Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda

Ransomware

No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

Advertisements

Personal Data Governance from A Cyber Security Perspective

By: Sonny Zulhuda

Data privacy and data security are two sides of a coin – unseparable. Despite efforts by experts to explain this, yet the misunderstanding that they defeat each other is still widely looming.  In this APAC Cyber Security Summit held in on 3rd June 2016 in Kuala Lumpur and attended by more than two-hundred regional participants, I took another attempt to explain this: How protecting one’s data privacy can contribute to a larger information security practices. Not coincidentally, one can see it from the other side: In order to afford maximum protection of one’s privacy, efforts must be taken to secure his data. Thus, data security is part of a bigger personal data privacy protection. Confused? Don’t be.

APAC Cyber Summit 2016_1The truth is, personal data management does include protecting its confidentiality, integrity and availablity. And doing so, it means one must ensure the privacy and security of personal data goes side by side.

In a report released by the PriceWaterhouseCoopers (PWC) in 2016 on Personal Data Use Governance – Mitigate Risk while Unlocking Business Value, there is a sfift (or more sutiably, an expansion) of personal data risks landscape from merely a security and regulatory issue, to an intersection of issues of ethical, regulatory, litigation, security and serivce quality.

At this Conference, I highlighted the latest status and implementation of the Malaysian Personal Data Protection Act 2010 and tried to show how the new regulatory framework reshape the landscape of information security in Malaysia.

The points can be summarised as follows:

  1. Perspective #1. PDPA 2010 creates data management principles
  2. Perspective #2. PDPA 2010 spells out the duties throughout data lifecycle
  3. Perspective #3. PDPA 2010 identifies data risks
  4. Perspective #4. PDPA 2010 creates new data offences
  5. Perspective #5. PDPA 2010 creates duty of data due diligence

Making sense of Dark Data

By: Sonny Zulhuda

BIG-DATAWhile big data is by now a commonly heard term, dark data is not. Some participants in the recently-held Singapore Symposium whispered to me that they had never heard about the term – so you can say they were in dark about Dark Data.

The term is new to me as well! Except that I have had a little earlier opportunity than those guys to read about it and to finally make sense of it.

It all rooted from the fact that we have had an abundance of data around us, and how much those abundant data are capable of being sourced as information. Yes, it is about Big Data. As we know, Big Data is about quantifying everything possible to be a data. A person’s identity is no longer depending on what is printed on documents (ID, passport, certificates) about him. A person is now identifiable from his mumbling words, his movement, his location, his mood and even the pattern of what he will do every day. All those data are being quantified and measured due to their availability from myriads of media, devices, and interactions (both human and artificial). What makes it possible? You name it: Mobile gadgets, Social media, CCTVs and commercial transactions you have been making, to name a few.

In organisational life, the same is happening. More and more data are collected and stored by organisations, manually and electronically. Data of employees (and their mumbling words, movements, location, mood, etc.), of visitors, of business transactions, of internal meetings, of vendor’s works, of all reports, records and repositories, etc. are increasingly collected, stored…. but not necessarily used. In many occasions those data are no longer usable after their first collection, and yet they still fill up the organisation’s storage (recent research indicates that these unusable data may stack up to 70% of oganisations’ data).

Those are dark data. Untapped, untagged and sometimes unknown data.

Now is this: the fact that they remain unused does not mean they are valueless. You can run this simple test: Should you dump all these data to your competitor or any third party, would there be a loss to suffer? What about a competitive loss, breach of secrets, infringement of privacy, reputation loss, legal liability? If yes, then such Dark Data should be urgently managed.

That is the first message that I delivered in my 1-hour talk in Singapore yesterday.

PDP Law Compliance for Educational Institution

By: Sonny Zulhuda

Educational institutions -universities, colleges, schools, etc.- are among those who are regulated by the Personal Data Protection Act (PDPA) 2010. The data subjects include: students (obviously the main object here), staffs or employees, vendors, alumni, sponsors, as well as those applicants who have yet join the universities/schools.

The amount of personal data are potentially bulky: personal details, medical records, financial and scholarship records, academic records, student societies records, disciplinary records and even post-study information about the students. Given this situation, people who deal with students’ data in the educational institutions would need to ensure their handling of personal data is in line with the demands of the Act.

In introducing the subject matter to the community in the University, I will be speaking in this following workshop, together with my friend Noriswadi Ismail from Quotient Consulting Sdn Bhd and PDP Academy LLP, and Dr. Federico Feretti from Brunel Law School, London, UK.

Banner PDP Workshop AIKOL 28052014 (4)

Privacy Policy in Corporate Practices

By: Sonny Zulhuda

Today my MBA students presented their assessment on privacy policy. This is a practical session for them to see how the principles of personal data protection are being put in in real life corporate conduct. They form a group and choose company of their own in order to look at their privacy policy as stated in their official websites.

The session was very informative and interactive, in which students were to highlight in summary what those companies do in general and what they do with personal information. Then they presented their assessment, examining how good the privacy policy is prescribed, and how well it is compliant with the principles of personal data protection law.

Among the interesting findings that they presented were: Continue reading

Data Protection Principles under PDP Law

By: Sonny Zulhuda

Understanding data protection principles is crucial to (re)formulate the business processes. For companies and organisations that in any way involve the use and exploitation of personal data of their employees, customers (actual and potential) and business partners, series of actions need to be taken to comply with the legal regime on data protection.

In Malaysia, this is particularly a cause of concern nowadays as the new law on personal data protection clearly requires data users to take certain actions.

Laid in the main body of the law is the prescription of data protection principles from which stemming all the rights, duties and liabilities of each of data user and data subject (Note: ‘data user’ is those who use, collect, process, etc. the personal data that belong to certain individuals. Those individual are called ‘data subject’).

In Personal Data Protection Bill that was recently passed by Malaysian Lower House of Representatives, the principles of personal data protection is laid down in Part II, sections 5-12. Continue reading

Credit Reporting Agencies (CRA) are NOT covered by PDP Act 2010

By: Sonny Zulhuda

Much have been said and written in the past two days regarding the passing of the Personal Data Protection (PDP) Act by the Dewan Rakyat on Monday this week. Of those hypes and hits, the name CTOS has been among the top, even days and months before the lawmakers finally okays the law.

Not less than parliament members from both sides (ruling and oppositions) as well as the Minister in charge of the law had indicated that with the birth of this Act, people’s suffering and distress due to the alleged misuse of their data by credit reporting agencies (also known as credit rating agency), such as CTOS (Credit Tip-Off Service Sdn Bhd) will see the end.

So happy ending, or is it? I do not think so. And I think this is a mistake, which is unfortunately echoed by the press and media.

Continue reading

  • December 2017
    M T W T F S S
    « Nov    
     123
    45678910
    11121314151617
    18192021222324
    25262728293031
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,582 other followers