Data Breach a Test to Our Digital Resilience

By: Sonny Zulhuda
DSC_0025
Malaysian public has recently been perturbed by a series of personal data breach one after another. While the investigation is taking place, one can only expect that what has surfaced may only be a tip of an iceberg.
As the country embraces digital economy and aims at a cashless society by 2020, this data security crisis becomes a part of the equation. More digitised information and more synchronised data mean a bigger risk of data breach calamities. As a country, there is no backing out from this equation even though that means we have to learn it hard.
As a consequence, a data breach is not a matter of ‘whether’ but is a matter of ‘when’ it will happen. This requires us to adopt a risk management approach. Failure of managing the risks can be increasingly costly. The problem is, it is too often when we realise there is a data, it may be already too late. The alleged leak and illegal sale of Malaysian telecommunications data are said to have happened years ago. By now, we are already five years too late!
Time is of the essence here. As we start to learn about the breaches that took place, swift actions are warranted. There are few points to consider by all the stakeholders.
Firstly, data users can do the least by keeping the public informed about what is going on.
Even though our PDP law does not oblige data users to notify data subjects about any breach, this is warranted for transparency and trust preservation, and hence their business continuity plan.
Secondly, we should treat this as an issue of national security.
Not only because massive data of the majority of the public is affected, but also because those data come from the telecommunications and financial industries which are deemed among the ten critical national information infrastructures (CNII) as outlined by the Malaysian National Cyber Security Policy (NCSP) 2006. So, data security under this CNII must be given utmost priority. Both public and private sectors must cooperate in dealing with the crises.
Thirdly, it is time to test the mechanism of our law.
These incidents of a personal data breach either maliciously or negligently occurred, will need to be tested against the Personal Data Protection principles enshrined in the Act. The authority needs to speed up the activation of the Personal Data Protection Act (PDPA) 2010 after some “day-nap”. Other agencies need to help in accordance with the statutory powers granted to each of them.

7E3A8212

The year 2017 is notably the beginning of some successful prosecutions under the Act, which is a crucial milestone in itself. On a positive note, we should take this crisis as an opportunity to also prove our legal mechanism. 

On top of that, what we are facing now is something bigger: it is testing our resilience as a nation. The challenge is more than a damage control: it is to deal efficiently with the massive data crisis like what is happening now.

This is not a one-off duty as data security is a process rather than a result. As Vince Lombardi was once famously quoted, it is not so much about how we fall down, but rather on how to raise back. And by “we” I mentioned in this last paragraph, it is you and me and every one of us the individuals to whom the personal data actually belong to.

Advertisements

“Can my lecturer access my personal information?” – And Other Issues of Data Protection at the Higher Learning Institutions 

By: Sonny Zulhuda 

In the past week alone, I spoke about the personal data protection law at two Malaysian public universities; Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).

In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 at the University environment.

IMG_20170319_095449

The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university’s employees, as well as any individuals involved in the data processing.

Continue reading

Rolling-out PDP Compliance Program: Issues & Challenges

By: Sonny Zulhuda

My talk this Thursday, 28th May 2015 in Petaling Jaya. More updates soon…

image

Personal Data Protection Act & Information Assurance – at ISACA Evening Talk

By: Sonny Zulhuda

I will be speaking on the above topic this week (Tuesday, 18th February 2014) to  IT Governance professionals affiliated under the ISACA Chapter Malaysia. I was informed at least one hundred people will be attending.

ISACA Feb 2014This will be my first speech on PDPA after the lapse of 3-month grace period set up by the PDP authority in Malaysia. I can foresee the level of enthusiasm from participants is high.

Details are here: http://www.isaca.org/chapters3/Malaysia/Documents/Talk%20-%20PDPA%20-%20Feb%202014%20FINAL.pdf

Here is the home page for the Chapter: http://www.isaca.org/chapters3/Malaysia/Pages/default.aspx

Beyond Personal, Data and Protection: Keynote Address at ISACA Annual Conference 2013

By: Sonny Zulhuda

ImageIn less than three weeks (since I spoke in GIGS2013 Summit), this Big Data concern had had me involved in more direct and personal way. The Malaysian chapter of the Information Systems Audit and Control Association (ISACA) – yes, you’ve heard about their CISA and CISM professional certification, that’s their product – will hold its annual IT Governance, Assurance and Security Conference on 18-19 June 2013 in Kuala Lumpur, Malaysia.

The massive intersection between the Big Data, security issues, compliance as well as data protection legislation had taken me into the epicenter of the complicated development of IT governance: I will be delivering a keynote address of the event with my paper entitled: Beyond “personal”, “data” and “protection” – How the Data Privacy Law Transforms Business Landscape in Malaysia and Beyond. — wow, that is.. long!

Continue reading

Consumers to take control of their Personal Data

My Intro: The following passages were published by the Star in their Sunday Edition (6th January 2013) at pp 23-24. The article is about what Malaysian consumers should know and do in relation to their personal data. It is based on another interview the journalist had with me. For the benefit of the readers, I reproduce some parts of the article in this page. Should you want to read it in full, check the newspaper’s page HERE.

======================================

“Consumers, take control of your personal data”

The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.

Credit: The Star Online

Credit: The Star Online

EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner. Weeks later, she found herself inundated with phone calls and text messages offering different services and products.

It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?

This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.

Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.

Continue reading

PDP Act Compliance Program – Where to Start?

By: Sonny Zulhuda

success manThis New Year was marked by concerns about complying with the Personal Data Protection (PDP) Act 2010 for Malaysian data users: Bankers, Telco’s, Insurers, Hospitals, Marketers, Airliners, Property Sellers, and many more.

For data users, this is what you may consider:

1. Get to know about the law and its implication to you;

2. Make self-assessment on your current business processes to what extent it complies (or not) with the law;

3. Plan a massive personal-data compliance programme.

For the first one, the shortcut is to attend forum, workshops or training on Personal Data Protection law. There are now few such training in the market. Identify them and get involved. There are few types of training you can consider, according to your needs:

Continue reading

  • December 2017
    M T W T F S S
    « Nov    
     123
    45678910
    11121314151617
    18192021222324
    25262728293031
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,582 other followers