Symantec Corporation welcomes the enforcement of Malaysia’s Personal Data Protection Act.
In today’s digital economy, personal data of consumers has become a rich source of information and data for businesses seeking to address the needs of their customers better, whether this is in the form of better targeted advertising, or services tailored to the needs of particular customers.
With the introduction of the Act, Malaysia recognises that as the custodian of so much customer data, companies and organisations also have a responsibility to their customers to ensure that the information they hold is accurate, and adequately protected.
While global multinationals have had a lot of experience in this area, due to similar legislation in the United States and Europe, for many of the local smaller enterprises in Malaysia, this is a new frontier.
With the rapid adoption of IT technology to improve the customer experience, through web portals or affinity and membership programmes, these enterprises have also collected a lot of personal data of their customers, and today share similar responsibilities under the Act.
Small and Medium Businesses (SMBs) are an important part of Malaysia’s economy as they constitute 99.2% of the total business establishments, contribute about 32% of Gross Domestic Product (GDP) and 59% of total employment.
SMBs are also a crucial part of the ecosystems as partners of multi-national corporations (MNCs) as they do business in Malaysia.
However, it is also increasingly apparent that MNCs see a risk in doing business with partners who are not able to protect the sensitive data being shared with them.
In 2011, 18% of all targeted cyber attacks globally were on enterprises with 250 employees or less. In the first half of this year, Symantec saw this percentage double to 36%.
Cybercriminals recognise that because of the lower security posture of SMBs, they are much easier targets, who would also have information (their own or partners’ customer data, or Intellectual Property) which can be stolen and monetised.
In addition, compromised systems of SMBs are also used as stepping stones into the systems of their business partners.
It is thus important that SMBs recognise the exposure they have to cyber attacks, and the possible damage to their companies, through loss of reputation, business, and even legal censure, in the case where cybercriminals are able to steal data from inadequately protected systems.
In the more than two years since the enactment of the Act in Malaysia, the cybersecurity threat landscape has increased in complexity and scale. News of large-scale breaches of companies' databases has been a constant, and even the largest and best protected systems have not been spared.
It is thus timely for the Government to also consider the introduction of mandatory breach notification within the Act.
This would be in line with many other jurisdictions which have either implemented such legislation or are in the process of doing so.
Mandatory breach notification is an important part of any data protection legislation as it gives companies a definitive course of action on what must be done in the case of a data breach.
By informing affected stakeholders, this also gives them the opportunity to take the required remedial actions (such as changing passwords, or having their financial institutions change their credit card numbers) to mitigate the consequences of the breach.
While it is recognised that this may increase the regulatory overheads of the Act, and represent an increased burden on companies, the resulting improved consumer confidence in the data protection regime as well as e-commerce can only be helpful to Malaysia, as it moves towards developing its own digital economy.
NG KAI KOON Symantec Corporation Kuala Lumpur
Personal Data Protection Act to come into force Jan 1, 2013
KUALA LUMPUR: The Personal Data Protection Act, aimed at preventing the abuse of citizens' personal data for commercial purposes, will come into force on Jan 1, said Deputy Information, Communications and Culture Minister Datuk Joseph Salang.
He said the Act, which was passed by Parliament in 2010, plays a crucial role in safeguarding the interest of individuals and makes it illegal for corporate entities or individuals to sell personal information or allow the use of data by third parties.
Many quarters, he said, felt that the enactment of the Act was timely as it would facilitate the transfer and transmitting of personal and often very important information seamlessly.
"It gives the public more control over their personal data. Whenever consent is required for data processing, it'll have to be given expressly rather than impliedly or be assumed," he said in his keynote address at the Second Annual Personal Data Protection Summit, here on Wednesday.
He said organisations would need to embark on continuous data privacy audit exercises to ensure compliance with the law as they now faced increased responsibility and accountability in processing personal data disclosed to them.
Salang said that to administer this piece of legislation, the Personal Data Protection Department was established on May 16, 2011.
Under the Act, offenders can be jailed for up to two years or fined RM300,000, or both, if convicted.
Salang urged the public to be careful about information they shared online, especially in social media applications.
"Unfortunately, this is an 'open window' to our lives which makes it easier for those with nefarious intent to obtain information and use it for their own ends," he cautioned. - Bernama