Are Malaysia’s data protection laws not strong enough?

For most governments, data protection is essential in safeguarding their citizens and also ensuring the information does not fall into the wrong hands. However, many countries around the world still struggle in implementing and enforcing proper data protection for their citizens.

In Malaysia, there are several bodies that oversee the use of data, including how it is stored and protected. While Malaysia has laws such as the Personal Data Protection Act 2010, a recent report by The Star highlighted that the Personal Data Protection Department (PDPD), an agency under the government’s Communications and Multimedia Ministry, is not living up to its purpose.

Quoting a source, the report said the agency had failed many times to exercise its powers to curb data leaks. That is not surprising given the number of data breaches, including those involving highly sensitive data, reported in the country in recent times.

More recently, another report stated that the data of Malaysians is now being sold openly on a website. According to the report, the website allowed a person to be looked up by details such as name, address, phone number, identity card number, military ID, or date of birth. While the website has since been taken down, questions are again being raised about how this could have occurred in the first place.

Just to point out, Malaysia has CyberSecurity Malaysia, which, according to its website, is committed to providing a broad range of cybersecurity innovation-led services, programs, and initiatives to reduce the vulnerability of digital systems and strengthen Malaysia’s self-reliance in cyberspace. However, the agency states that it does not oversee data breaches.

And then there is the National Cyber Security Agency (NACSA). It was officially established in February 2017 as the national lead agency for cyber security matters, with the objective of securing and strengthening Malaysia’s resilience against cyber-attacks by co-ordinating and consolidating the nation’s best experts and resources in the field of cyber security.

So when a data breach happens and it impacts the data protection of Malaysians, who is really responsible for handling the situation?

In fact, in 2022 alone, Malaysia has witnessed several concerning data breaches involving its citizens’ data. Among the recent ones is a data leak in which 160Gb of data containing the personal details of 22 million Malaysians, taken from the National Registration Department, was sold on the dark web.

Interestingly, when it comes to financial data, Bank Negara, the central bank of Malaysia, has released an advisory requiring all licensed banks to adopt high standards of security, particularly for internet and mobile banking services.

“Bank Negara Malaysia has been collaborating with Polis Diraja Malaysia (PDRM), Malaysian Communications and Multimedia Commission (MCMC), and the financial industry to coordinate efforts in combating financial fraud and scams, and create greater public awareness of new fraud tactics. In addition to ensuring more effective preventive measures by financial institutions against new modus operandi, these efforts will also support the recovery of embezzled funds as well as timely and effective investigations by the relevant law enforcement agencies,” stated the advisory.

Currently, Bank Negara enforces the Risk Management in Technology (RMiT) policy, under which financial institutions are required to properly manage their cyber-risk exposure. This includes establishing the necessary risk frameworks, governance structures, policies, and procedures, given the increasing adoption of modern technologies.

Despite this, some local banks have experienced an increase in fraud cases. One local bank even wrongly deposited funds into customers’ accounts and has now been ordered to enter its defence over its banking errors.

The reality, though, is that the party actually responsible for ensuring data is protected is the organization itself. While these government agencies and bodies oversee how data protection is implemented and take action to deal with data breaches, it is up to the organization to protect its users’ data.

For example, the National Registration Department should be responsible for how it protects the data it collects. A bank is responsible for keeping its customers’ data safe, even if a fraud is caused by the customer. Banks have invested heavily in adopting new technologies to provide better services and have been doing the same to reduce fraud.

At the end of the day, it is not about passing the blame over who should be responsible for solving the problem. The best way to deal with a breach is to avoid it in the first place.