ID Theft and Consumer Protection — From the GCC Review Workshop

By: Sonny Zulhuda

Initiated by the Communications and Multimedia Consumer forum of Malaysia (CfM), this national workshop took place on Thursday, 6th May 2010 at the MCMC Headquarter, Cyberjaya, Selangor, Malaysia. Participants came from various quarters such as universities, industries as well as government agencies. The main agenda was to review the provisions of General Consumer Code and to come up with recommendations to improve them.

Before the participantsgo to smaller group discussions, the floor heard presentation from some representatives of the Consumer Forum as well as the Government. Among others, En. Maz Malek (from the Ministry of Information, Communications and Culture) strongly emphasised that consumers interest is government interest, and is a national interest. In order to reflect this seriousness, the Government urges that consumer complaints would have to be entertained and settled in 72 hours (3 days). He also stressed about the newly-passed Personal Data Protection Act that would reform the legal landscape of consumer protection in Malaysia.

Mr. Abdul Rosyid from the Ministry of Domestic Trade, Cooperatives and Consumerism Affairs informed the workshop participants that Direct Selling Act and Consumer Protection Act have been emended to include electronically-effected transactions under their protection. Nevertheless, there are still lots of pressing issues going on in the public that are not entirely settled. He mentioned among others the issue of misuse of personal data and incidents of unknown parties sending sms-es asking people to provide their personal data under the pretext of awarding presents or bonuses, etc. This is simply phishing/smishing issues in which personal data and identities are stolen.

This unwanted disclosure, namely information theft or data theft, is on rise due to at least two motives; firstly, information theft is now becoming a very serious threat to the integrity, confidentiality and availability of organisation’s information assets, leading to disruption of business, the corruption of its technical infrastructure and destruction of reputation of people behind it. The second motive is down to the fact that information theft is now a hugely-increasing and attractive business, exploiting its ‘market’ from both technical and human vulnerabilities.

Identity breach/theft and phishing is not exclusively Malaysian issue, just look at these stats that I compiled:

In the US

• Back in 2003, the Federal Trade Commission (FTC) reported that identity theft –the most popular type of information theft– alone was the reason behind nearly US$48 billion annual costs for the businesses and an additional five billion per year for consumers (Kate Brimsted. “Data security breaches – Is Europe heading for US standards of openness?” Privacy and Data Protection, 1 Nov 2006 PDP 7 1(3)).

• There were 656 reports of breaches in 2008, compared with 446 for 2007, and an estimated 35.7 million records were potentially breached based on notification letters and information from breached companies in the US (Elinor Mills, “Study: Data breaches rose in 2008,” at http://news.cnet.com/8301-1009_3-10134825-83.html?tag=mncol;title).

• A total of over 250 million records of US residents have been exposed due to security breaches between January 2005 and February 2009 (The Ponemon Institute, “2008 Annual Study: US Cost of A Data Breach” at http://www.encryptionreports.com/costofdatabreach.html).

In the UK

• In the United Kingdom, the problem of information theft becomes more serious as it severely affects public institutions. The overall report in 2007 stated that computer and data theft is still a prominent risk for large corporations as 28% of them were affected (PriceWaterHouseCoopers. 2008. Information Security Breaches Survey (ISBS) 2008).

• The independent authority responsible for Data Protection in the UK, the Information Commissioner’s Office (ICO) has reported over 277 breaches of significant volume since the His Majesty Revenue & Customs (HMRC) breach in November 2007 (The Ponemon Institute, “2008 Annual Study: UK Cost of A Data Breach” at http://www.encryptionreports.com/costofdatabreach.html).

In Malaysia

• It was reported that in Malaysia in 2006, a total of 1372 cases involving security incidents were handled by MyCert of the CyberSecurity Malaysia, representing an increase of 82% from the previous year. Interestingly, the cases mainly involved web defacement and phishing (Multimedia Development Corporation, A guide to managing cybercrime in Malaysia, Report by MDec Sdn Bhd, 2007).

• The incidents of Internet fraud were dominating the Internet security incident statistics in the later year. In 2007, there were a total of 1038 reported incidents (excluding spam) which range the threats to harassment issues, fraud, hack threat, malicious code, denial of service and intrusion (MyCert. Incident Statistics 2007, at http://www.mycert.org.my/abuse-stat/index.html).

• Meanwhile, the figures in 2008 statistics were unsurprisingly maintaining the domination of the two abuses, except that this time the computer-related fraud (such as online scams and phishing attacks) overcomes the intrusion incidents (MyCert. Incident Statistics 2008, at http://www.mycert.org.my/abuse-stat/index.html).

• In agreement with the reports above, national consumer associations argue data security and ID theft are becoming more serious. The National Consumer Complaints Centre receives around 20 complaints involving identity fraud a year; a figure which is increasing (The Star, 15^th March 2008).

Looking at these figures, there is no doubt that the issue of identity theft could and would dominate the issues of consumer protection especially that in telecommunications and multimedia industry.