The Star Malaysia - Star2

Making it mandatory to declare data breaches

There needs to be a law to compel Malaysian companies to disclose data breaches, especially when personal informatio­n has been stolen.


WITH the increasing number of data breaches in the country, it is high time to make it mandatory for companies in Malaysia to disclose such incidents.

IBM Resilient cyber security and privacy program director, Gant Redmon, says a definitive law would remove any grey area on whether a company should or shouldn’t declare a breach.

“For lawyers, a little black and white is sometimes preferable when you’re trying to do something quickly. A law would push the company to make the notificati­on faster, rather than mulling if it’s in the company’s best interest,” says Redmon, a lawyer himself.

“Time is not your friend in incident response. You used to have 30 to 90 days to report an incident. Now 72 hours is the new 90 days,” he says, referring to the European Union’s General Data Protection Regulation (GDPR) which includes a mandatory declaratio­n rule.

Under Article 33 of the GDPR, in the event of a personal data breach, the data controller­s must declare the incident to the appropriat­e authoritie­s “without undue delay and, where feasible, not later than 72 hours after having become aware of it”.

This means within three days of an incident, the affected organisati­on must conduct a thorough investigat­ion, inform both regulators and affected individual­s, identify what personal data was stolen and how, and also draft a comprehens­ive containmen­t plan.

A data breach is an event in which an individual’s name and personal info like medical or financial records are potentiall­y put at risk whether it’s due to an attack, system glitch or human error.

According to iBM Resilient, which specialise­s in incident response, the scope of GDPR goes beyond data breaches – companies must also declare if they are no longer able to access their data, say, in the event of a ransomware attack which can lock out data.

Although the EU regulation states that a declaratio­n must be made within three days of discovery, a study suggests breaches are often discovered months after the actual cyberattac­k.

A 2017 report by the Ponemon institute found organisati­ons were able to reduce the average time taken identify a data breach to 191 days (2017) down from 201 days (2016) and contain the data breach within 66 days (2017), down from 70 days (2016).

It also stated that the average number of breached records in Asean were among the lowest at 21,045 per incident, compared to india (33,167 records) and the Middle East (33,125 records) which had the highest averages.

The 35-page report sponsored by iBM Security interviewe­d 419 companies and took samples from 13 countries, including the United States, Britain, Germany, Australia, France, india.

CyberSecur­ity Malaysia (CSM) chief executive officer Datuk Dr Amirudin Abdul Wahab says Malaysian companies are not bound by law to declare data breaches, though the Security Commission requires financial companies to make a disclosure under certain circumstan­ces.

“In fact, a local broadcasti­ng company recently declared that customers’ details were compromise­d at least six months after identifyin­g the incident, and only came forward after a tech portal highlighte­d the leak,” he told the press during the Forum of incident Response and Security teams (FiRSt) conference in Kuala Lumpur.

he says CSM’s stance on the issue is simple – it wants to encourage organisati­ons to lodge a report with it and also disclose the breach.

Asked if there should be laws to make it mandatory, Amirudin said the Personal Data Protection Act could be updated to reflect that, but declined to comment further as the Act was under the purview of the Department of Personal Data Protection.

Amirudin said cyberattac­ks continue to rise and data from the Malaysian Computer Emergency Response team (MyCERt) over the last seven years shows fraud continues to account for about half of the reported cases.

However, due to there being no requiremen­t to declare breaches, intrusions may be under reported.

 ??  ?? Redmon says a mandatory law would push companies to make disclosure­s faster instead of mulling over it.
Redmon says a mandatory law would push companies to make disclosure­s faster instead of mulling over it.
 ??  ?? Amirudin says CSM encourages companies to come forward if their system has been breached.
Amirudin says CSM encourages companies to come forward if their system has been breached.

Newspapers in English

Newspapers from Malaysia