Authored By: Datuk Alan See, co-founder and CEO of FIRMUS™.
Security breach. Personal data compromised. Cyber crimes on the rise.
This has been on the increase of late, especially with the advent of so many things going online and digital. Malaysia’s central bank governor acknowledged this in her keynote address at the International Conference on Financial Crime and Terrorism Financing (IFCTF) 2022, noting that Malaysians are not spared. Between 2017 and July 2021, Malaysians suffered losses of about RM2.23 billion on account of cybercrimes.
While major cybercrimes are documented, numerous small cybercrimes go undetected and unreported. Recent data breaches include AirAsia and Optus. Malindo Airlines, now Batik Air, was not spared in 2019.
But how protected are Malaysians against cybercrimes, primarily personal data breaches? Is Malaysia’s Personal Data Protection Act 2010 effective?
The Personal Data Protection Act 2010 (PDPA) is a law that governs the handling of personal data by organisations in Malaysia. The Act sets out the requirements for the collection, use, disclosure and care of personal data and is administered and enforced by the Personal Data Protection Commission. The PDPA does not apply to data that is processed for the purpose of national security, defence or international relations.
Is the PDPA protecting Malaysians? Are organisations taking responsibility?
The PDPA is designed to protect the personal data of individuals from being misused or mishandled. However, the PDPA has its limitations, and data breaches can still occur. While individuals may learn to protect their own personal data, the onus is also on each organisation to secure its assets.
The PDPA imposes certain obligations on organisations, including the obligation to notify individuals of the purpose for which their personal data is being collected, used or disclosed. Organisations must also ensure that personal data is accurate and up-to-date and must take reasonable steps to protect personal data from unauthorised access, use or disclosure.
The Malaysia PDPA vs EU GDPR
Despite the PDPA’s undeniable importance, it is also subject to criticism and doubts over its effectiveness, as it often proves to be a “toothless tiger” in the face of breaches at organisations, allowing them to escape punishment.
Organisations are still responsible for ensuring the security of their data, even if the PDPA does not explicitly mention it. This means having security measures in place to protect against unauthorised access, disclosure or destruction of data. However, parties that suffer a data leak in Malaysia are not obliged to notify the authorities or the victims.
The PDPA covers only certain types of data breaches; for example, it does not protect against social engineering attacks. The PDPA is managed and enforced by the Personal Data Protection Commissioner under the Department of Personal Data Protection.
But in Europe, harsher punishments are meted out to organisations that violate personal data protection. A good case in point is British Airways, which was fined USD230 million by the U.K. Information Commissioner’s Office (ICO) for an incident that took place from June to September 2018 and compromised the data of over 500,000 customers.
Under the EU General Data Protection Regulation (GDPR), any company, including a foreign company that has an office in or serves the European region, is required to report a data breach within 72 hours. Organisations face the risk of a fine of up to 4% of global revenue in the event of a data breach.
But the GDPR fines are important for reasons well beyond the numbers. Any organisation that suffers cybercrime because of inadequate or absent protection is made to pay the consequences.
The EU GDPR has set the global precedent, and other jurisdictions should emulate it to protect their citizens. Given the limitations of the Malaysian Personal Data Protection Act 2010, we should use the GDPR as a guiding framework because of its cohesiveness and inclusiveness.
It is vital for individuals to be aware of their rights, and to be informed and vigilant against any unlawful collection of personal data. However, breaches will still happen, and violations of data protection will still occur. Given the shortcomings of this legislation, it should be reviewed and improved to better protect the common man.