PDPA: A much needed update, please

A dispute resolution lawyer and member of the Malaysia Bar Council, Sarah Yong, talked about the state of local cybersecurity legislation with a focus on the Personal Data Protection Act (PDPA) and what businesses needed to do to comply with the legislation.

To get a gauge on the state of cybersecurity and personal data protection legislation, one only needs to look at the series of breaches Malaysia has undergone, the responsible parties (many) and the action they have taken since (zilch).

Were the data breach events so inconsequential that not a single affected party, or the regulator for that matter, would say anything about it?

To be fair, since last January, when Sarah gave her presentation at the Internet Alliance cybersecurity summit, the newly elected government has had time to settle into their collective roles, take stock of the real situation, and announce their next steps in terms of cybersecurity. One was the setting up of a scam response centre, and another was the implementation of a kill switch which enables banking users to immediately freeze their accounts in the event of any suspicious activity. EITN has shared its initial responses to these measures here.

So, the government HAS taken some action in response to the data breaches, although it is too little and extremely too late.

Sarah also noted that since the JPN breach (and the many others before and after that), there has been next to no news about what was being done to address the almost continuous leak of Malaysians’ personal data.

The scariest thing about the JPN hack is that Malaysians do not even know if their data has been leaked, because the Government does not inform them.

THE CHALLENGE?

According to Sarah, “Now in Malaysia, there is no overarching cybersecurity legislation at the moment.”

What we do have however is various different laws, covering various different aspects relating to the Internet, to cybercrime, to online transactions, to service providers, and so on. It is all over the place.

This situation also makes it extremely difficult to come forward with resounding statements and impactful actions. There are many stakeholders and sensitivities to consider.

However, Sarah shared that the previous government was going to reveal a Cybersecurity Act.

“The scheduled announcement or revelation of it is supposed to be this year 2023. So let’s wait and see when that happens, and we will be able to then look at the contents of the Cybersecurity Act.”

It has been about three months since Sarah shared about this Cybersecurity Act, and as she pointed out, various stakeholders will be engaged to discuss the bill. I think that is the key thing that needs to happen right now.

THE PDPA

The PDPA has been around since 2010 and came into force in 2013, according to Sarah. Truth be told, I have come across a few scenarios where the PDPA should have been enforced but was not. From what I understand, the onus was on the claimants (the persons whose data had been abused) to pursue the matter via the legal route.

Needless to say, I was curious to find out how accurate this is, and the actual scope of PDPA enforcement.

Sarah explained that the scope of the PDPA is personal data, specifically personal data that is exchanged in a commercial transaction between businesses and consumers. So the government, and non-commercial transactions, are excluded from this act.

“So, there is a wide exclusion of data that is at risk because they are not protected.”

Sarah opined, “There are so many issues that have happened, data breaches that have happened, and I think on the policy level, in terms of accountability, the government needs to be the one to be accountable… then the businesses will follow.”

WHAT TO LOOK OUT FOR?

Businesses can download a Personal Data Protection standards document, that serves as a list of minimum standards for businesses to adhere to.

Sarah prepared a checklist of things business owners need to prepare in order to comply with the PDPA, or risk paying costly fines.

For starters, businesses need records of consent by the data subjects. She also advised business owners to have a written privacy notice and even a list of disclosures of personal data made to third parties.

She also mentioned a security policy that states the SOPs to be followed in the event of a data breach. A register of employees who have access to personal data is also very important, as are records of your organisation's compliance with the minimum retention standards, records of any periodic disposal of data, and records of your organisation's compliance with the minimum data standards.

WHAT’S NEXT?

An update to the PDPA is coming. The proposed amendments, according to Sarah, include a wider scope that covers data processors. These are not just the companies and businesses that use the data, but also the companies that service and process the data on their behalf, and hence hold the data (likely on their premises) or even hold it in cloud storage.

Sarah emphasised, “Soon, data processors would have direct obligations under the Personal Data Protection Act.”

So far, companies are not mandated by law to report when they are hacked or have data that is compromised. This is expected to change soon.

She also shared her belief that mandatory reporting of breaches within 72 hours of the event would be added to the PDPA.

Companies would also need to appoint a data protection officer.

A blacklist approach is being considered when it comes to data transfer across borders for cloud storage services; if data transfer routes take it through a blacklisted country, companies need to obtain permission from the regulator.

Discussions about a much needed PDPA upgrade have come up as well during SecurityLAH! podcast episodes. View the episodes here.

Wing Keong Wong

Information Security Practitioner, CISSP, CISA, CISM, CCSK, ISO27001A

1 yr

4. Also, hope the government can seriously look into safeguarding the interest of breached victims after a data breach. If (that is IF) there was a successful prosecution, a compound will be imposed on the offending party. But none of the financial resources / effort is channelled to the direct benefit of the data breach victims. The victims remain victims, with his / her data out there waiting for the next scam to knock on his / her door.

Wing Keong Wong

Information Security Practitioner, CISSP, CISA, CISM, CCSK, ISO27001A

1 yr

1. One of the amendments to the new PDPA (I hope) will cover the gap on credit bureaus. Currently this is a void as well. 2. Enforcement: the lack of skills / know-how in investigation, security technical knowledge required etc. is the biggest deterrent for any prosecution. Hopefully the government is serious enough to work on improving this. 3. The incident reporting process is another deterrent discouraging whistleblowers from coming forward. Just like our PDRM, someone would need to make a report in order for the investigation to take place. That includes going in physically to the PDPA office to report (or at least to sign / initial / validate the reports and facts), where the overhead / expenses are on the person that comes forward. Therefore, before the due legal process even starts (and with no visibility of how far it can go), the person that comes forward is burdened with inconvenience. Hopefully the government can look into exploring a process that makes more sense for common civilians to do the right thing.

Rodney Lee

Cyber Security Advisor, Trainer, Mentor, Conference Moderator, Sales Management Leader and Cyber Security Thought Leader with more than 25 years in IT Security and CISO responsibilities; Cybersecurity Event Planner

2 yr

Great coverage Cat! Let's wait patiently for the new version... while we continue to be careful with our own data as scammers and perpetrators roam (semi) freely.....

Jason T.

Digital Health @ HIMSS | MD, MBA, CPHIMS, HRDCorp. Accredited Trainer | Healthcare IT | Medical Informatics

2 yr

A company in Malaysia can be liable for breaching the GDPR if they offer goods or services to individuals in the EU. The same goes for HIPAA. If a healthcare company in Malaysia handles PHI of an individual in the US, they must comply with HIPAA regulations, and failure to do so can result in fines and penalties. I believe we have sufficient guidelines which can easily be adopted locally.
