Singapore’s Personal Data Protection Commission (PDPC) has fined three insurance companies for lapses leading to leakage of their policyholder’s personal data.
The watchdog imposed penalties of SGD30,000 on Aviva, SGD10,000 on NTUC Income, and SGD9,000 on AIG Asia-Pacific Insurance, reported The New Paper. Aviva was slapped with the largest fine as it had already been penalised SGD6,000 for a similar offence in October last year.
The PDPC has also released an advisory, outlining the precautions companies must take when handling documents containing clients’ personal data. These include test runs during printing, as well as requiring a second layer of spot checks by a supervisor when documents are being put in mailing envelopes. The commission proposed amendments to relevant laws last year, requiring companies to notify consumers in case of certain data breaches.
Aviva’s most recent offence involved four underwriting letters meant for four different people to a single person, all contained in one envelope. The letters contained client’s full names, addresses, policy details, and sums assured.
“[Aviva] failed to conduct a more thorough review of its internal departments... that are subject to the same vulnerabilities and risk similar failures as the prior incident,” PDPC said.
NTUC Income’s error was printing two policy letters intended for different people on opposite sides of the same sheet of paper. According to PDPC, the insurer did not make checks to spot the error before the letters were sent out. A total of 426 letters were involved in the breach.
Meanwhile, AIG had printed a wrong fax number, which was actually that of Japanese products retailer Tokyu Hands, on 125 policy letters. PDPC said that AIG policyholders could have mistakenly sent their personal data to Tokyu Hands due to the misprint.