Analysis: S'poreans and businesses affected by service disruptions due to tech issues have little recourse
SINGAPORE — There is little recourse for individuals affected by technological disruptions to critical infrastructure or services such as at immigration counters or digital banking services.
- As Singapore further digitalises, technological glitches that cause various services to be disrupted will become more commonplace, say tech experts
- However, there's little recourse for those impacted, lawyers tell TODAY
- This is because software services often have terms and conditions that exclude them from liability, and tangible losses need to be proven
- Recourse is even harder in a breakdown of government-related software, though there are feedback options, said lawyers
- The experts spoke to TODAY following two recent incidents where disruptions in digital banking services and immigration checkpoints affected many people
SINGAPORE — There is little recourse for individuals affected by technological disruptions to critical infrastructure or services such as at immigration counters or digital banking services, said technology experts and lawyers.
They told TODAY that individuals have few options to claim damages when it comes to technological disruptions caused by corporate entities, such as the outage in DBS Bank's digital banking services last Wednesday (March 29).
When government-related services are disrupted because of technological glitches, as was the case last Friday when a "system overload" caused the automated immigration clearance system at Singapore's checkpoints to be unavailable, individuals and businesses impacted can do even less to seek compensation of any sort.
At the end of the day, the onus is on these corporate and government organisations to maintain their systems and to minimise the impact of any breakdown that happens, said the tech and legal experts.
TODAY looks at whether such disruptions will be more common as Singapore moves towards becoming a Smart Nation and what more the public can do to protect themselves.
Tech experts told TODAY that breakdowns in technological infrastructure are to be expected as Singapore moves towards greater digitalisation.
Some reasons for these breakdowns include hardware and software issues, human errors and cyber attacks.
Mr Ali Fazeli, an information security officer at Singapore-based Infinity Forensics, a cybersecurity and digital forensics firm, said: “The nation is growing its digitalisation efforts — now so many things are dependent on technology. You pay your bills, and can access your identity card on your phone.”
More technological usage means an increased potential of errors causing such breakdowns, Mr Ali added, noting that such critical digital infrastructure often has millions of users at any one time — a demand that is hard to mimic with stress testing software.
There are various insurance policies related to technology that individuals and corporations can take up, but these policies often cover cyber attacks and have various exclusions which may leave individuals with little recourse on that front.
Etiqa Insurance Singapore is one of the insurance companies offering cyber insurance for individuals and corporations.
Individuals can be covered by up to S$25,000 each year for four main cyber threats — namely cyber fraud, cyber extortion, restoration costs and identity theft — though there are exclusions such as losses from falling for an online love scam.
Businesses can also purchase cyber insurance that covers financial losses directly caused by a cyber event, such as when an unintentional information technology failure like a cyber attack shutting down a company’s computer system results in losses.
“With the nature of technological advancement, cybercrimes and attacks are always evolving in level of sophistication,” said Mr Raymond Ong, chief executive officer of Etiqa Insurance Singapore.
“This can present major challenges in cyber risk assessment. Insurers need to keep up with constant changes in the landscape.”
Mr Ong added that these policies do have exclusions, so consumers should be “vigilant in safeguarding their safety, both online and offline”.
In response to queries from TODAY, a Great Eastern spokesperson said that its travel insurance covers delays and cancellations that can arise from a “mechanical breakdown, equipment failure or any structural or technical fault on the part of the transport provider”, such as an airline.
However, there are caveats to the coverage — a tech fault caused by a natural disaster might mean that the incident is excluded from coverage for example.
It is also unlikely that a delay caused by a technical breakdown of an immigration system will be covered by travel insurance plans.
“If the delay happens, the policyholder simply has to get a written confirmation by the transport provider or their handling agents indicating the reason and duration of the delay,” added the spokesperson.
Ms Jessica Cheung, a senior associate at law firm Edmond Pereira Law Corporation, said that for last Friday's delays at Singapore's checkpoints due to the system overload, it would be “unfair” to attribute missing a flight to the Immigration and Checkpoints Authority (ICA).
Beyond providing the alternative of going through manual immigration counters, which ICA did, it is not liable to process people through customs as quickly as possible.
“If you are taken aside for enhanced security checks, you cannot simply say that missing your flight is a loss due to or attributable to ICA's failure,” said Ms Cheung.
PROVING DAMAGES ‘DIFFICULT’
While consumers and businesses impacted by a tech breakdown could consider taking legal action, lawyers say it might be a tough fight.
Mr Ben Chester Cheong, a lecturer at the Singapore University of Social Sciences’ School of Law said that Singapore has consumer protection laws that might mean some consumers are entitled to compensation.
These include the:
- Sale of Goods Act which requires businesses to provide goods that are of satisfactory quality, fit for their intended purpose, and as described
- Consumer Protection (Fair Trading) Act which protects consumers against unfair trade practices, such as false advertising, misleading claims, and unfair contract terms
- Unfair Contract Terms Act which contains statutory restrictions on the exclusion or limitation of liability by contract terms or notices
There is also a data protection law which requires businesses to protect the personal data of customers — meaning that if a tech failure results in a loss of personal data, a company might be liable for damages.
Mr Cheong also said that businesses can be held accountable for damages caused by their product under product liability law.
“For example, if a business provided a defective tech product that resulted in physical harm to a consumer or damage to property, consumers may be entitled to compensation under a claim of negligence,” said Mr Cheong.
“If a business breached a contract by failing to provide a promised level of uptime or performance, consumers may be entitled to compensation under contract law.”
However, proving the damages caused can be difficult, said Ms Gretchen Su, a partner at law firm Withersworldwide.
“For individual consumers to go after a service provider is quite difficult (because) they must have suffered a quantifiable loss, like a sum of money, and not just inconvenience,” she said.
These losses must also not be caused by something that is excluded in the terms and conditions written up by the service provider, which Ms Su said often leave consumers with little legal recourse.
However, she added that there are Government regulations which require major service providers to ensure that their systems are operational and any disruptions are resolved within a certain time frame.
“Internet Service Providers are regulated by IMDA (Infocomm Media Development Authority) and banks are regulated by MAS (Monetary Authority of Singapore), so extended service failures will be punished in the form of fines,” she said.
As for businesses, seeking recourse might be more straightforward should they have a service level agreement with the software service’s provider.
Mr Lim Tianjun, a lawyer with law firm That.Legal LLC, said: “In business-to-business services, it is typical for parties to negotiate a service level agreement that typically limits the amount of downtime that a service provider is allowed to incur.”
But what if the technological service is one provided by the Government? Some experts say little can be done by individuals to seek compensation.
Ms Su noted that under the Government Proceedings Act, individuals must identify the appropriate government department responsible for the failure resulting in losses.
Then, as with any litigation, individuals must establish that the department entitles them to sue or owes a duty of care and that its negligence resulted in the loss. This must also not be excluded by the software’s terms and conditions, and the losses must be quantifiable and can be proven.
Mr Cheong added that individuals can raise complaints for issues they encounter with government-related software, such as through the Government's feedback unit Reach.
PREVENTION AND MITIGATION
Ultimately, it’s on companies and the Government to ensure such critical technology runs smoothly — and there are ways to reduce the chances of a full tech breakdown, say experts.
“Some organisations conduct regular exercises simulating that their software is down... so that in the real situation when it fails, they have an estimate of how long it’ll take to restore services,” said Mr Terence Siau, vice-president of cybersecurity firm ABPGroup.
Beyond that, experts said that testing software, having a backup system and ensuring there is ability to cater to sudden spikes in demand can help increase the reliability of critical technological software.
However, they also noted that these are not foolproof measures — it can be difficult to spot an error that might cause a software to malfunction, especially when it's unintentional like a human error.
And even as companies upgrade their software and replace it with newer versions, this may also introduce errors that might potentially cause a breakdown.
“You can test it and plug gaps, but some will be difficult to detect until it is fully rolled out to the millions of people that need the software,” said Mr Siau.
Mr Shivaji Das, the Asia-Pacific managing director of consultancy firm Frost & Sullivan, added: “It will be impossible to create a zero fault system or process. They can however be made more resilient to low probability but high impact events.”
To do so, Mr Ali of Infinity Forensics said that companies should have a backup system that activates should an error occur.
And should that fail, he added that a standard operating procedure that is consistently practised should help minimise the software breakdown’s impact as engineers would be able to quickly identify and find a solution.
Mr Siau added: “Rehearsing (the standard operating procedure) will help familiarise staff with what to do, and (is also) a good opportunity to identify existing gaps and improve it.”