My Intro: The following passages were published by the Star in their Sunday Edition (6th January 2013) at pp 23-24. The article is about what Malaysian consumers should know and do in relation to their personal data. It is based on another interview the journalist had with me. For the benefit of the readers, I reproduce some parts of the article in this page. Should you want to read it in full, check the newspaper’s pageHERE.
“Consumers, take control of your personal data”
The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.
EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner. Weeks later, she found herself inundated with phone calls and text messages offering different services and products.
It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?
This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.
Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.
This 2nd Annual Personal Data Protection Summit was held in Royale Chulan of Kuala Lumpur. As admitted by the organiser (the World Asian Summit), this year edition showed much bigger interest. This impressive crowd attendance can only mean one thing: the undeniable importance of the PDP Act 2010.
The Deputy Minister Dato’ Joseph Salang had re-emphasised the Government’s seriousness about implementing the long-awaited legislation, which was already passed since June 2010. In his key-note speech, he again revealed that the Act will be enforced on the 1st January 2013 – echoing similar statement by the Minister of Information, Communications and Culture recently (Read reports on Dato’ Joseph’s announcement here, here and here).
Last time In May ’12, I was invited by the Federation of Public Listed Companies (FPLC) and the Malaysian Institute of Corporate Governance (MICG) to speak in their National Conference on IT Governance, Data Protection and Cyber Security.
I chose to speak about the importance of the Privacy Impact Assessment (PIA) as an implementing tool for complying with the data management rules and obligations under the law. The exact title of my presentation was “Privacy Impact Assessment for a Better Corporate Governance: The New Legal Landscape in Managing Corporate Data Assets.”
In fact, this was the first time I spoke about it. I just felt that people especially the corporate citizens need to be told in a more practical way on why and how they should comply with the laws on personal data management, i.e. the Personal Data Protection Act 2010 as far as Malaysia is concerned.
Major legal issues on data privacy in Malaysia were resolved with the introduction of the Personal Data Protection Act (PDPA) 2010. Being the main legal framework for protecting data privacy of individuals, PDPA regulates the processing of personal data in commercial transactions and to provide for matters connected therewith.
Under section 4, “personal data” refers to any “data that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.”
Meanwhile, “commercial transactions” mean “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.”
The enactment of the PDPA is arguably a milestone for the development of e-commerce and e-government in Malaysia, considering that a massive and increasingly valuable amount of personal information are being stored, processed and exploited. However, there is a cause for concern here that the Parliament has expressly excluded the application of PDPA to the Federal Government and State Governments in section 3. Commentators opined that this exclusion would have a far-reaching implication in terms of the development of data protection law in Malaysia. Nevertheless, it is argued that this law can still help protect the security of e-government in Malaysia in one way or another.
In my last post I made note about why banks should or must care to protect the personal data with them. In this post I just want to put that note in real perspective, learning from real cases and incidents involving major banks in the world.
First, it was reported that Citigroup breach exposed data on 210,000 customers (here for the full report)
Citigroup admitted Wednesday (June 8th, 2011) that an attack on its website allo
wed hackers to view customers’ names, account numbers and contact information such as email addresses for about 210,000 of its cardholders in North America. Although hackers may have not gained complete information on cardholders, the contact information is enough for scammers to try and elicit more information through targeted attacks. The email addresses, for example, could be used to send “phishing” messages asking for other sensitive information which could potentially give identity thieves enough to start committing fraud.
Second, you’ll see how Data breaches lead to massive fines for three HSBC firms (here for the report)
Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data. The FSA claimed the three firms sent large amounts of unencrypted data – often on discs sent via the post – and staff were untrained on the issue of identity theft. The FSA said that, in April 2007, HSBC Acutaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.
Contrary to the traditional belief, information is no longer a mere business processing tools. It is now the very asset that turns to become the commodity of the business itself – becoming more powerful and valuable than any other physical assets. And this is particularly obvious in financial and banking industries where the acquisition of personal data and the adoption of information technology (IT) have both transformed the banking industry as well as the associated operational risk management.
The demand to protect personal data in banking industry comes mainly from two factors. Firstly, the consumers are getting increasingly aware of their right to data privacy. The bulk of their data such as personal and family data, financial information, credit history, employment records, or legal matters are now the target of many predators who wish to acquire them for their benefit, ranging from unsolicited direct marketing, loyalty program recruitment, credit card applications, and even for malicious intent such as identity theft and fraud (or “phishing”).
Nope, this is not (yet) a ready paper. It’s an ongoing research that I am now conducting, funded by an internal research grant. It takes as the background the revolutionary growth of the information and communications technology and its use in the storing, processing and disseminating personal information.
We all know that such phenomenon (ICT+data processing) has unveiled one huge challenge in the form of identity theft. Described as unlawful acquisitions of personal data that belongs to others, identity theft incidents are reported in Malaysian media on regular basis. The lost, stolen or compromised personal data has not become an incident of its own. Rather, it provides “ammunitions” for further action such as credit cards forgery or impersonated bank accounts that are used as a platform for further crimes.
Recently local newspapers had flooded us with news on these, such as these:
Malaysians have lost RM4mil through phishing (identity fraud) within the first three months of the year alone. There were 457 cases recorded in the first quarter of the year, exceeding the 353 reported for the whole of last year where the victims lost a total of RM1.2mil. In 2009, only 75 cases were reported with total losses of around RM215,000. Federal Commercial Crime Investigations Department director Commissioner Datuk Syed Ismail Syed Azizan said the number of cases reported this year had reached a record high with authorities and the banking industry being almost powerless to curb it. (Click here for the report)
Among the first question people would ask about Personal Data Protection Act (PDPA) 2010 is “whether or not this Act applies to me?” or, if one could answer it in affirmative, “in what why the Act implicates me?”
The PDPA 2010 provides for definition of certain entities that would be in one way or another “implicated.” They are (1) Data User; (2) Data Processore and (3) Data Subject. Thus, the PDPA 2010 operates on these classes of person. It is in this frame you can have your answer whether the Act applies to you, or, in what why it implicates you.
Now everyone can “fly”! Yes we know that. But when you fly, will your personal information fly away in the sky? That, not everyone knows. This is the simple question that makes the backdrop of my recent paper, to be presented in Singapore’s International Conference of Social Science and Humanities (ICSSH2011) at the end of this month.
The paper is entitled: “Personal Data “Up in the Air” – A Tale of Two Malaysian Airlines in Dealing with Consumers Online Privacy.” It is a joint effort with one of my former students Ms. Maryam Delpisheh.
We know that uncertainties and concerns surrounding the privacy of personal information in Malaysia in the wake of many data abuse incidents had led to the passing of Personal Data Protection Act (PDPA) 2010. In a market where personal data has long been widely traded and unjustifiably exploited, the coming of this law could resemble the arrival of a long-awaited messiah expected to correct the evils and rectify people’s problem in a very immediate manner.
Yay! I opened my Inbox this morning and I just won another LOTTERY I never participated in! Feeling lucky don’t you? This is what I just received:
PRIZE AWARD NOTIFICATION!!!
We are pleased to inform you of your Email Success in our Computer Balloting made today for winners from the AUSTRALIAN LOTTERY EMAIL AWARD, as part of our Promotional Draws held this month.
This is a Scientific Computer Game in which your Email Address was used. It is a Promotional Program by AUSTRALIAN LOTTERY EMAIL AWARD.It is a Promotional Program that chooses emails world wide to encourage Internet users; therefore you do not require buying Ticket to enter for it. This is an Email Internet Program were winners are randomly selected from all over the world through Computer Draw System and extracted from over 800,000 Email Addresses from Unions, Association and Corporate Bodies listed online.
Below are your Winning Details:
Reference No: 575061725
Batch No: 056490902/188
Ticket No: 07-42-97-66-11-00
Winning Number No: ILP/HW46704/08
Wow. You don’t think I would rush checking for the accuracy or genuineness of this award right? Of course not, because for one simple reason, this kind of message could not deserve even a curiosity let alone excitement. This is obviously a phishing message which is a gateway to identity theft.