According to research from multinational law firm DLA Piper reported on CNBC, since the General Data Protection Regulation’s (GDPR) implementation in 2018, there have been over 160,000 data breach notifications across Europe. The overhaul of data privacy regulation in the EU is estimated to have generated 114 million Euros in fines in the same period as well.
Under GDPR, the biggest fine to date was a 50 million euro penalty imposed on Google last year by the French data protection regulator for alleged infringements related to transparency and a lack of valid consent, rather than a data breach. With GDPR, a company can be fined either 20 million euros or up to 4% of its annual revenues, whichever is the greater amount. The stakes are considerably high for companies like Google and Facebook, which handle a huge amount of data and make billions of dollars every year.
Moving over to this part of the world, Southeast Asia does not have a collective law for data privacy in the region like the GDPR. Instead, each country has its own set of laws and regulations on data privacy. Singapore, Malaysia, Thailand, Vietnam and the Philippines each have their own regulations on data privacy, with Malaysia and Singapore streamlining theirs in line with the GDPR.
Yet even with such laws in place, data breaches continue to happen in the region. According to CyberSecurity Malaysia, there were 10,772 reported incidents in 2019. Fraud dominated most of the cases reported, but there were also 1,463 intrusions or attempted intrusions reported. Intrusions would normally mean someone is trying to steal something from the organisation, be it funds or information, i.e. personal data.
Looking at data breaches, there were close to a dozen major data breaches in Malaysia in the last two years. Those involved in major breaches included Astro, Malindo Air and UiTM. Some of the breaches were caused by outdated security patches, weak cybersecurity protection and disgruntled former employees. Thousands of personal data records were affected and made available on the dark web.
Reports were made public, and the companies issued statements explaining their breaches and what they planned to do to contain them and improve their security. Interestingly, none of these companies was given any large fines for the data breach. In fact, a check with the relevant ministry revealed that between 2017 and October 2019, only five individuals had been charged and fined a total of RM54,000 for breach of confidential personal data, with seven others slapped with compounds totalling RM80,000.
In other words, there were only fines for individuals involved in such breaches. Organisations did not really have to pay any huge penalties for the breaches. Compared to the GDPR, the data privacy laws in Malaysia seem very lenient towards organisations.
Adding to that, Malaysia was ranked the fifth-worst in privacy protection among 47 countries according to a study by Comparitech, a UK-based technology research firm.
Which is why the Communications and Multimedia Ministry is reviewing the Personal Data Protection Act 2010 (PDPA) to include penalties against organisations whose systems are breached and customer data leaked. The review would also consider imposing penalties against those who obtain or come into possession of leaked data unlawfully.
With the government pushing for more digital initiatives like the National Digital Identity in 2020, data privacy laws have to be firmer and make organisations more accountable. Newer technologies will only encourage cybercriminals to come up with more ways to breach organisations.
The updates to data protection and privacy laws are expected to be tabled in parliament this year. Organisations, be it SMEs or enterprises, should not have to wait for the law but should already be looking into their cybersecurity plans to ensure they are well secured and protected. Or do they still need to wait for the government to pass laws that will impose higher fines on them for cybersecurity breaches to finally take the matter seriously? Only time will tell.