Govt must take lead in regulating privacy as repercussions of breach have impact on individuals, organisations: Expert

PETALING JAYA: An expert has called on the government to undertake a cybersecurity audit each time personal data leaks are discovered in one of its IT systems.

Murugason R. Thangaratnam, who is a cybersecurity company CEO, said last year was the worst ever for online privacy leaks in Malaysia, with several cases of data breaches at various government agencies.

He said in December alone, the Sabah government’s official website was hacked, compromising 109 files involving state agencies.

This was followed by the official Halal Portal of Malaysia which was hacked and disabled temporarily, while the Social Security Organisation confirmed a cyber attack on its systems, database and website in the same month, even though it regained control without any serious data leaks.

Murugason said it is difficult to assess the safety of systems owned by the government or private organisations because of the lack of accountability and transparency that currently exists.

“When a data breach is discovered, most government agencies and private organisations deny it outright.

“When the breach is finally and reluctantly acknowledged, the parties held responsible will only provide a nonchalant mention without being fined or shamed due to their negligence,” he said.

Murugason said their negligence is due mainly to the lack of proper cybercrime legislation and an obsolete Personal Data Protection Act (PDPA).

When it comes to the consequences of data breach, he said the repercussions can be far-reaching and deeply impactful to individuals and organisations.

He said the breaches or data leaks have evolved from mere cyber security issues to direct financial losses, reputational damage, legal troubles, regulatory fines in many countries, erosion of public trust and even crippling of businesses.

Unfortunately, the worrying increase in data breaches in Malaysia has not been correlated with any increase in organisational preparedness.

“Many organisations fail to implement basic security measures to prevent a cyber attack,” he said, adding that in the event of a breach, most do not even have a plan or playbook to accept, address, mitigate and recover from it with minimal impact to their operations.

Murugason said it is important to have data protection laws to ensure everyone’s data is used properly and fairly.

He said organisations collect and store personal data about their customers and clients such as names, addresses and contact details. Such data are required to deliver goods or services, provide consultation and improve customer experience.

“However, they may also have access to sensitive information such as medical and income-related data. Organisations having such data need to be responsible, accountable, and ensure they are not exploited beyond the terms and conditions of use.”

Murugason said the government must take the lead in regulating data privacy and cyber security from all aspects.

He said the Cyber Security Act and the amended PDPA are to be tabled in Parliament. “We should get more clarity and accountability when these two legislations come into force.”

Meanwhile, he said by practising proper cyber hygiene and additional security measures, one can learn how to protect privacy, fend off identity thieves and hackers, and regain control of personal data.

“Choose a secure storage method, whereby you store personal data in a secure location, such as an encrypted database, a password-protected file, or a secure cloud storage service.

“Perform updates, make regular backups of your data, and store them in a secure location to ensure that you can recover them in case of loss or files getting corrupt.

“Only give access to personal data to those who need it for legitimate business purposes, and always keep track of where it ends up and who has accessed it.”
