that a leak which emerged in June 2020 had exposed the confidential personal information of about 100,000 Razer customers. Razer then sued its IT solutions provider, Capgemini, for at least US$7 million in losses. On 21 July 2022, a former Capgemini employee admitted that he was the source of the breach.[6] It was also reported in July 2022 that public officers reported 178 cases of data leaks by the Singapore Government in the year ended 31 March 2022, but none of these were severe.[7] In July 2022, it was reported that virtual currency exchange operator Quoine had been fined S$67,000 for failing to protect the personal data of more than 650,000 customers. This was reportedly the first breach of the Personal Data Protection Act 2012 (PDPA) by a cryptocurrency firm.[8]

Another frequent cause of data breaches is unintended disclosure through either negligence or mistake.[9] In 2017, a web hyperlink to a cloud-based Excel spreadsheet was accidentally changed from “private” to “public”, allowing anyone to access the personal details of over 140 students from the National University of Singapore.[10]

The following sections will analyse some of the potential legal remedies, including remedies under the PDPA, contractual remedies, and claims for breach of confidence, that may be available to an aggrieved user in a situation where the user’s data has been compromised in a data breach of a cloud service provider.

Personal Data Protection Act 2012

The PDPA was passed in 2012 and came into effect in 2013. It was intended to govern the collection, use and disclosure of personal data. Its key purpose is the recognition of both the right of individuals to protect their personal data, and the need for organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.[11] The Personal Data Protection Commission (PDPC) was established to administer and enforce the PDPA.[12]

1. Financial penalties

When personal information has been misused by an organisation, one could make a report to the PDPC. The PDPC is empowered to impose financial penalties on organisations or persons that have contravened certain provisions of the PDPA.[13]

In the cyberattack on the patient database system of Singapore Health Services Pte Ltd (SingHealth), where the personal particulars of SingHealth’s patients were stolen, financial penalties of S$250,000 and S$75,000 were imposed by the PDPC on SingHealth and Integrated Health Information Systems Pte Ltd, respectively.[14]

In another incident involving a hospitality platform, a S$74,000 fine was imposed on Commeasure, RedDoorz Singapore’s website operator, for failing to put in place reasonable security arrangements to prevent a data leak.[15] A lower fine was imposed on RedDoorz despite a larger number of affected customers (i.e. 5.9 million customers), as the PDPC took into account several other factors, such as the impact of COVID-19 on the hospitality sector.[16]

2. Directions

In addition, the PDPC is also empowered to order an organisation to stop collecting, using or disclosing the personal data, and to destroy any personal data collected in contravention of the PDPA.[17] However, these two remedies may not be satisfactory if the individual has personally suffered loss or damage from the data breach.

3. Private action

The PDPA provides a right of private action to a person who suffers loss or damage.[18] The case of Bellingham, Alex v Reed, Michael [2021] SGHC 125 was the first private action brought under the PDPA.

The facts of the case can be summarised as follows. The appellant, Bellingham, left his previous employer, an investment management fund, to join a competitor. There, he emailed the respondent, Reed, who was a former client of his former employer, with a view to establishing a new business relationship. The email contained confidential information which the appellant knew from his previous employment. The respondent brought the claim on the basis that the appellant had contravened the PDPA by accessing confidential information from his previous employment while in his current new employment, without the respondent’s consent. The respondent sought an injunction to restrain the appellant from using or disclosing the respondent’s personal data, and damages for the distress he had suffered and the loss of control over his personal data.

The High Court agreed that there were indeed breaches of the PDPA, and would have allowed the injunctions as the PDPC was empowered to do the same, under what is now section 48I of the PDPA (previously section 29).[19] However, the Court declined to allow the respondent the right of private action, as the damages sought, i.e. distress and loss of control, were excluded from the interpretation of what is now section 48O of the PDPA (previously section 32(1)). The Court held that the right of private action functions as a statutory tort[20] and therefore the interpretation of “loss or damage” should refer to pecuniary loss, damage to property, or personal injury, similar to the heads of loss or damage applicable to torts under common law.[21]

Similarly, in Lloyd v Google LLC [2021] UKSC 50, the UK Supreme Court held that Lloyd’s claim against Google for breach of his data protection rights (and those of 4 million other Apple iPhone users) under section 13 of the UK Data Protection Act 1998 (DPA) should not proceed. The Court ruled that damages for non-trivial breaches of section 13(1) of the DPA required proof of financial loss or distress, and that “loss of control” of personal data was not enough.[22]

In contrast to the position in Singapore, Hong Kong’s personal data protection legislation makes it explicit that damages may include injury to feelings,[23] and thus a claimant’s right to damages for injury to feelings was recognised by a Hong Kong District Court.[24] As Bellingham, Alex v Reed, Michael [2021] SGHC 125 is being appealed at the time of writing,[25] the position on the right of private action in Singapore under the PDPA may continue to be developed further.

Contractual Breaches

Another possible remedy would be to claim for breach of contract. The law in Singapore recognises that an innocent party is entitled to damages for any breach of the contract. In the case of PH Hydraulics & Engineering Pte Ltd v Airtrust (Hong Kong) Ltd [2017] 2 SLR 129, the Court held that a good reference point for determining damages would be to place the innocent party, as far as payment of money allows, in the same position as if the contract had been performed.[26]

In that case, the appellant contracted with the respondent for a reel drive unit. The unit turned out to be defective and not fit for its purpose, thus breaching the contract. The appellant claimed for direct losses as a result of the breach and appealed for loss of profits to be included as part of the damages. The Court allowed the direct losses as they were well within the reasonable contemplation of both parties.[27] However, the Court declined the claim for loss of profits, due to the limitation of liability clause.[28]

Applying these principles, in the event of a data breach one should presumably be allowed to claim for direct losses, such as the costs of mitigating the damage and any other costs incurred as a result of it, subject to the objective test of reasonableness and the “traditional legal control mechanisms” such as causation and remoteness of damage.[29]

However, most cloud services contracts contain standard limitation of liability clauses and, as seen from the case above, these clauses could limit the types of damages recoverable. For instance, Google Cloud Platform’s terms and conditions state that “neither party will have any [l]iability arising out of or relating to the [a]greement for any (a) indirect, consequential, special, incidental, or punitive damages or (b) lost revenues, profits, savings, or goodwill”.[30]

In a situation where a cloud service provider declines to pay compensation on the basis of a limitation of liability clause or an indemnity clause, consumers could seek redress through the Unfair Contract Terms Act 1977 (UCTA). Under section 3(2) of the UCTA, a cloud service provider cannot exclude or restrict any liability in respect of a breach by reference to any contract term, unless the contract term satisfies the requirement of “reasonableness”.[31] Furthermore, if the indemnity clauses are unreasonable, pursuant to section 4 of the UCTA, cloud service providers would have to justify that those clauses satisfy the requirement of reasonableness.

In the event of a data breach, one could commence an action against a cloud service provider and seek the Court’s guidance in determining whether these exclusion clauses are valid. The law on damages as it relates to cloud services is in its formative years. It is difficult to predict how courts will determine whether any particular harm arising from a data breach constitutes direct or indirect damage.[32] If an exclusion clause similar to that in Google Cloud Platform’s terms and conditions is recognised as valid by the courts, then it would appear that one can only claim for direct damages.

In a 2011 US decision, the Court held that “[w]hen a contract limits recovery to direct damages, a plaintiff may recover only the difference between the amount paid and the value received”.[33] This could potentially mean that the costs of a data breach would not be covered if recovery is limited to the subscription fee paid to the cloud service provider, which is a paltry sum compared to the potential costs incurred when personal data is leaked. This would be akin to a court being placed between the “rock” of angry and litigious customers and the “hard place” of a cloud service provider who is not liable for anything other than the monthly cost of the service.[34]

Furthermore, another impediment is that the bulk of these cloud service providers are based overseas and the governing law of the contract is unlikely to be Singapore law. For instance, the Google Cloud Platform’s terms and conditions are governed by California laws.35“Google Cloud Platform Terms of Service” (Google Cloud, 29 March 2022) <https://cloud.google.com/terms> (accessed 24 July 2022), para 14.12(b). This would increase the complexity in bringing a claim against these cloud service providers.

Breach of Confidence

An individual may also seek redress by filing a civil claim for breach of confidence. While the law of confidential information is not codified by statutes in Singapore, the obligations of confidence are imposed by general common law. The watershed Court of Appeal decision in I-Admin (Singapore) Pte Ltd v Hong Ying Ting [2020] 1 SLR 1130 has provided guidance on the approach to protecting confidential information.

The facts can be summarised briefly as follows: the appellant, I-Admin (Singapore) Pte Ltd, was claiming against their former employees, the first respondent, Mr Hong, and the second respondent, Mr Liu. The appellant alleged that their former employees used confidential materials obtained during their employment with the appellant to develop a competing HR system that was similar to the appellant.36I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others (2020) 1 SLR 1130 at (14).

The Court agreed that the respondents had indeed used the confidential information for their own personal benefit and awarded damages to the appellant.37I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others (2020) 1 SLR 1130 at (66). The Court used a “modified approach”,38I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others (2020) 1 SLR 1130 at (61). which modified the approach in Coco v AN Clark (Engineers) Ltd [1969] RPC 41. The Court held that once confidential information has been accessed or acquired without the owner’s knowledge or consent, the presumption that there has been a breach of confidence is established.39I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others (2020) 1 SLR 1130 at (61).

This case accords more protection to businesses and individuals by imposing a confidentiality obligation not just on the cloud service providers but also on anyone who is aware or should have known that they are accessing confidential information. The obligation is then imposed on them to keep it confidential.

However, in the UK case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), DSG fell victim to a complex cyberattack where attackers accessed the personal data of many DSG customers. The claimant, Warren, was one such customer and sued for breach of confidence and misuse of private information, among other claims.

The English High Court struck out the breach of confidence and misuse of private information claims by reasoning that breach of confidence and misuse of private information required some positive wrongful actions by DSG. The wrong in this case was a failure to keep the data secure but such failure did not amount to positive conduct, given that DSG was a victim of the cyberattack.40Darren Lee Warren v DSG Retail Limited (2021) EWHC 2168 (QB) at (18)-(32). The case therefore calls into question whether claimants can seek a breach of confidence claim in “external attacker” data breach cases.

Use as Evidence

Apart from the remedies described in the preceding paragraphs above, an individual should also be aware that electronically stored information can be produced and potentially discoverable in commercial litigation on an overwhelming basis than is the case with paper documents.41Ter Kah Leng, “E-Discovery of electronically stored information in commercial litigation” (2014) 30(2) Computer Law & Security Review 171-178. In the case of Dirak Asia Pte Ltd v Chew Hua Kok [2013] SGHCR 1, the Court had to address this issue in deciding the extent in which an email user can be said to have power over e-mails in the possession and custody of the e-mail service provider.42This was a task which mandated a contextual understanding of “power” under what is now O 11 of the Rules of Court 2021.

In that case, it concerned a discovery application brought by former employers against their former employees for breaches of fiduciary duties. The claimants claimed that the defendants had made unauthorised disclosure of confidential information to third-party competitors, one of whom was the respondent’s present employers.43Dirak Asia Pte Ltd and another v Chew Hua Kok and another (2013) SGHCR 1 at (4).

The claimants succeeded in their earlier discovery application for documents that would have shown that the sales were generated from the unauthorised use of the plaintiff’s confidential information and wanted to extend the discovery order to include emails from the defendants’ current e-mail accounts.44Dirak Asia Pte Ltd and another v Chew Hua Kok and another (2013) SGHCR 1 at (7). However, the defendants rejected the request on the basis that the e-mail accounts were in the cloud server that belonged to their current employers and that they did not have the “power” to allow the server to be accessed.45Dirak Asia Pte Ltd and another v Chew Hua Kok and another (2013) SGHCR 1 at (7).

The Court agreed that the “practical ability” to obtain e-mails does not necessarily equate to having the “power” to provide consent to access those e-mails, especially if a third-party’s consent is needed.46Dirak Asia Pte Ltd and another v Chew Hua Kok and another (2013) SGHCR 1 at (37). However, in that case, the Court allowed the claim on the basis that the defendants still exercised a strong degree of “control” that could “readily translate into actual possession”.47Dirak Asia Pte Ltd and another v Chew Hua Kok and another (2013) SGHCR 1 at (38). The defendants were still employed by their present employers who had given them full access to their emails. The defendants could have just downloaded a soft copy of the e-mails into a storage device or printed it out as a hard copy to comply with the discovery order.48Dirak Asia Pte Ltd and another v Chew Hua Kok and another (2013) SGHCR 1 at (39).

Applying these principles, it would be difficult for an individual to claim that one had no access to personal cloud data when it comes to discovery, and leaked data could potentially be used to draw an adverse inference against the individual, even in cases where access to the cloud is regulated or managed by a third-party cloud service provider. However, it should be noted that the publicly available data exception under the PDPA does not apply if the publicly available personal data was obtained through unlawful means at the outset.49Bellingham, Alex v Reed, Michael (2021) SGHC 125 at (37)-(38).

Pre-emptive Measures

While much of these risks with cloud storage are outside of an individual user’s control, businesses and users can still play a significant role in reducing the risks of data breaches. Proactive steps could be taken as a collective action in building safer online practices.

From a practical perspective, users could select a multi-tier cloud security (MTCS) certified cloud service provider to reduce the risk of data breaches. The MTCS standard for Singapore was developed under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Development Authority of Singapore.50“New Multi-Tier Cloud Security (MTCS) Standard Launched in Singapore” (Infocomm Development Authority of Singapore, 13 November 2013) <https://www.imda.gov.sg/news-and-events/Media-Room/archived/ida/Media-Releases/2013/new-multi-tier-cloud-security-mtcs-standard-launched-in-singapore> (accessed 28 July 2022). The ITSC promotes and facilitates national programmes to standardise information technology and communications, and Singapore’s participation in international standardisation activities.51There are several certified cloud service providers in the list, ranging from IaaS to SaaS MTCS certified: see “Multi-Tier Cloud Security Singapore Standard (SS584)” (Vista Infosec, 19 May 2021) <https://www.vistainfosec.com/blog/multi-tier-cloud-security-singapore-standard-ss584/> (accessed 28 July 2022). The PDPC has also launched an infographic to help organisations start implementing good practices to secure personal data in the cloud platform.52“Good Practices to Secure Personal Data in the Cloud Platform Infographic Now Available” (Personal Data Protection Commission, 18 July 2022) <https://www.pdpc.gov.sg/news-and-events/announcements/2022/07/good-practices-to-secure-personal-data-in-the-cloud-platform-infographic-now-available> (accessed 29 July 2022). See also “Advisory Guidelines on the Personal Data Protection Act for Selected Topics” (Personal Data Protection Commission, 17 May 2022) <https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topics/Advisory-Guidelines-on-the-PDPA-for-Selected-Topics-17-May-2022.ashx?la=en> (accessed 29 July 2022).

Conclusion

While it may not be possible to conceive every possible solution for aggrieved users when a cloud service provider’s data breach does affect them, the first step is to understand these risks and be familiar with some of these legal remedies when things go wrong. In the unfortunate situation of a data breach by a cloud service provider, one should be equipped to handle the situation and possibly protect their interests better through the buffet menu of legal recourse available.

The current civil claim brought by Razer against its IT solutions provider could also potentially shed more light on how the courts would address such disputes in the future. At the time of writing, the IT vendor’s ex-employee had admitted in court to causing the breach that led to customers’ data leak.53Selina Lum, “Trial of Razer’s $9.7m suit over data leak cut short after IT vendor’s ex-employee concedes causing breach” (The Straits Times, 22 July 2022) <https://www.straitstimes.com/singapore/courts-crime/trial-of-razers-us7m-suit-over-data-leak-cut-short-after-it-vendors-ex-employee-concedes-causing-breach> (accessed 28 July 2022). But it remains to be seen if the Court would award the entire US$7 million in losses that Razer is seeking. The assessment of damages would naturally be of interest to cloud service providers and users. The case could potentially set a strong precedent on how contractual disputes involving cloud service providers might develop in future.

Endnotes

Endnotes
1 Dale Walker, “Cloud Storage: How secure are Dropbox, OneDrive, Google Drive, and iCloud?” (IT Pro, 14 April 2022) <https://www.itpro.co.uk/cloud-security/34663/cloud-storage-how-secure-are-dropbox-onedrive-google-drive-and-icloud> (accessed 28 July 2022).
2 For instance, the global cloud storage market has been growing exponentially. It is now worth over US$83 billion and projected to reach approximately US$376 billion by 2029: see “Cloud Storage Market Size and Regional Forecast, 2022-2029” (Fortune Business Insights, April 2022) https://www.fortunebusinessinsights.com/cloud-storage-market-102773 (accessed 12 July 2022).
3 The Thales Global Cloud Security Study 2021 reported that 40% of organisations surveyed experienced a cloud-based data breach in 2021: see Maria Henriquez, “40% of organizations have suffered a cloud-based data breach” (Security Magazine, 29 October 2021) <https://www.securitymagazine.com/articles/96412-40-of-organizations-have-suffered-a-cloud-based-data-breach#:~:text=The%202021%20Thales%20Global%20Cloud,in%20the%20past%2012%20months > (accessed 12 July 2022).
4 See “Data Breach” (Trend Micro Incorporated) <https://www.trendmicro.com/vinfo/us/security/definition/data-breach> (accessed 20 July 2022).
5 In 2016, hackers attacked and retrieved over three billion Yahoo user accounts: see Alina Selyukh, “Every Yahoo Account That Existed in Mid-2013 Was Likely Hacked” (NPR, 3 October 2017) <https://www.npr.org/sections/thetwo-way/2017/10/03/555016024/every-yahoo-account-that-existed-in-mid-2013-was-likely-hacked> (accessed 10 July 2022). In 2012, 68 million account records were stolen in an attack on Dropbox, suspected to be via a social engineering attack: see “Dropbox hack affected 68 million users” (BBC, 31 August 2016) <https://www.bbc.com/news/technology-37232635> (accessed 10 July 2022). See also Juliana De Groot, “Social Engineering Attacks: Common Techniques & How to Prevent an Attack” (Data Guardian, 14 March 2022) <https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack> (accessed 28 July 2022). See also “Network Attacks and Network Security Threats” (Cynet) <https://www.cynet.com/network-attacks/network-attacks-and-network-security-threats/> (accessed 28 July 2022).
6 Selina Lum, “Trial of Razer’s $9.7m suit over data leak cut short after IT vendor’s ex-employee concedes causing breach” (The Straits Times, 22 July 2022) <https://www.straitstimes.com/singapore/courts-crime/trial-of-razers-us7m-suit-over-data-leak-cut-short-after-it-vendors-ex-employee-concedes-causing-breach> (accessed 28 July 2022).
7 Irene Tham, “Public sector data leaks jump 65% to 178 cases last year, but none severe” (The Straits Times, 28 July 2022) <https://www.straitstimes.com/tech/tech-news/public-sector-data-leaks-jump-65-to-178-cases-last-year-but-none-severe> (accessed 28 July 2022).
8 Rei Kurohi, “Crypto exchange operator Quoine fined $67,000 over breach of 650k customers’ data” (The Straits Times, 20 July 2022) <https://www.straitstimes.com/tech/tech-news/crypto-exchange-operator-quoine-fined-67000-over-breach-of-650k-customers-data> (accessed 24 July 2022).
9 Locally, in 2020, 100,000 Razer customers’ personal information were leaked. It was alleged that this was caused by the negligence of a staff of their IT vendor. The staff was responding to a login issue and in the process accidentally keyed in a wrong character which removed the security firewalls and exposed customers’ personal information: see Kul Bhushan, “Razer seeks $7m from Capgemini for 2020 data breach” (Techinasia, 13 July 2022) <https://www.techinasia.com/razer-sues-vendor-capgemini-2020-security-breach> (accessed 24 July 2022). See also “Data Breach” (Imperva) <https://www.imperva.com/learn/data-security/data-breach/#:~:text=Unintended%20disclosure,internal%20server%20to%20the%20Internet.> (accessed 28 July 2022).
10 National University of Singapore [2017] SGPDPC 5.
11 Personal Data Protection Act 2012 (2020 Rev Ed), s 3.
12 Personal Data Protection Act 2012 (2020 Rev Ed), s 5(2).
13 Personal Data Protection Act 2012 (2020 Rev Ed), s 48J(1).
14 Singapore Health Services Pte Ltd and others [2019] SGPDPC 3.
15 Commeasure Pte Ltd [2021] SGPDPC 11.
16 Commeasure Pte Ltd [2021] SGPDPC 11 at [20].
17 Personal Data Protection Act 2012 (2020 Rev Ed), s 48I(2).
18 Personal Data Protection Act 2012 (2020 Rev Ed), s 48O.
19 Bellingham, Alex v Reed, Michael [2021] SGHC 125 at [94].
20 Bellingham, Alex v Reed, Michael [2021] SGHC 125 at [49].
21 Bellingham, Alex v Reed, Michael [2021] SGHC 125 at [76].
22 Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50 at [115] and [159].
23 Personal Data (Privacy) Ordinance (Cap. 486), s 66(2).
24 Tsang Po Mann v Tsang Ka Kit and Another [2021] HKCU 665.
25 Bellingham, Alex v Reed, Michael [2021] SGHC 125 at [96]-[101].
26 PH Hydraulics & Engineering Pte Ltd v Airtrust (Hong Kong) Ltd and another appeal [2017] 2 SLR 129 at [62].
27 PH Hydraulics & Engineering Pte Ltd v Airtrust (Hong Kong) Ltd and another appeal [2017] 2 SLR 129 at [153].
28 PH Hydraulics & Engineering Pte Ltd v Airtrust (Hong Kong) Ltd and another appeal [2017] 2 SLR 129 at [156]-[157].
29 Family Food Court (a firm) v Seah Boon Lock and Another (trading as Boon Lock Duck and Noodle House) [2008] 4 SLR(R) 272 at [55].
30 “Google Cloud Platform Terms of Service” (Google Cloud, 29 March 2022) <https://cloud.google.com/terms> (accessed 24 July 2022), para 12.
31 See Unfair Contract Terms Act 1977 (2020 Rev Ed), s 11 and Second Schedule.
32 Scott Nonaka and Scott Rubino, “Contracting in the Cloud: Who Pays for a Data Breach?” (Bloomberg Law, 20 September 2016) <https://news.bloomberglaw.com/tech-and-telecom-law/contracting-in-the-cloud-who-pays-for-a-data-breach> (accessed 28 July 2022).
33 In re Heartland Payment Sys., Inc., 834 F. Supp. 2d 566 (S.D. Tex. 2011).
34 Michael A. Stoolman, “The Cause of Action for Breach of Data?: The Problem with Relying on Courts when Managing the Risks of Cloud Services” (2018) 70 Rutgers University Law Review 717-748, 726.
35 “Google Cloud Platform Terms of Service” (Google Cloud, 29 March 2022) <https://cloud.google.com/terms> (accessed 24 July 2022), para 14.12(b).
36 I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others [2020] 1 SLR 1130 at [14].
37 I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others [2020] 1 SLR 1130 at [66].
38 I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others [2020] 1 SLR 1130 at [61].
39 I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others [2020] 1 SLR 1130 at [61].
40 Darren Lee Warren v DSG Retail Limited [2021] EWHC 2168 (QB) at [18]-[32].
41 Ter Kah Leng, “E-Discovery of electronically stored information in commercial litigation” (2014) 30(2) Computer Law & Security Review 171-178.
42 This required a contextual reading of the word “power” in the discovery rules, now found in O 11 of the Rules of Court 2021.
43 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 1 at [4].
44 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 1 at [7].
45 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 1 at [7].
46 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 1 at [37].
47 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 1 at [38].
48 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 1 at [39].
49 Bellingham, Alex v Reed, Michael [2021] SGHC 125 at [37]-[38].
50 “New Multi-Tier Cloud Security (MTCS) Standard Launched in Singapore” (Infocomm Development Authority of Singapore, 13 November 2013) <https://www.imda.gov.sg/news-and-events/Media-Room/archived/ida/Media-Releases/2013/new-multi-tier-cloud-security-mtcs-standard-launched-in-singapore> (accessed 28 July 2022).
51 The list of MTCS-certified cloud service providers spans providers certified for IaaS through to SaaS offerings: see “Multi-Tier Cloud Security Singapore Standard (SS584)” (Vista Infosec, 19 May 2021) <https://www.vistainfosec.com/blog/multi-tier-cloud-security-singapore-standard-ss584/> (accessed 28 July 2022).
52 “Good Practices to Secure Personal Data in the Cloud Platform Infographic Now Available” (Personal Data Protection Commission, 18 July 2022) <https://www.pdpc.gov.sg/news-and-events/announcements/2022/07/good-practices-to-secure-personal-data-in-the-cloud-platform-infographic-now-available> (accessed 29 July 2022). See also “Advisory Guidelines on the Personal Data Protection Act for Selected Topics” (Personal Data Protection Commission, 17 May 2022) <https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topics/Advisory-Guidelines-on-the-PDPA-for-Selected-Topics-17-May-2022.ashx?la=en> (accessed 29 July 2022).
53 Selina Lum, “Trial of Razer’s $9.7m suit over data leak cut short after IT vendor’s ex-employee concedes causing breach” (The Straits Times, 22 July 2022) <https://www.straitstimes.com/singapore/courts-crime/trial-of-razers-us7m-suit-over-data-leak-cut-short-after-it-vendors-ex-employee-concedes-causing-breach> (accessed 28 July 2022).

Lecturer of Law
Singapore University of Social Sciences

Ben Chester Cheong is a full-time Lecturer of Law at the Singapore University of Social Sciences. He holds an LLM from the University of Cambridge and an LLB (1st Class Hons) from the University of Exeter, and placed 3rd out of 664 candidates in the Singapore Bar Exams (Part B). He is admitted to practise law in both England & Wales and Singapore, and also serves as Of Counsel in the Financial Services (Regulatory) Practice at RHTLaw Asia LLP.

Khairul Anwar runs his own HR consultancy and is concurrently a second-year law student at the School of Law, Singapore University of Social Sciences.