Data Breach a Test to Our Digital Resilience

By: Sonny Zulhuda
DSC_0025
Malaysian public has recently been perturbed by a series of personal data breach one after another. While the investigation is taking place, one can only expect that what has surfaced may only be a tip of an iceberg.
As the country embraces digital economy and aims at a cashless society by 2020, this data security crisis becomes a part of the equation. More digitised information and more synchronised data mean a bigger risk of data breach calamities. As a country, there is no backing out from this equation even though that means we have to learn it hard.
As a consequence, a data breach is not a matter of ‘whether’ but is a matter of ‘when’ it will happen. This requires us to adopt a risk management approach. Failure of managing the risks can be increasingly costly. The problem is, it is too often when we realise there is a data, it may be already too late. The alleged leak and illegal sale of Malaysian telecommunications data are said to have happened years ago. By now, we are already five years too late!
Time is of the essence here. As we start to learn about the breaches that took place, swift actions are warranted. There are few points to consider by all the stakeholders.
Firstly, data users can do the least by keeping the public informed about what is going on.
Even though our PDP law does not oblige data users to notify data subjects about any breach, this is warranted for transparency and trust preservation, and hence their business continuity plan.
Secondly, we should treat this as an issue of national security.
Not only because massive data of the majority of the public is affected, but also because those data come from the telecommunications and financial industries which are deemed among the ten critical national information infrastructures (CNII) as outlined by the Malaysian National Cyber Security Policy (NCSP) 2006. So, data security under this CNII must be given utmost priority. Both public and private sectors must cooperate in dealing with the crises.
Thirdly, it is time to test the mechanism of our law.
These incidents of a personal data breach either maliciously or negligently occurred, will need to be tested against the Personal Data Protection principles enshrined in the Act. The authority needs to speed up the activation of the Personal Data Protection Act (PDPA) 2010 after some “day-nap”. Other agencies need to help in accordance with the statutory powers granted to each of them.

7E3A8212

The year 2017 is notably the beginning of some successful prosecutions under the Act, which is a crucial milestone in itself. On a positive note, we should take this crisis as an opportunity to also prove our legal mechanism. 

On top of that, what we are facing now is something bigger: it is testing our resilience as a nation. The challenge is more than a damage control: it is to deal efficiently with the massive data crisis like what is happening now.

This is not a one-off duty as data security is a process rather than a result. As Vince Lombardi was once famously quoted, it is not so much about how we fall down, but rather on how to raise back. And by “we” I mentioned in this last paragraph, it is you and me and every one of us the individuals to whom the personal data actually belong to.

Advertisements

Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda

Ransomware

No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

Social Media Policy and Regulation: A Network Governance Perspective

By: Sonny Zulhuda

The above is the name of the event in Tsinghua University, Beijing, on December 3-4, 2016, where I came as a speaker to the audience consisted of law, media and Internet governance academia and practitioners. Both Beijing-based School of Journalism and Communication of Tsinghua University and the School of Communication of Hong Kong Baptist University (HKBU) jointly organised this event.

The invitation came to me through Dr. Yik Chan Chin of the HKBU, who is with me at the Global Internet Governance Academic Network (GigaNet). Upon few exchanges of emails, I was then invited to come and present my views on the social media regulations in the Malaysian perspective. I must say that the event was really a rewarding experience; filled with substantial discussions, new perspectives and, of course, new friends and network!

IMG_3014

This can be highlighted from the list of the speakers of the two-day workshop: Continue reading

Open Government and Cyber Security in Malaysia

By: Sonny Zulhuda

Open government is the notion that allows transparency of governments in running matters pertinent to public interests. According to that concept, the government shall allow its citizens an access to government documents and a right to obtaining information relating to public matters.

In Malaysia recently, the Open Government initiative was represented in the Public Sector Open Data Portal programme which was launched in September 2015 by MAMPU, a Unit under the Prime Minister’s Department. It declares that the aim of such initiative is to open and share government data to public and hence to enhance transparency and efficiency of government and to create a digital innovativeness.

 

With this background, the question of how the Government deals with the increasing demand of freedom of information and other challenges ranging from personal data to the government data security is worth examining. I was invited to talk about this at an international conference hosted by Sydney Cyber Security Network, the University of Sydney, Australia. In my presentation, I highlighted a recent initiative of open data in Malaysian public sector and the related challenges on data security, privacy and information surveillance.

I was also looking at the recent developments in Malaysia relating to the enactment of personal data protection law and recent policies relating to critical infrastructure protection. Lessons from cases and incidents surrounding information security and personal data breaches were discussed to trigger discussions on relevant solutions and best practice.

Among the key summary of my talk in Sydney was as following:

  • Open Government is underway, but more economically-motivated and narrowly looked at “open data”. A long way to the “open government”.
  • Cyber security governance enhances the security of data in the Malaysian cyberspace. However:
  • There is a striking imbalance in the legal framework between the protection of secret on one hand, and the freedom of information on the other.
  • The data privacy law boosts the transparency in the private & commercial sector, but it is a missed opportunity for an open government.
  • The open government initiative needs to be supported as national agenda, to be backed by a stronger law and national policy.

Cyber Security in the Era of Open Government: A note from the University of Sydney

By: Sonny Zulhuda

I was honored to be invited by the University of Sydney to talk about this on November 2016. The event, called “Cyber Security in the Era of Open Government”, sought to identify innovative solutions for improving the security of open government services and their users. 



Several keynoters were invited to provide for the best practices from the public and private sectors, both locally and internationally on issues surrounding the cyber security challenges associated with increasing citizens’ access to government data. The preview of the program can be traced in the USyd’s website page here.

The conference was split up into 3 thematic panels:

1. Open Government and Cyber Security in Australia. Three renowned personalities from Australian regulators spoke, namely Tim Pilgrim (Acting Australian Information Commissioner and Australian Privacy Commissioner); Elizabeth Tydd, (NSW Information Commissioner and Head of the Information and Privacy Commission); and Rolf Green, who was the Director of Information, ICT and Digital Government Division, Australian Department of Finance, Services and Innovation.

2. Open Government from Global Perspectives. In this session, I spoke alongside with an American Charles Bell, CEO of Startup Policy Lab (SPL); Dr. Janet Xu, Associate Researcher of the University of Oxford; and the Canadian Dr Khaled El Emam, himself a Professor at the University of Ottawa. I also like to note that this session was chaired by my friend Dr Adam Molnar, a lecturer in criminology at the Deakin University, Victoria, Australia.

3. Privacy, Surveillance and Government Services. This afternoon session presented a speakers from a diverse background, namely Dr. Elizabeth Coombs, NSW Privacy Commissioner; Professor Fleur Johns, Associate Dean (Research) UNSW; Bernard Keane, Crikey’s political editor.

Information Governance and Dark Data Management

By: Sonny Zulhuda

Next week on 7th July 2015. Carlton Hotel, Singapore. The event’s name is Innoxcell Asia Symposium 2015 on Legal Risk, Compliance, e-Discovery, Financial Crime, Corporate Governance and Data Privacy.

I will be speaking on one compelling issue concerning the information governance, namely dark data management.

Dark Data (credit: http://www.cio.in)

Dark Data (credit: http://www.cio.in)

Techopedia defines “dark data” as “a type of unstructured, untagged and untapped data that is found in data repositories and has not been analyzed or processed. It is similar to big data but differs in how it is mostly neglected by business and IT administrators in terms of its value.”

Dark data is operational data that is not being used. Consulting and market research company Gartner Inc. describes dark data as “information assets that organizations collect, process and store in the course of their regular business activity, but generally fail to use for other purposes.” (Citation from TechTarget).

It was reported in Forbes that these class of data, similar to dark matter in physics, cannot be seen directly, yet it is the bulk of the organizational universe.

The background of this talk is the fact that the amount of operational information —both structured and unstructured— that companies create and store are drastically increasing due to digitisation and mobility. Dark data management emerged as another challenge for corporate information governance. Under the increasing pressure from new regulatory regime and consumer expectation, corporate data must be well managed if companies wish to survive in today’s information age.

In this session I will explore the nature of corporate information legal risks in the context the Big Data and offers insights on information governance to transform data from a liability into an asset.

For more on the event: Innoxcell Asia Symposium 2015 on Legal Risk, Compliance, e-Discovery, Financial Crime, Corporate Governance and Data Privacy. Will be speaking alongside prominent international speakers, who can be retrieved from here.

Speaking at the Global Information Governance Summit (GIGS 2013)

By: Sonny Zulhuda

ImageThis is just to share of my upcoming presentation at the Global Information Governance Summit (GIGS 2013) that is held in Kuala Lumpur, 28th-29th of May 2013.

I will be speaking in the session 3 of day 2, entitled “Selected Issues in Information Security Law and Data Protection”. I will be speaking more specifically about the threat of identity theft; spam; data surveillance and cyber-terrorism!

The event is jointly organised by the QC Consulting and Universiti Teknologi Malaysia (UTM) Space. Here is the snapshot of the agenda at the second day.

 

Image

The list of the speakers are amazing. I hope I can deliver something new to the audience. Let me know if you’re there too. That is for now, will share more when things are done!:)

  • December 2017
    M T W T F S S
    « Nov    
     123
    45678910
    11121314151617
    18192021222324
    25262728293031
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,582 other followers