The beginning of the year saw my interview with the Malaysian daily the Borneo Post, published on 1st January 2019. The interview was initiated by my colleagues from the consultancy firm Straits Interactive. The report was entitled “Malaysians increasingly aware of risks with data breach.”
The article opened by noting that Malaysians are now more aware of the risks associated with breaches of their personal data. In fact, in Malaysia we have seen a sharp increase in data privacy civil suits in the local courts over the past five years.
Among the points I highlighted in the interview are the following:
What are the costs of data breaches?
The cost of data breaches can be seen in many areas. In terms of legal liability, companies in breach of the Malaysian PDP Act 2010 can be fined up to RM500,000 for offences such as the unlawful sale or unlawful collection of personal data, as well as the collection of data without the required certificate of registration.
When a data breach occurs, costs are also incurred through technical repairs and loss of reputation. Business can also suffer because of bad publicity.
Civil suits can also be brought against companies, and these can cost businesses a lot of money. Malaysians are becoming increasingly aware of the risks associated with breaches of their personal data, and we have seen a sharp increase in data privacy civil suits in the local Malaysian courts in the past five years.
Are we prepared? Here is what I said:
Unlike companies in the US and Europe, many companies in ASEAN have yet to reach an acceptable level of preparedness. Data protection does not tend to be part of the business culture; however, some industries (banking and finance) are more prepared because of legislation and legal requirements.
To bolster the understanding and preparedness of other industries, we need more public awareness, training and certified professionals in the field of data protection.
What are some of the common concerns?
One major concern in Malaysia is how easily and unnecessarily our MyKad (identity card) details are exposed. Many parties needlessly require the collection or retention of MyKad details before people can start business communication or interactions, enter premises or participate in events. Unfortunately, many people are happy to submit these details, which gives the impression that these practices are approved and not an issue.
Another problem is direct marketing, as well as unsolicited commercial calls, emails and text messages. While it is clear that individuals have the right to refuse direct marketing, it still happens regularly.
What has been prepared?
I highlighted that leading consultants like Straits Interactive play the role of championing a public-private partnership by establishing alliances with academia, industry and the government. This partnership will ensure that Malaysia as a nation moves together and responds to data privacy issues with a common understanding and comprehensive programmes.
Does the European Union GDPR (General Data Protection Regulation) have anything to do with Malaysians?
With the passing and enforcement of the EU General Data Protection Regulation (GDPR) in May 2018, Malaysia needs to gear up for these stronger laws and better enforcement.
The GDPR also applies to companies that interact with European citizens, and this requires short-term training programmes and certifications in the field of data protection.
Collaboration at the regional level is also timely and necessary. We are heading towards that.
Credit for this interview goes to Straits Interactive and the Borneo Post.
Data privacy and data security are two sides of the same coin: inseparable. Despite efforts by experts to explain this, the misunderstanding that they defeat each other is still widespread. At the APAC Cyber Security Summit held on 3rd June 2016 in Kuala Lumpur, attended by more than two hundred regional participants, I made another attempt to explain this: how protecting one’s data privacy can contribute to a larger information security practice. Not coincidentally, one can see it from the other side: in order to afford maximum protection of one’s privacy, efforts must be taken to secure one’s data. Thus, data security is part of a bigger personal data privacy protection. Confused? Don’t be.
The truth is, personal data management includes protecting its confidentiality, integrity and availability. In doing so, one must ensure that the privacy and security of personal data go side by side.
In a report released by PricewaterhouseCoopers (PwC) in 2016 on Personal Data Use Governance – Mitigate Risk while Unlocking Business Value, there is a shift (or, more suitably, an expansion) of the personal data risk landscape from merely a security and regulatory issue to an intersection of ethical, regulatory, litigation, security and service quality issues.
At this conference, I highlighted the latest status and implementation of the Malaysian Personal Data Protection Act 2010 and tried to show how the new regulatory framework reshapes the landscape of information security in Malaysia.
The points can be summarised as follows:
Perspective #1. PDPA 2010 creates data management principles
Perspective #2. PDPA 2010 spells out the duties throughout data lifecycle
Perspective #3. PDPA 2010 identifies data risks
Perspective #4. PDPA 2010 creates new data offences
Perspective #5. PDPA 2010 creates duty of data due diligence
This year’s ISACA Malaysia Conference has been renamed the CyberSecurity, IT Assurance & Governance (CIAG) Conference 2016, held on 30th May 2016 at the Le Méridien hotel, Kuala Lumpur. My friends and colleagues in ISACA Malaysia were kind enough to invite me for the fourth time to their annual national conference. Last year, I was invited to speak about the pros and cons of the Internet of Things (IoT) in the form of a debate, together with a representative from the Malaysian Digital Economy Corporation (MDeC).
In this year’s edition, I sat on a panel discussion to speak about the protection (or assurance) of privacy in cyberspace. With me as panellists were Mr. Retnendran Subramaniam CISA, CRISC (former ISACA Malaysia chairman) and Mr. Victor Lo, Head of Information Security, InfoTech Division, MDeC. The panel was moderated by Mr. Jason Yuen from Ernst & Young Malaysia.
Today I will be speaking at the IT Governance, Assurance and Security Conference 2015, held annually by ISACA Malaysia and the Malaysian National Computer Confederation (MNCC). In the slotted debate panel, I will be speaking about the problems and challenges brought about by the Internet of Things (IoT) vis-à-vis individuals’ privacy. My debate counterpart will be Mr. Hizamuddin from MDeC.
A summary of my points is as follows:
=== IoT vs Privacy ===
1. IoT is conceptually flawed/problematic because it equates humans with other objects (“things”)
* Under EU data protection law, there is a legal rule protecting individuals against automated processing of their data
* IoT, like any other innovation, is wrongly perceived as a technical matter, not really a human affair
* Privacy is a fundamental need; its protection cannot be sidelined, reduced or outsourced to others (including things)
2. Businesses looking for a quick RoI invest only in technical requirements, not in the prerequisite culture
3. The countries that introduced IoT (US, EU, Japan, Korea) are already equipped with strong privacy laws, unlike Malaysia, where the law is still at an initial stage.
In less than three weeks since I spoke at the GIGS2013 Summit, this Big Data concern has involved me in a more direct and personal way. The Malaysian chapter of the Information Systems Audit and Control Association (ISACA) (yes, you’ve heard of their CISA and CISM professional certifications; those are their products) will hold its annual IT Governance, Assurance and Security Conference on 18-19 June 2013 in Kuala Lumpur, Malaysia.
The massive intersection between Big Data, security issues, compliance and data protection legislation has taken me into the epicentre of the complicated development of IT governance: I will be delivering the keynote address of the event with my paper entitled Beyond “personal”, “data” and “protection” – How the Data Privacy Law Transforms the Business Landscape in Malaysia and Beyond. Wow, that is long!
I will be speaking in session 3 of day 2, entitled “Selected Issues in Information Security Law and Data Protection”. More specifically, I will be speaking about the threats of identity theft, spam, data surveillance and cyber-terrorism!
The event is jointly organised by QC Consulting and Universiti Teknologi Malaysia (UTM) Space. Here is a snapshot of the agenda for the second day.
The list of speakers is amazing. I hope I can deliver something new to the audience. Let me know if you’re there too. That is all for now; I will share more when things are done! :)
Back in May ’12, I was invited by the Federation of Public Listed Companies (FPLC) and the Malaysian Institute of Corporate Governance (MICG) to speak at their National Conference on IT Governance, Data Protection and Cyber Security.
I chose to speak about the importance of the Privacy Impact Assessment (PIA) as an implementing tool for complying with the data management rules and obligations under the law. The exact title of my presentation was “Privacy Impact Assessment for a Better Corporate Governance: The New Legal Landscape in Managing Corporate Data Assets.”
In fact, this was the first time I spoke about it. I just felt that people, especially corporate citizens, need to be told in a more practical way why and how they should comply with the laws on personal data management, i.e. the Personal Data Protection Act 2010 as far as Malaysia is concerned.
This is my latest paper, which I recently presented at the 1st International Conference on International Relations and Development (ICIRD), organised by a consortium of top Thai universities and held on the beautiful campus of Thammasat University, Bangkok, Thailand.
This paper investigates the need for governments globally, and especially Malaysia, to relook at and redefine the concept of national security amid changing circumstances, especially in relation to the country’s increased reliance on information and communications technology (ICT).
The challenge is that the more a governance system is exposed to the Internet and ICT, the bigger the risks it faces. When the security of the system is not reliable enough to secure it, information assets are at stake and the country’s critical information infrastructure (such as defence, communications, energy and medical systems) becomes a loophole that undermines national security.
Understanding data protection principles is crucial to (re)formulating business processes. For companies and organisations that in any way use or exploit the personal data of their employees, customers (actual and potential) and business partners, a series of actions needs to be taken to comply with the legal regime on data protection.
In Malaysia, this is a particular cause for concern nowadays, as the new law on personal data protection clearly requires data users to take certain actions.
Laid out in the main body of the law are the data protection principles from which all the rights, duties and liabilities of data users and data subjects stem. (Note: a ‘data user’ is one who uses, collects, processes, etc. personal data belonging to certain individuals; those individuals are called ‘data subjects’.)
Above is the title of my paper that has been approved for presentation at the International Symposium on Social Management Systems (SSMS 2010) to be held in March this year in Kochi, Japan. The abstract reads as follows:
The increasing reliance of critical infrastructures (such as those operating the national communications, energy, transport and defence systems) on a computerised and networked environment imposes an enormous security task on both their operators and users. The fact that an attack on critical infrastructure is not merely an ordinary criminal matter but rather an issue of national security makes it more urgent for policy-makers to come up with policies or laws addressing various issues, ranging from information sharing to public-private cooperation, from technical solutions to security procedures, and from public awareness to law enforcement.
Looking at the scope it covers and the role it plays, the law on critical information infrastructure is so critical not only because it is part of national security measures, but also because the law may well determine the level of national readiness for attracting global investment. This is true because major business processes are now dependent on secure information technology tools and networks. The biggest task ahead for policy-makers is therefore to prepare the best legal framework to protect the country’s critical information infrastructure and, at the least, to manage and minimise the security risks that surround a networked environment.
This paper hypothesises that security risk management of critical information infrastructure cannot be effectively sustained without a comprehensive framework consisting of, among other things, good policies and a legal framework. In Malaysia, the legal framework on CII can be found in several pieces of legislation. This paper discusses the role of the law, especially on the restriction of access to and movement within the perimeters of CII, as well as the law on computer and network security.
KEYWORDS: critical information infrastructure, legal framework