By: Sonny Zulhuda
This year’s ISACA Malaysia conference was renamed the CyberSecurity, IT Assurance & Governance (CIAG) Conference 2016, and was held on 30th May 2016 at Le Méridien hotel, Kuala Lumpur. My friends and colleagues in ISACA Malaysia were kind enough to invite me for the fourth time to their annual national conference. Last year, I was invited to speak about the pros and cons of the Internet of Things (IoT) in the form of a debate, together with a representative from the Malaysian Digital Economy Corporation (MDeC).
In this year’s edition, I was seated in a panel discussion to speak about the protection (or assurance) of privacy in cyberspace. With me as panelists were Mr. Retnendran Subramaniam CISA, CRISC (former ISACA Malaysia chairman) and Mr. Victor Lo, the Head of Information Security, InfoTech Division, MDeC. The panel was moderated by Mr. Jason Yuen from Ernst & Young Malaysia. Here is what the program says about my panel session:
We have tonnes of confidential information digitised and stored in every possible storage media in cyberspace, via both popular applications, being direct cloud-based services and/or social media platforms, and applications that are designed for specific groups of professionals. However, one question remains. What happens to the information after the click of the mouse? Can we forego privacy in return for convenience? Are we assured of our privacy from the one provider who is holding all the confidential information and our own business strategic plans? The panellists will share what it takes to protect privacy in the cyber world without losing the convenience.
I first talked about the nature of privacy vis-à-vis technology. Talking about privacy is talking about human nature. When people invent technology, they should not forget what it takes to be human. Therefore innovation must be privacy-embedded from the very beginning, making it more acceptable to the market, i.e. privacy by design. Protection of our privacy has long been defeated by fear and greed. Fear motivates the government, while greed motivates the industry. At the end of the day, privacy is forgone.
I also shared with the audience that online privacy today is under constant challenge and threat from a few technological trends such as the Internet of Things, the Critical Information Infrastructure, Cloud technology, Social media (e.g. face-identification technology) and Surveillance. To address the protection of privacy online, we require some strategies across many platforms and forums. Awareness & norms must be strengthened from time to time, as they are an underlying social infrastructure in protecting people’s privacy. Next, information governance must set in. This includes designing and implementing Privacy-enhancing Technologies (PETs), including encryption and de-identification technologies.
Laws & Regulations
On top of that, laws & regulations play their perpetually important role in addressing privacy online. Therefore we discussed at some length the latest piece of legislation in Malaysia addressing personal data protection, namely the Personal Data Protection Act 2010 (Act 709). Besides, the emergence of the law of torts on breach of privacy in Malaysian courts should also come to our attention.
I highlighted some challenges to the data privacy law in Malaysia as follows:
- Torts on privacy breach are only recently evolving
- New law (PDPA 2010) requires socialisation, education and culture building
Some loopholes, however, call for our prompt attention, namely:
- Inapplicability to the government's personal data processing
- A series of broad exemptions
- Statute’s silence on civil remedies
- Absence of data breach reporting duty.
At the end of the lively forum, I advised the audience not to digitise everything: your personal data, your pictures, your trip, your friendship, your house, your activities, your feelings, etc. Why should you? We just need to be smart netizens, employing our common sense as much as we do offline. Moreover, a habitual self-audit will help people to prevent any potential data abuse.
While privacy is so much a part of our life and data is part of our identity, we should not confuse them with technology and gadgets, which are merely disposable and wearable accessories. You don’t want to lose life for just a lifestyle or to ever sacrifice your privacy for an ever-changing gadget!
Note: For some parts and materials I used for the presentation, I would like to acknowledge my past research project under the Fundamental Research Grant Scheme (FRGS 13-045-0286) commissioned by the Ministry of Higher Education, Malaysia.