Reference no: EM132918169
Potential data breach after travel agency employee loses hard disk
The authorities are investigating a potential data breach after a travel agency employee lost a hard disk containing personal details of clients. The employee of Insight Vacations had taken the disk out of the office without authorisation and lost it in a taxi on the way home. The disk, which has not been recovered, contains the names, mailing addresses and NRIC details of more than 200 clients, as well as the names, mailing addresses and mobile numbers of more than 5,000 people on the agency's mailing lists. The incident came to light only after the agency recently conducted an internal review of the best practices for data protection.
"We immediately reported the incident to the relevant authorities after we discovered the accidental loss as we felt it was important to take a proactive approach to alerting those affected on the risks of someone misusing their mobile number or mailing address," she said. "We value the importance of our guests' privacy and, as a company, regularly review policies regarding customer data privacy."
"Insight Vacations and our parent company, The Travel Corporation, take security of customer data seriously and regret that this incident has happened," she said. "We have extensive policies and procedures governing the security of customers' personal information, including the use of portable data storage devices, and are conducting a thorough review of potentially affected records and taking measures to further improve our data security going forward."
Insight Vacations said it will be engaging third-party experts on data privacy and system security, and is implementing mandatory training for employees provided by a global data security training provider.
A spokesman for the Personal Data Protection Commission said it is investigating after it was notified of the incident. Insight Vacations e-mailed its clients and people on its mailing lists yesterday to inform them that it was actively monitoring for indications of information being leaked. The recipients were advised to take precautionary steps to avoid falling victim to fraudulent activities. Singapore had its most serious data breach in June when the personal data of 1.5 million SingHealth patients was compromised.
(a) In the Insight Vacations case, the company discovered the breach when it conducted a review of its data protection. It is therefore important for the company to adopt a sound privacy pledge. Differentiate six (6) elements of such a privacy pledge that the company should include.
(b) When the breach was discovered, the company undertook various steps in its recovery process. In its communication with the affected clients, an effective apology is an important component. Discuss the two (2) elements of an effective apology that Insight Vacations should bear in mind.