With the benefit of hindsight, the second half of 2019 proved to be a tumultuous time for Malaysian businesses when it came to security of the personal data of their customers.
In Q3 of 2019 alone, we saw the news below making headlines in Malaysian news outlets:
- The second leakage of Astro subscribers’ names, identity card numbers, data of birth, gender, race and address;[1] and
- the leakage of Malindo’s passengers’ information including passport details, home addresses and phone numbers.[2]
Perhaps reading this article will give readers a sense of déjà vu, as this was the SECOND instance of personal data leakage originating from Malaysia’s largest cable TV network. We briefly mentioned a previous leak in our article here from 2018.
The above are just examples of some of the more prominent incidents. This is particularly worrying, considering that Malaysia was very recently ranked very unfavourably for our personal data protection regime.
A personal data breach is not just bad PR for businesses. A personal data breach also puts individuals whose personal data has been breached at a heightened risk of identity theft, spamming and / or unwanted targeted advertising, among others.
In response to the incidences above, the Ministry of Communications and Multimedia (“MCMC”) and the Minister of Communications and Multimedia released a statement stating that the MCMC is currently reviewing the Personal Data Protection Act 2010 of Malaysia (“PDPA”) to “ensure it applies to those receiving leaked information along with data leakers, and to ensure actions against cross-border hackers activities via cooperation with ASEAN countries”.
While those are lofty goals, we are not entirely clear on the content of the proposed amendment. However, there is a low hanging fruit that MCMC and the Department of Personal Data Protection of Malaysia (“PDP”) can pursue – data breach notification.
The General Data Protection Regulations of the European Union (“GDPR”) mandates that data controllers (businesses are a class of data controllers) to notify the relevant supervisory authorities within 72 hours upon the occurrence of a personal data breach, unless such breaches are unlikely to result in a risk to the rights and freedoms of individuals.[3] In addition, if the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, data users are obliged to notify the data subjects (customers are a class of data subjects) of the same.[4]
For the ease of reading, the above obligations shall be referred to as “Data Breach Notification”, or DBN. Broadly, DBN places obligations on data users to have robust breach detection, investigation, record keeping and internal reporting processes in place when a data breach arises. DBN further requires both regulators and individuals (the data subjects) to be notified by the data user of a breach of personal data within a specific time frame, in order to take active steps to contain the leakage and manage the risks occurring from a personal data leakage.
The PDP is aware of the omission, as it is the subject matter of the Public Consultation Paper No. 1/2018 (“PCP”) published by the PDP in which feedback is solicited from the Malaysian public with regards to the implementation of DBN under the PDPA.
As at the date of publishing of this article, the PDPA still does not contain any DBN obligations on businesses, but do watch this space as we anticipate legislative developments in this area soon. To prepare for this almost inevitable introduction of DBN, organizations should ask themselves these key questions:
- What is a personal data breach?
- What systems do we have to detect breaches?
- What is our internal investigation and reporting procedure when a breach occurs?
- Do we have an internal decision making process on whether to notify a breach to the authorities and affected individuals?
- What information must we provide to individuals when telling them about a breach?
- What other steps should we take in response to a breach?
To be clear, the PDPA, its subsidiary legislations, and the Personal Data Protection Standard 2015 do contain obligations on businesses to protect personal data of its customers and employees, notwithstanding that there is no clear DBN obligation as yet. Donovan & Ho has written about this briefly in this article.
Personal data leakages are a very real problem that has arisen time and time again. Businesses and Malaysian regulators have to work hand in hand to overcome this thorny issue, and the formulating of regulatory solutions like DBN can’t come soon enough.
[1] https://www.thestar.com.my/tech/tech-news/2019/08/22/astro-suffers-another-data-breach-in-the-midst-of-informing-affected-customers
[2] https://www.nst.com.my/news/crime-courts/2019/09/524082/malindo-data-leak-breach-caused-ex-staff
[3] Article 33, GDPR.
[4] Article 34, GDPR.
***
This article was written by Shawn Ho (Partner) & Ian Liew (Associate) from the corporate practice group of Donovan & Ho. Shawn leads the corporate practice group of Donovan & Ho, and has been recognised as a Notable Practitioner, whilst the firm has been recognised as a Notable Firm for Corporate and M&A by Asialaw Profiles 2020. We are also ranked a Recommended Firm by IFLR1000 2020.
Our corporate practice group advises on corporate acquisitions, restructuring exercises, joint venture arrangements, shareholder agreements, employee share options and franchise businesses, Malaysia start-up founders and can assist with venture capital funds in Seed, Series A & B funding rounds. Feel free to contact us if you have any queries.
