My Intro: The following passages were published by the Star in their Sunday Edition (6th January 2013) at pp 23-24. The article is about what Malaysian consumers should know and do in relation to their personal data. It is based on another interview the journalist had with me. For the benefit of the readers, I reproduce some parts of the article in this page. Should you want to read it in full, check the newspaper’s pageHERE.
“Consumers, take control of your personal data”
The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.
EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner. Weeks later, she found herself inundated with phone calls and text messages offering different services and products.
It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?
This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.
Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.
In my last post I made note about why banks should or must care to protect the personal data with them. In this post I just want to put that note in real perspective, learning from real cases and incidents involving major banks in the world.
First, it was reported that Citigroup breach exposed data on 210,000 customers (here for the full report)
Citigroup admitted Wednesday (June 8th, 2011) that an attack on its website allo
wed hackers to view customers’ names, account numbers and contact information such as email addresses for about 210,000 of its cardholders in North America. Although hackers may have not gained complete information on cardholders, the contact information is enough for scammers to try and elicit more information through targeted attacks. The email addresses, for example, could be used to send “phishing” messages asking for other sensitive information which could potentially give identity thieves enough to start committing fraud.
Second, you’ll see how Data breaches lead to massive fines for three HSBC firms (here for the report)
Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data. The FSA claimed the three firms sent large amounts of unencrypted data – often on discs sent via the post – and staff were untrained on the issue of identity theft. The FSA said that, in April 2007, HSBC Acutaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.
Contrary to the traditional belief, information is no longer a mere business processing tools. It is now the very asset that turns to become the commodity of the business itself – becoming more powerful and valuable than any other physical assets. And this is particularly obvious in financial and banking industries where the acquisition of personal data and the adoption of information technology (IT) have both transformed the banking industry as well as the associated operational risk management.
The demand to protect personal data in banking industry comes mainly from two factors. Firstly, the consumers are getting increasingly aware of their right to data privacy. The bulk of their data such as personal and family data, financial information, credit history, employment records, or legal matters are now the target of many predators who wish to acquire them for their benefit, ranging from unsolicited direct marketing, loyalty program recruitment, credit card applications, and even for malicious intent such as identity theft and fraud (or “phishing”).
Initiated by the Communications and Multimedia Consumer forum of Malaysia (CfM), this national workshop took place on Thursday, 6th May 2010 at the MCMC Headquarter, Cyberjaya, Selangor, Malaysia. Participants came from various quarters such as universities, industries as well as government agencies. The main agenda was to review the provisions of General Consumer Code and to come up with recommendations to improve them.
Before the participantsgo to smaller group discussions, the floor heard presentation from some representatives of the Consumer Forum as well as the Government. Among others, En. Maz Malek (from the Ministry of Information, Communications and Culture) strongly emphasised that consumers interest is government interest, and is a national interest. In order to reflect this seriousness, the Government urges that consumer complaints would have to be entertained and settled in 72 hours (3 days). He also stressed about the newly-passed Personal Data Protection Act that would reform the legal landscape of consumer protection in Malaysia.
Mr. Abdul Rosyid from the Ministry of Domestic Trade, Cooperatives and Consumerism Affairs informed the workshop participants that Direct Selling Act and Consumer Protection Act have been emended to include electronically-effected transactions under their protection. Nevertheless, there are still lots of pressing issues going on in the public that are not entirely settled. He mentioned among others the issue of misuse of personal data and incidents of unknown parties sending sms-es asking people to provide their personal data under the pretext of awarding presents or bonuses, etc. This is simply phishing/smishing issues in which personal data and identities are stolen.