Tag: due diligence

Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda

Ransomware

No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

Stopping Data Theft through the Back Door: Shifting the Duty to the Boardroom?

By: Sonny Zulhuda

The following is the abstract of the paper I presented (in a poster) at the recent 7th Asian Law Institute (ASLI) Conference at the International Islamic University Malaysia, 25-26 May 2010.

“In the information economy that relies heavily on the sustainability of information technology and the availability of data for business, data theft is equal to a catastrophe that causes massive losses to organisations. Authorities and technologists have put in place myriad of criminal laws and security tools to address this issue, only to see that the incidents of data theft become more rampant. The complications is because data theft involves a range of security issues, ranging from flawed physical control to a weak personal data management, from a single mistake of people on data processing, to a collective negligence of decision makers in the boardroom.

“In the context of corporation, the idea of holding the management board responsible is now increasingly attractive due to the fact that the victims of data theft would see a better chance of getting compensation. This is a rising trend on the law on data theft where certain duties are imposed on the management board of the companies.

“The law, as appears in some jurisdictions such as the US and the UK, obliges the board to exercise certain level of due diligence in managing data asset in the company. Besides, new laws impose duty on the companies to disclose or quickly notify threat or actual attack of data theft that occurs and potentially affects their clients, partners, customers or anyone who happen to be their data subjects. This paper reckons that in shifting some duties to the companies, the incidents of data theft can be better prevented. It argues that it is a good move for other countries like Malaysia to emulate such legal development.”