‘Personal data law needs to be tightened’ (Updated)

Act should require online systems to be stress-tested and certified to avoid security breaches, say experts

05 Mar 2021 / 13:21 H.

PETALING JAYA: There is a need for a revision of legislation covering personal data if security breaches are to be avoided, or at the very least minimised, cyber security experts told theSun.

Assoc Prof Dr Selvakumar Manickam of Universiti Sains Malaysia said data breaches can be extremely damaging, citing the leak involving Malaysian telcos in 2016, which gave rise to Macau scams.

“As we rely more on online services, we have to share our personal data with these service providers to ensure smooth delivery of their services,” he said.

It is important that service providers do not ask for information that is not relevant to the service they render, and must provide reasons why such information is required.

“Malaysia’s Personal Data Protection Act (PDPA) should be bolstered with new regulation requiring online systems to be stress-tested and certified by security experts and fix any vulnerabilities found,” he said.

Under PDPA, a business which fails to protect its customers’ personal data within its control is guilty of an offence and the business owner is liable to a fine not exceeding RM300,000 or a jail term not exceeding two years, or both.

Selvakumar believes that the law should be amended to make the penalty harsher and to ensure businesses are not allowed to operate without any form of cyber-security certification.

Cyber-security testing firm LGMS Group chief executive officer Fong Choong-Fook said data leaks pose a great risk since it gives rise to malicious practices such as the selling of identities and scams.

Fong suggested that individuals be more careful before submitting their personal details and to only give information that is crucial.

“If you are registering for a gym membership, for example, information such as the personal details of your family members and your household income should obviously not be disclosed.”

Custodians of personal data can be made liable for breaches of the data and consumers can lodge complaints with the Personal Data Protection Department.

The cyber security experts were commenting on a Malaysian Airlines data security breach recently reported at a third-party IT service provider.

The airlines informed members of its frequent flyer programme, Enrich, that the incident happened during a nine-year period from March 2010 to June 2019.

The number of members affected was not disclosed. However, personal data involved included names, date of birth, gender and contact details of the programme members.

Unfortunately, such cases are far too common, both in Malaysia and elsewhere, with data breaches becoming more prevalent in today’s highly digitalised world.

A major example included the Malindo airlines data breach in 2017. The details of about 30 million passengers of Malindo and Lion Group subsidiary, Thai Lion Air, were posted on online forums, all due to the negligence of a third party.

Lecturer and criminologist Shankar Durairaja said data breaches not only have severe consequences to consumers but also to the companies.

Shankar said companies can face significant financial losses due to regulatory fines, settlement payments, and future revenue loss as well as face lawsuits from customers.

“Companies can face reputational and operational damage, which is long-lasting. Senior management can also be dismissed for trying to cover up the data breach.”

He also suggested that PDPA be amended to address issues related to online privacy, including data such as geolocation and “cookies”.

“The Personal Data Protection Act 2010 only protects against the inappropriate use of personal data for commercial purposes and does not cover breaches involving the online community,” he added.

email blast