Sunday December 30, 2012
Protecting your data
I REFER to the report “Personal Data Protection Act to come into force Jan 1” (The Star Online, Dec 12).
Symantec Corporation welcomes the enforcement of Malaysia’s Personal Data Protection Act.
In today’s digital economy, personal data of consumers has become a rich source of information and data for businesses seeking to address the needs of their customers better, whether this is in the form of better targeted advertising, or services tailored to the needs of particular customers.
With the introduction of the Act, Malaysia recognises that as the custodian of so much customer data, companies and organisations also have a responsibility to their customers to ensure that the information they hold is accurate, and adequately protected.
While global multinationals have had a lot of experience in this area, due to similar legislation in the United States and Europe, for many of the local smaller enterprises in Malaysia, this is a new frontier.
With the rapid adoption of IT technology to improve the customer experience, through web portals or affinity and membership programmes, these enterprises have also collected a lot of personal data of their customers, and today share similar responsibilities under the Act.
Small and Medium Businesses (SMBs) are an important part of Malaysia’s economy as they constitute 99.2% of the total business establishments, contribute about 32% of Gross Domestic Product (GDP) and 59% of total employment.
SMBs are also a crucial part of the ecosystems as partners of multi-national corporations (MNCs) as they do business in Malaysia.
However, it is also increasingly apparent that MNCs see a risk in doing business with partners who are not able to protect the sensitive data being shared with them.
In 2011, 18% of all targeted cyber attacks globally were on enterprises with 250 employees or less. In the first half of this year, Symantec saw this percentage double to 36%.
Cybercriminals recognise that because of the lower security posture of SMBs, they are much easier targets, who would also have information (their own or partners’ customer data, or Intellectual Property) which can be stolen and monetised.
In addition, compromised systems of SMBs are also used as stepping stones into the systems of their business partners.
It is thus important that SMBs recognise the exposure they have to cyber attacks, and the possible damage to their companies, through loss of reputation, business, and even legal censure, in the case where cybercriminals are able to steal data from inadequately protected systems.
In the more than two years since the enactment of the Act in Malaysia, the cybersecurity threat landscape has increased in complexity and scale. News of large-scale breaches of companies’ databases has been a constant and even the largest and best protected systems have not been spared.
It is thus timely for the Government to also consider the introduction of mandatory breach notification within the Act.
This would be in line with many other jurisdictions which have either implemented such legislation or are in the process of doing so.
Mandatory breach notification is an important part of any data protection legislation as it gives a definitive course of action to companies of what must be done in the case of a data breach.
By informing affected stakeholders, this also gives them the opportunity to take the required remedial actions (such as changing passwords, or having their financial institutions change their credit card numbers) to mitigate the consequences of the breach.
While it is recognised that this may increase the regulatory overheads of the Act, and represent an increased burden on companies, the resulting improved consumer confidence in the data protection regime as well as e-commerce can only be helpful to Malaysia, as it moves towards developing its own digital economy.
NG KAI KOON