BY ELLEN HAYS
Recent data breaches in Malaysia have made for dramatic news headlines. But what exactly is a data breach? And how can they affect your life?
Data breaches may seem like a remote, technological issue that is irrelevant to our everyday lives. You may be surprised to learn that data breaches are an important human rights issue that can touch upon the lives of everyone.
What is a data breach?
A data breach is an incident in which confidential information is released without the authorisation of the people it concerns. Victims may have had personal information such as their credit card details, medical records, date of birth or MyKad number exposed.
Data breaches happen when cybercriminals or hackers take advantage of weaknesses in an organisation's security to gain unauthorised access to data. They can sell this data for financial gain or use it to hold victims to ransom.
Data breaches can also be caused by irresponsible companies or individuals selling personal data to which they have access. Personal data is now treated as a commodity: there is demand for it, and therefore a value to be exploited.
Many victims of data breaches will not experience any harm beyond the discomfort of having their personal information shared without their consent. However, data breaches expose victims to a number of serious risks, including identity theft, phishing and unauthorised use of their bank accounts.
In an age where we take part in digital transactions every day, the potential consequences of data breaches are troubling. If no action is taken to stop cybercriminals, we can only expect the frequency and scale of their attacks to keep rising.
The legal framework
First and foremost, data breaches contravene the human right to privacy. According to Article 12 of the Universal Declaration of Human Rights, ‘no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.’
Malaysians’ right to privacy is protected under the Personal Data Protection Act 2010, which provides that any person found guilty of unlawfully collecting, disclosing or selling personal data can be fined up to RM500,000, jailed for up to three years, or both. Article 5 of the Federal Constitution, which protects personal liberty, has also been interpreted by the courts as including a right to privacy.
Despite these legal protections, data breaches continue to take place and cybercriminals continue to elude the authorities.
In October 2017, technology news site Lowyat.net reported that the data of 46.2 million mobile phone users had been compromised in a data breach from 2014. This data included phone numbers, customers’ personal details and addresses. It also included personal data from medical associations and a jobs portal.
More recently, in January 2018, Lowyat reported a data breach from 2016 involving the details of 220,000 organ donors and their next of kin. This data included names, identification card numbers, race, nationality, addresses and phone numbers.
Although the Malaysian Communications and Multimedia Commission (MCMC) and the police are investigating the source of these leaks, those responsible have not yet been caught. The gravity of these leaks raises questions as to the effectiveness of the data protection framework in Malaysia.
What should be done to ensure better protection of the rights of Malaysians?
1. Update the Personal Data Protection Act 2010
A key weakness in the Personal Data Protection Act is that it exempts governments from responsibility for any leaks of personal data that they collect. This is troubling because governments hold vast amounts of personal data. Governments are also likely to have access to the most advanced cybersecurity resources, so there is little excuse for lax data protection. In a recent statement, HAKAM and other organisations called for the legislation to be amended so that governments can be held to account for data breaches.
Another failure of the legislative framework is that it gives organisations little guidance on what they must do in the event of a data breach. To improve this, Malaysia could draw on measures already in force abroad. For example, most states in the United States have laws that require companies to notify the people affected by a data breach, and the European Union's General Data Protection Regulation, applying from May 2018, requires organisations to notify the regulator within 72 hours of becoming aware of a breach and to inform the affected individuals where the risk to them is high.
2. Civil legal action
Civil legal action is a potential pathway to holding government agencies responsible for data breaches to account. PKR communications director Fahmi Fadzil recently filed a civil suit against MCMC and Nuemera for failing to protect the data involved in the 2014 breach.
“The massive data breach questions the fidelity and integrity of the safety mechanism in place to protect our personal data and those who are responsible for it,” he said.
He also noted the apparent confusion in the government’s priorities when it comes to cybersecurity: “Take responsibility, because it seems that they are very proactive when it comes to people who post on Facebook, but this is a mega scandal. We haven’t lost so much data before.”
Fadzil hopes the judicial process will require the authorities responsible for data protection to explain themselves to the public.
3. Investigate the leaks
HAKAM and other organisations are calling for the recent data leaks to be thoroughly and transparently investigated by the authorities. The Personal Data Protection Act should be enforced and those responsible for the leaks should be prosecuted for their wrongdoing. This would send a strong message to would-be cybercriminals that they cannot get away with abusing the rights of the public.
4. Greater investment
Malaysia, like other ASEAN countries, lags behind the rest of the world in its financial investment in cybersecurity. ASEAN countries spend only 0.06% of their GDP on cybersecurity, less than half the global average. Spending at that level makes it unlikely that up-to-date security measures are in place across government and industry, leaving the public more exposed to attacks.
As digital technology continues to evolve, cybersecurity measures must keep up. According to experts, new technology such as cloud-based systems brings new risks, and traditional security tools may offer inadequate protection. Investment is required to ensure that the latest data protection tools are in place.
5. Policies in government agencies
Improving cybersecurity policies and standards in government agencies would help to protect the personal data they handle. In particular, staff should receive training on data protection, including keeping passwords secure and not clicking on suspicious links or files.
According to expert reports, many breaches are a result of employee negligence or human error, so implementing this change could significantly improve cybersecurity.
6. Improve public access to information
In order for the public to protect themselves against cyber-attacks, they must be able to check whether their personal data has been compromised. For example, a website could be introduced that allows individuals to check whether their personal data was exposed in recent leaks. Such a service must be designed with care, however: if it simply confirms whether a submitted MyKad or phone number appears in a leak, it becomes a second copy of the leaked data that anyone can query, and it should never require users to hand over the very identifiers they are worried about.
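The following is an added illustration of how such a lookup service can be built so that it does not itself become a leak. It is example code written for this page, not software from HAKAM, MCMC or any of the organisations mentioned in the article. It assumes the leaked identifiers are phone numbers, that the service stores only SHA-256 hashes of them, and that clients send only the first few characters of their own hash (a range query), so the server never sees the full identifier being checked. The sample "leaked" numbers are made up for the example.

```python
import hashlib
import re

# Constructed sample: pretend these phone numbers appeared in a leak.
# They are invented for this example and are not real leaked records.
LEAKED_SAMPLE = ["0123456789", "0198765432", "0111222333", "0167788990"]

# Number of hex characters of the hash the client reveals to the server.
# A real service sizes this so every bucket holds many records (for a
# 46-million-row index, 5 hex characters gives roughly 44 hashes per bucket);
# 3 is used here only because the sample index is tiny.
PREFIX_LEN = 3


def normalise(identifier: str) -> str:
    """Strip spaces, dashes and other punctuation so that the same number
    always hashes the same way regardless of how the user typed it."""
    return re.sub(r"[^0-9A-Za-z]", "", identifier).upper()


def hash_identifier(identifier: str) -> str:
    """Hex SHA-256 of the normalised identifier (upper-case for comparison)."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest().upper()


def build_index(leaked):
    """Server side: keep only hashes of the leaked identifiers, never the raw
    values, so a compromise of the lookup service exposes nothing new."""
    return {hash_identifier(x) for x in leaked}


def range_query(index, prefix):
    """Server side: given a short hash prefix, return the suffixes of every
    indexed hash that starts with it. The server learns only the prefix and
    cannot tell which suffix (if any) the client was interested in."""
    if len(prefix) != PREFIX_LEN or not re.fullmatch(r"[0-9A-F]+", prefix):
        raise ValueError("prefix must be exactly %d upper-case hex characters" % PREFIX_LEN)
    return sorted(h[PREFIX_LEN:] for h in index if h.startswith(prefix))


def is_compromised(identifier, query):
    """Client side: hash locally, send only the prefix, and compare the
    returned suffixes locally. `query` stands in for the network call."""
    digest = hash_identifier(identifier)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in query(prefix)


if __name__ == "__main__":
    index = build_index(LEAKED_SAMPLE)
    server = lambda prefix: range_query(index, prefix)
    for number in ["012-345 6789", "0100000000"]:
        status = "compromised" if is_compromised(number, server) else "not found"
        print(number, "->", status)
```

Two caveats a practitioner would add. First, hashing does not make low-entropy identifiers safe to publish: a full list of hashed phone numbers or MyKad numbers can be reversed offline by hashing every possible value, so the server must answer only prefix queries and must not publish the whole index. Second, the service should rate-limit queries per client, because an attacker who can issue unlimited range queries can still walk the index bucket by bucket.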
It would also be helpful to provide the public with better information about data breaches. This should be done in an easily accessible way, such as educative videos or social media campaigns.
Although data breaches may seem like an abstract and intangible threat, they nonetheless have the potential to wreak havoc on victims’ lives. The risk posed by cybercrime is real and immediate action must be taken to prevent further violations of privacy rights.
Ellen Hays is a Monash University student completing her internship with HAKAM