To inform or not to inform, that is the question
By Dzof Azmi June 18, 2018
- Companies currently decide for themselves whether or not to notify the public about breaches
- Corporates still struggle with public disclosure, as recent media reports show
ALTHOUGH there was an earlier, related breach of 10,000 records in January, Astro appears not to have alerted affected customers to it until a second breach was reported on lowyat.net last week.
In a statement published on Facebook, they state that "Astro was made aware of this incident on 26 January 2018. On the same date we sought assistance from MCMC and had the search engine provider remove the link".
They also added that "All trace of customer data online was immediately removed. Subsequently, Astro lodged a police report on 8 February 2018."
When contacted, a representative from Astro added that after further investigation they have "concluded that no data leakage was identified from their system".
Currently no compulsion to publicly disclose
However, the fact remains that Astro's disclosure of the first incident came only after more than four months had passed, and only after a second breach had been discovered.
This is not the first time that public disclosure of a major breach has taken time to surface. In October 2017, it was revealed that the breach of details of 46.2 million mobile phone subscribers in fact originated from an earlier undisclosed breach that happened in 2014.
Nevertheless, companies are currently free to decide when, and whether, they disclose any breaches they discover.
"I do not think that (Astro) has committed any wrong for failing to inform the public about the breach," said Professor Abu Bakar Munir, Professor of Law at the University of Malaya. However, Professor Abu Bakar did note that capital market entities in Malaysia are mandated to report any detected cyber incident to the Securities Commission on the day it happens.
In the meantime, it is best to be prepared for the worst. "It is absolutely important for companies to have clear policies and guidelines in terms of what to do in the event of a data breach," said Jason Yuen, Partner and Malaysia Cybersecurity Leader at Ernst & Young Advisory Services Sdn Bhd (EY).
PDPA can be amended
Both experts feel that companies need to be compelled to disclose the breaches they suffer, rather than being left to rely on their own goodwill.
"We have seen in Malaysia as well as globally that companies are unlikely to report data breaches unless they are compelled to do so by law," pointed out Yuen.
"However, the reality is that in Malaysia, we do not have compulsory breach notification laws as part of our Personal Data Protection Act 2010."
As an example, he contrasted the situation here with what is mandated by the European Union's General Data Protection Regulation (GDPR), which requires that a data breach be notified to the supervisory authority within 72 hours of the organisation becoming aware of it.
Professor Abu Bakar, who himself had a hand in drafting the PDPA, feels that the Act could be amended to include a breach notification clause. If amending the Act proves too difficult, the requirement could instead be introduced through subsidiary legislation, that is, a regulation made by the Minister under the powers the Act already provides.
Yuen admits that the private sector may raise objections.
"The potential disadvantages include the fact that by giving publicity to a breach, we may create more awareness that such data is available to unscrupulous parties. Other concerns that have been raised include the increased cost of business as well as sometimes the lack of proof that real or significant harm has been done by a breach."
"However, in my view, the benefits clearly outweigh the potential disadvantages," stressed Yuen.
Nevertheless, one shortcoming of the PDPA, in Yuen's view, is that it does not apply to the Government. "As a key acquirer and user of personal data, the Government itself should be required to comply with PDPA and breach notification laws."