7 Lessons To Know About Your Company’s Website To Avoid A Breach Of Section 24 Of The Personal Data Protection Act (PDPA)

Have you recently carried out a vulnerability test on your Company’s website and secured webpages to make sure that confidential and personal data cannot leak out accidentally?

This is what happened to one Company whose inadequate security measures allowed its customers to access other customers’ data through its company webpage.

What Happened?

For the convenience of its policyholders, Friends Provident International Limited (the “insurer” or “Company”) operated and maintained an online portal (“Portal”).

Policyholders could access the Portal through the Company’s webpage via what was meant to be a “Secured Mailbox Webpage” (“Webpage”). Authorised persons of the Company, i.e. employees and advisors, could also access the Webpage to generate and obtain reports.

Unsurprisingly, the reports contained personal data of policyholders, including their names, policy number(s) and the residential area where they lived. Policyholders were not intended to see more than their own information.

Unfortunately, the Company’s breach of the PDPA came about when an inquisitive policyholder, while accessing the Portal and the Webpage, was also able to generate and obtain confidential reports containing details of other policyholders.

The policyholder complained to the Monetary Authority of Singapore, which referred the matter to the Company. The Company then reported the breach of its own accord.

The troubling issue is that the Company did not know its Webpage was vulnerable. It was only by chance that a backend upgrade, which enhanced the website’s verification, resolved the security issue on 6 February 2018. The incidents themselves occurred on or about 12 December 2017, but at the time the Company was unaware that there was a glitch.

In total, 240 individuals were affected: 42 reports were generated and downloaded by 21 policyholders or their advisors.

What exactly was the Company’s breach?

In the Friends Provident case [2019] SGPDPC 29, the Deputy Commissioner stated that Section 24 of the Personal Data Protection Act 2012 (“PDPA”) requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, disclosure and similar risks (emphasis added).

The Company had not done so for 2 main reasons:-

  1. It had not adequately restricted access to the Reports so as to prevent unauthorised access; and
  2. Its testing of the Webpage was inadequate.

The Deputy Commissioner said that the most striking factor was the lack of an authorisation mechanism for generating and obtaining reports. Once a person had access to the Webpage, no further authorisation or verification was required. The Company merely hid the “report” tab from the view of users who were not supposed to use it. When the JavaScript responsible for hiding the tab malfunctioned, the tab became visible to all users, and the server behind it accepted every request it received. Hiding a control in the browser is a convenience, not an access control: the server must check, on every request, whether the logged-in user is entitled to the specific report being asked for.

The testing of the Webpage was inadequate because the Webpage was intended for use across a variety of devices and screen sizes. The Deputy Commissioner therefore considered that testing should have been conducted across multiple browsers and devices, including mobile phones, on a representative basis.

Wearing the hat of a director or entrepreneur, if you were to assess what was expected of the Company, it is unlikely that you would have questioned the work of your developers. Perhaps you would have expected the developers or your IT team to have tested across all devices and platforms. Many directors or entrepreneurs are completely unfamiliar with resolving a faulty JavaScript.

The Deputy Commissioner recommended that companies and developers also test under other browser conditions such as “script blocking”. Script blocking prevents a website from running its JavaScript when a user visits it, so any protection that depends on a script running (such as hiding a tab) disappears the moment the script is blocked or fails to load. Did you know of “script blocking” as a tool before reading this article?
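The control that failed in this case, shown as an added illustration that is not code from the Company or from the decision: a report endpoint that relies on the front end to hide the “report” tab, beside the same endpoint with a server-side entitlement check. The policy numbers, session identifiers, roles and handler names are constructed for the example.

```javascript
// Added example (not the Company's code). Two versions of a report endpoint:
// one that trusts the browser to hide the tab, one that checks entitlement
// on the server for every request. All data below is constructed.

// Constructed sample data: which policy belongs to which policyholder.
const POLICIES = {
  "P-1001": { holder: "alice", area: "Bukit Timah" },
  "P-1002": { holder: "bob",   area: "Tampines"   },
};

// Constructed sessions: an ordinary policyholder and an authorised advisor.
const SESSIONS = {
  "sess-alice":   { user: "alice", role: "policyholder" },
  "sess-advisor": { user: "carol", role: "advisor", clients: ["alice", "bob"] },
};

// VULNERABLE: the "report" tab is hidden by front-end JavaScript, so the
// server assumes any request that reaches it is legitimate. Once the hiding
// script fails or is blocked, any logged-in user can pull any policy's report.
function handleReportVulnerable(req) {
  const session = SESSIONS[req.cookies.session];
  if (!session) return { status: 401, body: "login required" };
  const policy = POLICIES[req.query.policy];
  if (!policy) return { status: 404, body: "no such policy" };
  return { status: 200, body: `Report for ${req.query.policy}: ${policy.holder}, ${policy.area}` };
}

// Authorisation decision as a pure function so it can be unit-tested:
// a policyholder may see only their own policy; an advisor only their clients'.
function mayViewPolicy(session, policyId) {
  const policy = POLICIES[policyId];
  if (!session || !policy) return false;
  if (session.role === "advisor") return session.clients.includes(policy.holder);
  return session.role === "policyholder" && policy.holder === session.user;
}

// HARDENED: same endpoint, but the server decides on every request.
// Hiding the tab in the UI is still fine for usability; it is just not the control.
function handleReportHardened(req) {
  const session = SESSIONS[req.cookies.session];
  if (!session) return { status: 401, body: "login required" };
  if (!mayViewPolicy(session, req.query.policy)) {
    // Same answer for "no such policy" and "someone else's policy", so the
    // endpoint cannot be used to enumerate valid policy numbers.
    return { status: 403, body: "forbidden" };
  }
  const policy = POLICIES[req.query.policy];
  return { status: 200, body: `Report for ${req.query.policy}: ${policy.holder}, ${policy.area}` };
}

// What the inquisitive policyholder effectively did: request the report
// endpoint directly for someone else's policy number.
function demo() {
  const req = { cookies: { session: "sess-alice" }, query: { policy: "P-1002" } };
  return {
    vulnerable: handleReportVulnerable(req).status,
    hardened: handleReportHardened(req).status,
  };
}
```

The hidden tab is bypassed by anyone who disables scripts, edits the page, or simply types the report URL; only the server sees every request, so only the server can enforce who may see which report. Note that the hardened handler still returns the report to an advisor for a client's policy, which is the legitimate use the Webpage was built for.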

Decision

The most positive outcome in this case is that the Company got away with only a warning.

The risk of misuse of the personal data was relatively low, and the Company took prompt steps to inform the Commission and implement remedial measures.

Had the information been more sensitive, the consequences for the Company could have been severe, with a heavy financial penalty imposed.

Remedial Steps Taken Promptly

After the breach was reported, the Company took the following remedial actions (bearing in mind that it had already resolved the glitch on 6 February 2018). It took urgent steps to:-

  1. review the Portal;
  2. conduct an initial risk assessment and investigation;
  3. impose a requirement for regression testing on mobile devices and different screen resolutions;
  4. ensure that backend access validation was in place;
  5. ensure that all employees received data protection training on commencement of employment or a refresher session; and
  6. contact all affected persons so that all Reports were retrieved.

7 Lessons Learnt

From this case, it is clear that, when working with your developers or IT teams, you must:

#1 Ensure that thorough vulnerability tests are conducted on your websites regularly;

#2 Ensure that reasonable security arrangements are in place, in particular backend verification of every request to a secured webpage, rather than relying on front-end controls alone;

#3 Work closely and in consultation with your developers and IT teams on regular website maintenance;

#4 Test not only desktop websites but also mobile devices, multiple browsers and different screen sizes;

#5 Carry out enhanced testing regularly, such as testing with scripts blocked, to bring out flaws in the coding of your websites and mobile apps;

#6 Equally important, ensure that all employees receive data protection training when they start and at yearly refreshers;

#7 When there is a breach, report it promptly and take remedial steps early. This may well be a mitigating factor and save you from a hefty fine before the Commissioner.

Brought to you by DLLC Legal News

DL LAW CORPORATION is a Singapore-based law firm that helps businesses and business owners with their legal needs. The firm is a keen supporter of Small and Medium Enterprises and advises many SMEs on their legal issues, both corporate and litigation matters. Grab a FREE CONSULTATION today at www.dllclegal.com or send your email to contactus@dllclegal.com to book your appointment.

The contents and views set out above are those of the author(s) and/or are personal views and for information only. It does not constitute in any way any legal advice or representation to the reader even if the facts appear similar to your fact situation. You are strongly encouraged to seek legal advice should you have any legal issues.

3 Major Amendments To The Employment Act Business Owners Must Know

For employers, the amendments bring mixed feelings. It is no surprise, however, that executive and managerial employees who earn higher salaries welcome the changes.

We think these changes level the benefits across employees as a whole, and it may be time for employers to ensure that their companies’ internal grievance procedures are in place to manage any unfortunate disputes.

The amendments affect all executives of a Company, especially those employees who previously were not afforded any protection because their income was above the statutory limit of $4,500.00.

The 3 major changes are as follows:

1. Applicability of EA

Before the amendments, the provisions of the Act (except for rest days, hours of work and other conditions of service) did not apply to Professionals, Managers and Executives (“PMEs”) earning a monthly salary above $4,500.

With effect from 1 April 2019, the provisions in the Act (except for rest days, hours of work and other conditions of service) apply to all PMEs regardless of monthly income.

This means that provisions relating to sick leave, maternity benefits and wrongful dismissal will equally apply to PMEs.

The rationale for the amendments is that PMEs make up more than half the local workforce and they should be given the benefit of the Act.

It follows that employers should be fully aware of the changes and ensure that their employment agreements and employee handbooks are updated to comply with the revised obligations under the Act.

2. Sick Leave & Hospitalisation Leave

The amendments will now provide employees more flexibility when obtaining a medical certificate.

Employers are now required to recognise medical certificates issued by any registered medical practitioner.

Previously, if an employee wanted to take paid sick leave, he was required to consult a registered medical practitioner employed by the Government or the company doctor.

Employers are of course concerned that more employees may be encouraged to take sick leave, since it is now easier to obtain a medical certificate from a neighbourhood GP. On the other hand, this amendment is consistent with the position that any registered medical practitioner is competent to treat a patient.

Further, the definition of “hospitalisation leave” has been extended. It now includes employees who have been discharged from hospital but are still unwell enough to need hospitalisation leave so that they can rest at home. The rationale appears to be that, without this extension, the employee would have to use his sick leave, which is limited to 14 days for each employee.

3. Wrongful dismissal claims

For PMEs who wish to make a claim for wrongful dismissal against their employers, the amendments have shortened the qualifying length of employment from 12 months to 6 months.

This effectively means that after 6 months of service, an employee who is dismissed for whatever reason and feels aggrieved will be able to make a claim. While a larger group of employees will fall within this provision, we are of the view that the number of employees filing wrongful dismissal claims is unlikely to be high.

Other Amendments

The other amendments, although less impactful, are:

  • Leave For PMEs – Before the amendments, annual leave for PMEs was governed by the Employment Agreement.  Now, PMEs will be entitled to at least 7 to 14 days of paid annual leave.  This suggests that PMEs may no longer be offered 14 days but given 7 days when they start, and it would be for the PME to negotiate for more leave days;
  • Suspension of PMEs for longer than 1 week – Employers may suspend a PME (for example for gross misconduct) for a period exceeding 1 week by applying for and obtaining approval from MOM, but the employee must be paid half his salary for that period;
  • Salary Deduction by Consent – Salary deductions will now be allowed if the employee consents to the deduction in writing.  Therefore, if an employee agrees to a deduction from his salary, the employer cannot be faulted unless the employee withdraws his consent;
  • Query By Commissioner on Employer’s Retrenchment Benefits – Employers can be called upon by the Commissioner for Labour to provide information on any retrenchment benefits available to employees.

Concluding Comments

In light of the recent amendments, many companies have yet to update their employment agreements and employee handbooks.

Companies should set out the rights and obligations of employees to protect the Company’s interests and to avoid misunderstandings.  This includes updating the Employee Handbook on leave policies and putting in place a good grievance procedure.

If an employee issue can be resolved internally, the Courts need not be involved and precious man-hours are not wasted at the tribunals.

The Case of “I did not know that I needed a Personal Data Protection Policy in My Organisation”

The “I did not know!” defence: “Do I really need a Personal Data Protection Policy in my organisation? I didn’t think I needed it.”

That is exactly what the management of “Bud Cosmetics Pte Ltd” (“Bud Cosmetics”) told the Commissioner of the Personal Data Protection Commission in Re Bud Cosmetics Pte Ltd [2019] SGPDPC 1.

This argument was, of course, rejected outright: ignorance of the law is no excuse, said the Commissioner.

The Commissioner then directed that Bud Cosmetics:

  1. pay a financial penalty of $11,000 within 30 days,
  2. engage duly qualified personnel to conduct a security audit of its Website and IT systems, and
  3. develop an IT security policy to guide its employees on the security of personal data on its Website and IT systems within 60 days.

For failing to take the necessary steps, Bud Cosmetics suffered unnecessary and troubling costs and expenses, not to mention the unwanted stress of management facing the PDPC.

What Happened?

Here is what happened.   The PDPC received a complaint from an individual about a members’ list containing personal data that was exposed on the internet.  At least 2,300 names and associated personal data were exposed.

Bud Cosmetics is a retailer specialising in organic and natural skincare brands.  It had an online store and a Website.  Customers of Bud Cosmetics had to set up membership accounts on its Website (sound familiar?).  There was also a separate database (“Offline”) retained from its point-of-sale system.  The online database had held over 1,000 members since 2012 and had grown to about 2,400 registered members.

Like most organisations, Bud Cosmetics sent email blasts and e-newsletters to its customers from both the Online database and the Offline database.

On or about 6 April 2017, the affected individual complained that personal data of 2,300 members was exposed on the internet and that the individual’s own data was among it (much to this person’s distress).  The members’ list was exposed because there had been a cyberattack on Bud Cosmetics’ host servers in Australia and the US, and one of the image folders holding the data was unsecured.

To be fair to Bud Cosmetics, after the cyberattack it took some steps to improve security by adding “Sitelock” and other features and conducting daily scans of its Website.  Bud Cosmetics tried to blame the exposure on the cyberattack, which it said happened in 2012.  The Commissioner did not accept this explanation.

Organisations Must Take Proactive Steps to Comply

The Commissioner explained that the data disclosed in the Members’ List was definitely personal data under the PDPA, as the individuals could be identified from it.  It is interesting to note that the Commissioner said that although the PDPA came into force on 2 July 2014, Bud Cosmetics’ duty to take proactive steps to comply with its obligations applied not only to new personal data coming into its possession but also to any existing personal data already in its possession or under its control (emphasis added).

Privacy Policy Insufficient – How employees handle personal data is important

Bud Cosmetics explained that it had a privacy policy on its Website (“Privacy Policy”) at the time of the incident.  Another interesting point is that the Privacy Policy only notified customers how the company would use and process their personal data; it did not set out the procedures or practices for how the company and its employees should handle and protect that data.

Bud Cosmetics thought (quite incorrectly) that the PDPA only prohibited organisations from sending marketing messages to Singapore telephone numbers registered with the Do Not Call Registry.  It admitted that it had not implemented any data protection policies or practices.  It was unaware of its data protection obligations under the PDPA and had only just started considering a data protection policy because other companies were beginning to publish them on their websites.

Formalised Data Protection Training For Employees

This is when the Commissioner said that ignorance of the law is no excuse and that not knowing its obligations under the PDPA could not excuse the breach.  It is also clear that data protection training was grossly lacking in this organisation; employees would have been better able to protect personal data had they been able to recognise personal data issues when they arose.  Bud Cosmetics did not provide any formalised data protection training for its employees. (Is it a question of not knowing how or what training to provide?)

Carrying Out Vulnerability Scans Or Penetration Tests On Websites

The Commissioner asked whether Bud Cosmetics had taken reasonable security steps to prevent unauthorised access, as required by section 24 of the PDPA.  It had control of the data and was responsible for the security of the Website.  It should have conducted periodic penetration testing or vulnerability assessments and promptly fixed what they found, to prevent data breaches.  Like most SMEs, management never considered the adequacy of the security of its Website or IT systems.  The Commissioner noted that Bud Cosmetics never conducted any vulnerability scans or penetration tests to ensure that its Website was sufficiently protected.

We wonder how many SMEs and online retailers actually carry out vulnerability scans and penetration tests on a regular basis.  We think the number is very small.  Most SMEs, and some larger organisations, assume that their website host has all the security in place to look after their website.  A host secures its own infrastructure; what your site actually serves, including a data export left in a public folder, remains your responsibility.  In Re Bud Cosmetics Pte Ltd [2019] SGPDPC 1 that duty, among other things, fell squarely on the organisation, which should have checked for “bugs” and “cracks” in its Website.  In smaller organisations this exercise is not automatic, and to some it is unheard of.  Larger organisations have the resources; we think they would have no excuse not to invest in IT security.

Overseas IT Vendors – Make Sure that Their Standard Of Protection is Equal or Better Than Our PDPA

Lastly, the Bud Cosmetics case discusses the choice of overseas IT vendors.  Bud Cosmetics used website hosting services in Australia and the US.  Companies have a duty under section 26 of the PDPA to ensure that recipients of personal data outside Singapore are bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA.  If your data goes overseas, the bottom line is that you must be extremely careful, as breaches that occur overseas can still land your organisation in trouble.

Concluding Comments

Many SMEs, like Bud Cosmetics, have a false sense of security that their websites will be taken care of by their website hosting providers.  Content with merely placing a simple privacy policy on their Website, they assume it takes care of the problem.  Many more organisations think that compliance with the PDPA is not the organisation’s problem but something to be solved by other parties.

Bud Cosmetics learnt it the hard way.  It was fined $11,000 (no small amount) and directed to engage qualified personnel to conduct a security audit and to develop an IT security policy.  More expense and time spent correcting the errors.  Could this have been avoided, or did the obligation still fall heavily on training employees to recognise the PDPA obligations?  Was it due to the inevitable cyberattack in 2012, such that Bud Cosmetics could not have done anything significant?  Was the Commissioner too harsh on Bud Cosmetics for focusing on its business, especially when the PDPA only became a hot-button topic in Singapore from July 2014?  After all, these lapses happened in 2012, when less was known about cyberattacks and personal data protection.

7 Costly Legal Mistakes Startups Make When Issuing Equity

While sitting in your co-sharing office space, anxiously waiting to make your next presentation on your App, you ponder nervously if your investors would be interested in your App.

You have worked with your team for many months and this next presentation is one of many you have made to scrutinizing investors. You continue to meet and greet potential investors hoping for a buy-in on your ideas.

With each presentation so far, you wonder where the money will come from.

The deficit is getting bigger and you need an investor desperately. Just as you are about to enter your next meeting, you receive a pleasant call from a potential investor, excited to invest with you but clearly wants equity in your company.

You are so excited to reel in the investor that you are prepared to sign any document and here is where the mistakes can be costly.

MISTAKE #1 Choosing An Investor Without Doing Your Due Diligence

Do not judge an investor by his appearance, his enthusiasm or the way he or she speaks with authority. An expensive, nice-looking watch or a big luxury car means nothing except that your investor lives a certain lifestyle. It does not mean that the investor is the right fit for your company.

  • Check whether the investor is investing in his personal or corporate capacity.
  • Check whether the investor’s company is duly authorised to enter into negotiations with you.
  • Is it a fishing expedition by a company looking at what is available in the market?
  • Have you signed an iron-clad Non-Disclosure Agreement before sharing your business plan?

These checks will help you decide whether your investor is serious.

  • Look at whether the investor is a venture capitalist or an exempt fund management company looking to diversify its portfolio.
  • Check whether the investor has made other similar investments within your industry.

This will give you assurance that the investor is aware of the risks involved in investing in your industry.

Be extremely careful with private investors or individuals, as some of these could be close friends, family or relatives whom you have persuaded to invest with you.

You may have painted such an amazing picture of great profits and potential that you down-played the real risks (or forgot to mention them). The untrained individual investor will hold you accountable for everything you said, claiming that this is what you represented to him as fact. Sure, “buyer beware”, but this will be the start of your problems if your investor kicks up a fuss internally and disrupts your business.

Do your due diligence early so that if, for whatever reason, you realise this investor is not a hand-in-glove fit, you have not wasted much time and can look forward to the next potential investor.

It is understandable that you do not want to lose your investor’s interest, but it is better to avoid trouble before your investor becomes part of your share capital.

MISTAKE #2 Discussing Equity When In Fact It’s A Convertible Loan Agreement

Now that you have found the right investor, your investor tells you that he will be investing, for example, $500,000.00, more than you need for now. You are overjoyed, the champagne has popped, and you go ahead and hire the extra tech support you needed from overseas to improve your App.

The eager but shrewd investor (probably because he has consulted lawyers) then gives you an agreement of many pages. The investor tells you that under this agreement he will invest for one year and then decide whether he wants to invest further.

You hear only the last few words, that your “beloved” investor will invest further after one year, and you sign the agreement, complaining that there are too many pages.

  • First, you trusted your investor.
  • Second, you did not read the agreement; and
  • Third, you thought you had to give up part of your shares, but not very much.

Here is one scenario. One year from now your “beloved” investor sends you a letter asking for all the money invested in the company over the past year. You scoff and protest that it was an investment and call your investor crazy.

Your investor then turns to page “x” of the agreement (which you signed blindly) and shows you that in the first year the investor was lending you money, and that if the investor chose not to convert the loan to equity, he would be entitled to repayment of the full loan.

Some agreements are cheekier still: if you are unable to repay the money before the deadline, your investor has the option to take over all of your shares.

This can be devastating to any company that entered into a convertible loan agreement and is now unable to pay when the loan falls due.

This means that you must know what agreement you are entering into. Is it a convertible loan agreement or a straightforward equity investment? If it is an equity investment, you would likely be signing subscription and allotment agreements or a sale and purchase agreement for shares in your company.

Convertible loan agreements are common in the start-up industry, as there is no certainty that the App or product will ultimately work. If so, negotiate carefully, review every clause thoroughly and consider whether a clause could shut you down if you are unable to deliver on any of the terms and conditions.

Investors tend to be opportunistic but are not unreasonable if you know how and what to negotiate. If you leave it to the investor to dictate the terms, the chances are high that the agreement will be slanted in favour of the investor.

MISTAKE #3 Extending A Personal Guarantee

In your negotiations with an astute investor, you may find the investor asking you to put your money where your mouth is by putting up a personal guarantee.

Owners and founders are so excited to get their products to market that they are prepared to sign anything to get hold of the investor’s money.

You may have a situation where the investor is prepared to enter into a clean-cut equity agreement but demands a personal guarantee from you, your partners or directors and sometimes even your family members. The pressure to accept the investor’s proposal is so great that you overstate your abilities and resources and agree.

The condition that triggers the guarantee could be as simple as repayment by way of dividends within 12 to 18 months; if no payments are made, the guarantor must pay. 12 to 18 months later, the company has reached break-even on orders but does not have the cash flow to make any payments to shareholders. The unreasonable investor hits the roof, threatens to sue the company and calls on the guarantee. Negotiations fail, tempers flare, and a decent company rising through the rough is now in deep trouble because of potential lawsuits by unhappy shareholders.

Be extra careful with guarantees and with volunteering to be a guarantor, as the scope to argue any defence or to get out of a guarantee is very limited. This means that if you have validly executed a guarantee, you are liable for as long as the principal is liable to the creditor. Only when the principal has discharged his obligation are you released from your guarantee.

MISTAKE #4 Over-committing & Over-promising

The single most important factor for an investor in choosing an investment is the return he or she will receive. To the investor, this includes knowing where his money is being spent and for what purpose, recovering the initial investment as quickly as possible (i.e. return on investment), understanding the risk of losing all of it, and getting a rate of return (or a windfall) better than the financial products available elsewhere.

To meet this expectation, you start by preparing an over-zealous business plan. Your business plan says that your investor will be able to recoup his initial investment in 12 to 24 months because you are confident that more investors will join in.

In person, you assure your investor that his investment will come back even quicker than 12 months.

You pitch to your investor that you have potential customers, all viewing your product and orders are about to be filled but purchase orders have not been sent out.

You then assure your investor in person that in fact the deal is confirmed; it’s just that the customer’s senior management is waiting to give the green light. In your mind, it is a done deal.

You then go ahead and promise the investor that if you can have his or her money by next week, you could take advantage of recent technological products which would pivot your company to the front and secure customers faster.

Your last sincere promise is that you have a hard-working team and that you project your growth rate at 36% per annum (or such ambitious figure) with a rate of return of close to 20% and costs to revenue maintained as the previous year.

You, however, underestimated the labour costs or that you needed additional premises now that your team is growing bigger. You realised that your team needed more time to prepare the upgrades and updates. Your customers are taking too long to respond to you and you have no orders filled even with the investor’s money. There is however a “burn rate” (what is a commonly known parlance where a tech company spends money as working capital in the interim hoping for its product to kick off in a big way or for a VC to come forth and invest in the tech company aggressively with all financial strength).

Several months later, your investor, especially an individual investor, is enthusiastic and hopeful that his investment is producing the results that you had painted to him, is now deflated that you are unable to explain to him that all of his money is gone towards the burn rate. You probably also need more money from him.

Upset and angry that you are unable to explain to your investor or you have been deliberately avoiding him, your investor files a police report calling you a “scammer” or “cheat” or accusing you of not having a valid business. An unhappy situation.

  • From the start, explain your business numbers to your investor with realistic figures.
  • Be clear to your investor that the figures are estimates.
  • State clearly in your business plan, in words to the effect, that the numbers and figures are estimates only and are not representations from you, and that the investor must carry out his or her own due diligence on your company.
  • State the risks early and provide solutions for how you are going to deal with them.

This means disclosing your risks, threats and assumptions right from the beginning so that your investor can make an informed decision and your investor cannot fault you for failing to disclose all your risks.

Avoid over-committing to your investors and definitely do not over-promise in your delivery. Remember that it is not your money and you will have to account for every dollar spent to your investor.

MISTAKE #5: Failing to Enter Into or to Ratify the Existing Shareholders’ Agreement

In the past, without investors, perhaps it would not have mattered whether a shareholder’s agreement existed.

Now, with an investor, your investor may insist that there be a shareholders’ agreement. Your investor would want to set out how the quorum for directors or shareholders is met, and the type of resolution needed for specific decision-making issues. The shareholders’ agreement would also set out how dividends are paid, how shareholders can exit your company, and what happens if the shares are bought over by third parties.

You may already have a shareholders’ agreement in place, but after the investor comes on board, no further steps are taken to ensure that the new investor/shareholder signs an agreement to become a party to the existing shareholders’ agreement.

Let’s say that you have done swimmingly well, and your company is targeted by a US company intending to expand its footing in Asia. There is, unfortunately, no drag-along or tag-along clause in the agreement for the shareholders. You and your existing investor retain some shares, but only as a minority.

Your new US shareholders inform you that they refuse to recognise the arrangement you had with your investor, because your investor never ratified the existing shareholders’ agreement and therefore the existing rules do not apply. They demand that a new shareholders’ agreement be drafted, wiping away your existing arrangement with your investors.

MISTAKE #6: Entering Into an Agreement With an Investor Without Checking if the Company Is Allowed to Do So

A real problem which many start-ups face is entering into elaborate deals: convertible loan agreements with options to issue preference shares that are non-redeemable and carry no voting rights, arrangements allowing the new investor or shareholder to use the Company’s own funds to pay for the shares, and so on.

Lo and behold, none of these elaborate schemes is catered for in the company’s constitution. Strictly speaking, the constitution is the agreement governing the relationship between the company and its members, and it is one of the primary documents whose express terms the Courts will give weight to.

In a few cases observed, litigants have argued in court pleadings that shareholders’ agreements which attempt to override the company’s constitution are null and void. Any changes proposed and agreed in the shareholders’ agreement should have been reflected in the company’s constitution. Failing to do so only leads to unnecessary litigation between you and your investors.

Before entering into any agreement with your investor, check that the company’s constitution allows for such deal structures. Where the constitution is silent, make the necessary amendments to the company’s constitution so that it reflects the arrangements between the company and its shareholders.

MISTAKE #7: Entering Into a Commercial Agreement With an Investor but Failing to Understand the Contents

With a wealth of information available to everyone on the internet, you may suddenly think that you have the ability to understand any agreement and to draft any agreement on your own.

It may be tempting to draft your own agreement or to copy a sample found on the internet. You must realise, however, that each sample serves a specific purpose and was likely created for a different set of facts from your own.

Copying a sample agreement can be fatal to you. You may be copying a sample from a different jurisdiction which does not apply in Singapore, or relying on an old sample which is no longer good law in Singapore.

In summary, here is your checklist for avoiding costly mistakes in dealing with investors:

  • Sign a non-disclosure agreement;
  • Do the legal due diligence on your investor;
  • Review your constitution to confirm whether your company can carry out the relevant equity exercises and amend it if necessary;
  • Propose, prepare, review and revise your shareholders’ agreement;
  • Be clear on the agreement to be signed and its terms, including whether it is a convertible loan agreement or a subscription agreement;
  • Be extra vigilant about whether you are expected to sign a personal guarantee;
  • Be sure you understand the contents of the agreements you intend to sign (especially if you prepared them yourself or obtained them from untested sources). Check that the agreement is applicable under Singapore law and is still good law in Singapore;
  • Most importantly, be realistic about your returns and avoid over-promising. Always disclose all risks frankly.

Brought to you by DLLC Legal News

DL LAW CORPORATION is a Singapore-based law firm that helps businesses and business owners with their legal needs. The firm is a keen supporter of Small and Medium Enterprises and advises many SMEs on their legal issues, both corporate and litigation matters. Grab a FREE CONSULTATION today at www.dllclegal.com or send your email to contactus@dllclegal.com to book your appointment.

The contents and views set out above are those of the author(s) and/or are personal views and are for information only. They do not constitute in any way legal advice or a representation to the reader, even if the facts appear similar to your own situation. You are strongly encouraged to seek legal advice should you have any legal issues.