Cyber Security in the Era of Open Government: A note from the University of Sydney

By: Sonny Zulhuda

I was honored to be invited by the University of Sydney to talk about this on November 2016. The event, called “Cyber Security in the Era of Open Government”, sought to identify innovative solutions for improving the security of open government services and their users. 



Several keynoters were invited to provide for the best practices from the public and private sectors, both locally and internationally on issues surrounding the cyber security challenges associated with increasing citizens’ access to government data. The preview of the program can be traced in the USyd’s website page here.

The conference was split up into 3 thematic panels:

1. Open Government and Cyber Security in Australia. Three renowned personalities from Australian regulators spoke, namely Tim Pilgrim (Acting Australian Information Commissioner and Australian Privacy Commissioner); Elizabeth Tydd, (NSW Information Commissioner and Head of the Information and Privacy Commission); and Rolf Green, who was the Director of Information, ICT and Digital Government Division, Australian Department of Finance, Services and Innovation.

2. Open Government from Global Perspectives. In this session, I spoke alongside with an American Charles Bell, CEO of Startup Policy Lab (SPL); Dr. Janet Xu, Associate Researcher of the University of Oxford; and the Canadian Dr Khaled El Emam, himself a Professor at the University of Ottawa. I also like to note that this session was chaired by my friend Dr Adam Molnar, a lecturer in criminology at the Deakin University, Victoria, Australia.

3. Privacy, Surveillance and Government Services. This afternoon session presented a speakers from a diverse background, namely Dr. Elizabeth Coombs, NSW Privacy Commissioner; Professor Fleur Johns, Associate Dean (Research) UNSW; Bernard Keane, Crikey’s political editor.

Personal Data Governance from A Cyber Security Perspective

By: Sonny Zulhuda

Data privacy and data security are two sides of a coin – unseparable. Despite efforts by experts to explain this, yet the misunderstanding that they defeat each other is still widely looming.  In this APAC Cyber Security Summit held in on 3rd June 2016 in Kuala Lumpur and attended by more than two-hundred regional participants, I took another attempt to explain this: How protecting one’s data privacy can contribute to a larger information security practices. Not coincidentally, one can see it from the other side: In order to afford maximum protection of one’s privacy, efforts must be taken to secure his data. Thus, data security is part of a bigger personal data privacy protection. Confused? Don’t be.

APAC Cyber Summit 2016_1The truth is, personal data management does include protecting its confidentiality, integrity and availablity. And doing so, it means one must ensure the privacy and security of personal data goes side by side.

In a report released by the PriceWaterhouseCoopers (PWC) in 2016 on Personal Data Use Governance – Mitigate Risk while Unlocking Business Value, there is a sfift (or more sutiably, an expansion) of personal data risks landscape from merely a security and regulatory issue, to an intersection of issues of ethical, regulatory, litigation, security and serivce quality.

At this Conference, I highlighted the latest status and implementation of the Malaysian Personal Data Protection Act 2010 and tried to show how the new regulatory framework reshape the landscape of information security in Malaysia.

The points can be summarised as follows:

  1. Perspective #1. PDPA 2010 creates data management principles
  2. Perspective #2. PDPA 2010 spells out the duties throughout data lifecycle
  3. Perspective #3. PDPA 2010 identifies data risks
  4. Perspective #4. PDPA 2010 creates new data offences
  5. Perspective #5. PDPA 2010 creates duty of data due diligence

Privacy – How to be Assured in Cyberspace

By: Sonny Zulhuda

This year’s ISACA Malaysia’s Conference is renamed a CyberSecurity, IT Assurance & Governance (CIAG) Conference 2016, held on 30th May 2016, in Le Méridien hotel, Kuala Lumpur. My friends and colleagues in ISACA Malaysia are kind enough to invite me for the fourth time in their annual national conference. Last year, I was invited to speak about the pros and cons of Internet of Things (IoT) in the form of a debate, together with a representative from the Malaysian Digital Economy Corporation (MDec).

 

In this year’s edition, I was seated in a panel discussion to speak about the protection (or  Assurance) of privacy in the cyberspace. With me as panelists are Mr. Retnendran Subramaniam CISA, CRISC (former ISACA Malaysia chairman) and Mr. Victor Lo, the Head of Information Security, InfoTech Division, MDeC. The panel was moderated by Mr. Jason Yuen from the Ernst & Young Malaysia. Continue reading “Privacy – How to be Assured in Cyberspace”

Making sense of Dark Data

By: Sonny Zulhuda

BIG-DATAWhile big data is by now a commonly heard term, dark data is not. Some participants in the recently-held Singapore Symposium whispered to me that they had never heard about the term – so you can say they were in dark about Dark Data.

The term is new to me as well! Except that I have had a little earlier opportunity than those guys to read about it and to finally make sense of it.

It all rooted from the fact that we have had an abundance of data around us, and how much those abundant data are capable of being sourced as information. Yes, it is about Big Data. As we know, Big Data is about quantifying everything possible to be a data. A person’s identity is no longer depending on what is printed on documents (ID, passport, certificates) about him. A person is now identifiable from his mumbling words, his movement, his location, his mood and even the pattern of what he will do every day. All those data are being quantified and measured due to their availability from myriads of media, devices, and interactions (both human and artificial). What makes it possible? You name it: Mobile gadgets, Social media, CCTVs and commercial transactions you have been making, to name a few.

In organisational life, the same is happening. More and more data are collected and stored by organisations, manually and electronically. Data of employees (and their mumbling words, movements, location, mood, etc.), of visitors, of business transactions, of internal meetings, of vendor’s works, of all reports, records and repositories, etc. are increasingly collected, stored…. but not necessarily used. In many occasions those data are no longer usable after their first collection, and yet they still fill up the organisation’s storage (recent research indicates that these unusable data may stack up to 70% of oganisations’ data).

Those are dark data. Untapped, untagged and sometimes unknown data.

Now is this: the fact that they remain unused does not mean they are valueless. You can run this simple test: Should you dump all these data to your competitor or any third party, would there be a loss to suffer? What about a competitive loss, breach of secrets, infringement of privacy, reputation loss, legal liability? If yes, then such Dark Data should be urgently managed.

That is the first message that I delivered in my 1-hour talk in Singapore yesterday.

Information Governance and Dark Data Management

By: Sonny Zulhuda

Next week on 7th July 2015. Carlton Hotel, Singapore. The event’s name is Innoxcell Asia Symposium 2015 on Legal Risk, Compliance, e-Discovery, Financial Crime, Corporate Governance and Data Privacy.

I will be speaking on one compelling issue concerning the information governance, namely dark data management.

Dark Data (credit: http://www.cio.in)
Dark Data (credit: http://www.cio.in)

Techopedia defines “dark data” as “a type of unstructured, untagged and untapped data that is found in data repositories and has not been analyzed or processed. It is similar to big data but differs in how it is mostly neglected by business and IT administrators in terms of its value.”

Dark data is operational data that is not being used. Consulting and market research company Gartner Inc. describes dark data as “information assets that organizations collect, process and store in the course of their regular business activity, but generally fail to use for other purposes.” (Citation from TechTarget).

It was reported in Forbes that these class of data, similar to dark matter in physics, cannot be seen directly, yet it is the bulk of the organizational universe.

The background of this talk is the fact that the amount of operational information —both structured and unstructured— that companies create and store are drastically increasing due to digitisation and mobility. Dark data management emerged as another challenge for corporate information governance. Under the increasing pressure from new regulatory regime and consumer expectation, corporate data must be well managed if companies wish to survive in today’s information age.

In this session I will explore the nature of corporate information legal risks in the context the Big Data and offers insights on information governance to transform data from a liability into an asset.

For more on the event: Innoxcell Asia Symposium 2015 on Legal Risk, Compliance, e-Discovery, Financial Crime, Corporate Governance and Data Privacy. Will be speaking alongside prominent international speakers, who can be retrieved from here.

The Problems with IoT (Internet of Things)

By: Sonny Zulhuda

Today I will be speaking at the IT Governance, Assurance and Security Conference 2015, held annually by ISACA Malaysia and the Malaysian National Computer Confederation (MNCC). In the slotted debate panel, I will be speaking about the problems and challenges brought about the Internet of Things (IoT) vis a vis individuals’ privacy. My debate counterpart will be Mr. Hizamuddin from MDEC.

Here are some details:

Debate ISACA

And here is for the event link:

Click to access IT%20GOV%202015.pdf

The summary of my points are aa follows:

=== IoT vs Privacy ===

1. IoT is conceptually flawed/problematic because it equates human and other objects (“things”)

* Under EU Data protection law, there is a legal rule protecting individuals against data automated processes

* IoT, like any other innovations, is wrongly perceived as technical matters, not really human affairs

* Privacy is a fundamental need, its protection cannot be sidelined, reduced or outsourced to others (including things)

2. Businesses looking for a quick RoI, invested only on technical requirements, not on the prerequisite culture

3. Those countries who introduce IoT (US, EU, Japan, Korea) are already equipped with a strong privacy laws, unlike Malaysia where the law is in the making at initial stage.

PDP Law Compliance for Educational Institution

By: Sonny Zulhuda

Educational institutions -universities, colleges, schools, etc.- are among those who are regulated by the Personal Data Protection Act (PDPA) 2010. The data subjects include: students (obviously the main object here), staffs or employees, vendors, alumni, sponsors, as well as those applicants who have yet join the universities/schools.

The amount of personal data are potentially bulky: personal details, medical records, financial and scholarship records, academic records, student societies records, disciplinary records and even post-study information about the students. Given this situation, people who deal with students’ data in the educational institutions would need to ensure their handling of personal data is in line with the demands of the Act.

In introducing the subject matter to the community in the University, I will be speaking in this following workshop, together with my friend Noriswadi Ismail from Quotient Consulting Sdn Bhd and PDP Academy LLP, and Dr. Federico Feretti from Brunel Law School, London, UK.

Banner PDP Workshop AIKOL 28052014 (4)

Personal Data Protection a Key Concern for Human Resources (HR) Professional

By: Sonny Zulhuda

More personally identifiable information (PII) is being captured in the commercial activities across sectors and industries. The workplace today has become a battleground for protecting employees’ valuable personal data that includes their personal records, financial status, medical information as well as the professional data relating to their jobs.

Image

As a result, it is not too much to say that managing human resource HR) data has now become a critical success factor for organisations both internally and externally. Internally, because an effective and sustainable personal data management supports the works of everyone in the organization who relies on those data. Externally, because personal data has now become a crucial issue closely linked with managing trust and competitiveness while trying to grab the best human capital in the industry.

Given this, a Human Resource (HR) manager plays a central role to ensure that personal data of the employees and anyone around them would remain as assets and not turn out as liabilities for the commercial organizations. And for Malaysian employers, dealing with personal data of their employees, customers as well as their service providers has transformed from largely a business and operational issue to a legal and compliance concern.

With the enforcement of the Personal Data Protection (PDP) Act 2010 (Act 709), the operational landscape for human resource management has tremendously changed. The Act tasks the employers with a series of obligations relating to the collection, use, disclosure and retention of the personal data in their control, including data of employees, job applicants, former workers, outsourced service providers, vendors and customers.

Even though measures from industrial laws and guidelines are abundant and in place, employers are still in the dark about the multi-dimensional effect of the PDP Act 2010 on the employment relationship. Many practical issues arose in the workplace and throughout the employment lifecycle. These questions would likely arise:

Do-Not-Call Registry (DNCR) to Protect Personal Data?

By: Sonny Zulhuda

In March, I featured in The Sunday Star (9/3/2014) reporting on the need to establish a “Do not call registry” to protect people’s personal information. The main issue discussed was to scrutinize an initiative to have a DNCR and its operational and legal challenges. The full report can be traced here.

Image

 

The question that was posed to me was: (1) How good is the idea of DNCR for Malaysian consumers? AND (2) Do you foresee any issues that might arise when they  implement this?

Here are my comments:

Speaking at the Global Information Governance Summit (GIGS 2013)

By: Sonny Zulhuda

ImageThis is just to share of my upcoming presentation at the Global Information Governance Summit (GIGS 2013) that is held in Kuala Lumpur, 28th-29th of May 2013.

I will be speaking in the session 3 of day 2, entitled “Selected Issues in Information Security Law and Data Protection”. I will be speaking more specifically about the threat of identity theft; spam; data surveillance and cyber-terrorism!

The event is jointly organised by the QC Consulting and Universiti Teknologi Malaysia (UTM) Space. Here is the snapshot of the agenda at the second day.

 

Image

The list of the speakers are amazing. I hope I can deliver something new to the audience. Let me know if you’re there too. That is for now, will share more when things are done!:)