PDPA: Need for mandatory data breach notification; SMBs vulnerable
By Ng Kai Koon December 31, 2012
- Govt should consider mandatory breach notification an important part of any data protection legislation
- Cybercriminals know that SMBs make easier targets, and also put their partners’ information at risk
In today’s digital economy, the personal data of consumers has become a rich source of information for businesses seeking to better address the needs of their customers, whether this is in the form of better targeted advertising, or services tailored to the needs of particular customers.
With the introduction of the Personal Data Protection Act (PDPA), Malaysia recognized that as the custodian of so much customer data, companies and organizations also have responsibilities to their customers to ensure that the information they hold is accurate, and adequately protected.
With Malaysia’s Personal Data Protection Act coming into force on Jan 1, 2013, we recommend looking into two key areas -- SMB (small and medium business) readiness and mandatory data breach notification.
Threat to SMBs
While global multinationals have had a lot of experience in this area, due to similar legislation in the United States and Europe, for many of the smaller local enterprises in Malaysia this is a new frontier.
With the rapid adoption of IT to improve the customer experience, through web portals or affinity and membership programs, these enterprises have also collected a multitude of personal data about their customers, and today share similar responsibilities under the PDPA.
SMBs are an important part of Malaysia’s economy. They constitute 99.2% of the total number of business establishments in Malaysia, contribute about 32% of the Gross Domestic Product (GDP) and 59% of total employment.
Beyond this, SMBs are a crucial part of the ecosystem as partners of multinational corporations (MNCs) which do business in Malaysia.
However, it is also increasingly apparent that MNCs see a risk in doing business with partners who are not able to protect the sensitive data being shared with them. In 2011, 18% of all targeted cyber-attacks globally were on enterprises with 250 employees or fewer.
In the first half of 2012, Symantec saw this percentage double to 36%. Cybercriminals recognize that because of the weaker security posture of SMBs, they are much easier targets, and that they also hold information (their own or their partners’ customer data, or intellectual property) which can be stolen and monetized.
In addition, compromised systems of SMBs are also used as stepping stones into the systems of their business partners.
It is thus important that SMBs recognize the exposure they have to cyber-attacks, and the possible damage to their companies, through loss of reputation, business, and even legal censure, in the case where cybercriminals are able to steal data from inadequately protected systems.
Mandatory data breach notification
In the more than two years since the enactment of the Personal Data Protection Act in Malaysia, the cybersecurity threat landscape has increased in complexity and scale. News of large scale breaches of companies’ databases has been a constant, and even the largest and best protected systems have not been spared.
It is thus timely for the Government to also consider the introduction of mandatory breach notification within the PDPA. This would be in line with many other jurisdictions which have either implemented such legislation or are in the process of doing so.
Mandatory breach notification is an important part of any data protection legislation as it gives a definitive course of action to companies of what must be done in the case of a data breach.
By informing affected stakeholders, this also gives them the opportunity to take the required remedial actions (such as changing passwords, or having their financial institutions change their credit card numbers) to mitigate the consequences of the breach.
While it is recognized that this may increase the regulatory overheads of the PDPA, and represent an increased burden on companies, the resulting improved consumer confidence in the data protection regime as well as e-commerce can only be helpful to Malaysia as it moves towards developing its own digital economy.
Ng Kai Koon is senior manager of Government Affairs, Asia Pacific and Japan, at Symantec Corporation