In the aftermath of the shocking revelation that there had been a massive data breach in this country, many Malaysians were asking how this could have happened. Could it have been prevented if the necessary precautionary steps had been taken and vigilant monitoring had been carried out by the regulatory authorities to ensure full compliance with the law and codes of standard practice by data subjects and data users (the latter being those involved in the collection, processing and storage of personal data)?
Many of my colleagues felt it was unthinkable and unacceptable that, with the governing law, the Personal Data Protection Act 2010 (PDPA), in force since Jan 1, 2013, and the regulatory infrastructure already established (the Personal Data Protection Commissioner and the Personal Data Protection Department), this awful breach went undetected.
What is even more alarming is that members of the general public, who are affected by the breach, were never informed about it until recently.
In many countries, there are data breach notification laws that require data users to inform data subjects of the occurrence of data breaches. I am told that there is no such mandatory requirement under PDPA to notify the affected parties of a data breach. It is time to revisit this issue and remedy this legal loophole.
According to media reports, the stolen or leaked data involves personal information such as mobile phone numbers, MyKad numbers, home addresses and SIM card data of 46.2 million customers from at least 12 Malaysian mobile phone operators. The leaked data is also believed to contain private information of more than 80,000 individuals, whose records are kept by the Malaysian Medical Council, the Malaysian Medical Association, and the Malaysian Dental Association.
Fortunately, the police had identified the suspects responsible for this new crime. According to Inspector-General of Police Tan Sri Mohamad Fuzi Harun, the breach was believed to have occurred during a data transfer process at a telecommunications company. He also said certain individuals in the company had committed the breach, but assured that no syndicates were involved.
In layman’s terms, a “data breach” is the wrongful release of secure private and confidential information to an unauthorised environment.
In legal terms, a data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorised party.
Data breaches can involve (a) financial information such as credit card or bank details, (b) personal health information, (c) personal identification information, and (d) trade secrets or intellectual property of corporations. Most data breaches involve unprotected, vulnerable and over-exposed data, such as files, documents and sensitive information.
Popular search engine Yahoo recently announced that all three billion of its user accounts were compromised in a data breach in 2013. This is three times higher than the earlier figure of one billion exposed accounts. The stolen user account information included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted security questions and answers.
A Malaysian citizen’s right to personal data is protected, not only under PDPA (Act 709), but also under the common law of privacy. There are five aspects of common law privacy — namely the right to be left alone, physical privacy, privacy of communications, territorial privacy and informational privacy.
Informational privacy means the right of an individual to have control over his personal information — in other words, personal data protection. Whilst the two laws overlap, the common law of privacy is wider in scope than the personal data protection law under Act 709.
The term “personal data” is defined in section 4 of the PDPA as “any information in respect of commercial transactions” which is processed or recorded and relates directly or indirectly to a “data subject”. The term “sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs, or the commission or alleged commission by him of any offence.
Under section 130, the unlawful collection, disclosure or sale of personal data is punishable with a fine of RM500,000 or imprisonment of up to three years or both. Under section 131, a person who abets or attempts the commission of such an offence is liable to the same punishment.
Modern technology and the Internet have turned the whole world into a hacker’s playground. Hackers are continuously changing their “business models”. In the past, hackers gained data unlawfully for purposes of sale. They are called “cyber launderers”, turning stolen data into cash. Nowadays, instead of just selling the stolen data on the market (the rise of cryptocurrency comes in handy for them), hackers hold their victims to ransom.
Corporations and organisations that process, collect and store data must rethink their security measures. According to the American Banker’s official portal, 80 per cent of breaches are caused by employee negligence or human error.
Unfortunately, companies are not spending enough on security and privacy training. According to a recent survey in the United States, only 54 per cent of surveyed organisations conduct regular security-awareness training for all employees.
A careless employee who leaves his unlocked smartphone in a taxi poses as much danger to his employer as a disgruntled worker who leaks company information to a business competitor. An employee who is not trained in security best practices, who has a weak password, visits unauthorised websites, clicks on links in unsolicited and suspicious emails and blindly opens email attachments, poses an enormous security threat to his employer’s systems and data.
The writer formerly served in the Attorney-General’s Chambers before he left for private practice, the corporate sector and, then, academia.