Will amending Personal Data Protection Act 2010 fix data leaks?


FOLLOWING the recent claims of data leaks, Lembah Pantai MP Fahmi Fadzil has questioned the status of the proposed amendments to the Personal Data Protection Act (PDPA) 2010, which were first raised by the communications and multimedia minister in February 2020.

Based on publicly available reports, the proposed amendments will widen the act to cover data processors; make it compulsory for data users to report data breaches to the authorities; expand the rights of data subjects; and ease cross-border data transfer processes.

The then communications minister also said the then government was considering tightening personal data protection, as well as expanding existing authority and action on those who illegally obtain or come into possession of leaked data.

However, the proposed amendments do not bring the federal and state governments, which are currently exempted, within the scope of the PDPA.

Yet the series of data leaks claimed in the last few years came from government agencies, their sub-contractors and vendors, or public higher learning institutions.

Whether authorities admit it or not, government agency data leaks are one of the largest threats to Putrajaya. And these agencies are usually unaware of the leaks.

There is no easy answer on how to deal with data leaks, or how to punish the agencies or ministries that have broken the law, to the extent that applicable laws exist in the first place.

Data leaks are not initiated by cybercriminals. They come from overlooked vulnerabilities, and the data can sit unknowingly exposed to the public for years before it is discovered by either cybercriminals or security teams.

Data breaches, on the other hand, are caused by cybercriminals. They are the intended objectives of planned cyberattacks.

Though different in origin, both data leaks and breaches can result in the compromise of sensitive data.

Data leaks usually occur before data breaches and provide cybercriminals with the necessary ammunition to conduct much faster cyberattacks.

A news portal, in a special report in July last year, said it audited 700 government websites under the “gov.my” domain and reported that at least 175 were “not secure”.

Experts warned that this can lead to personal data breaches and other cybersecurity risks.

The websites include but are not limited to different agencies, departments and ministries at federal and state levels, local councils, land offices and hospitals.

Those involved said they will tighten their site security.

The Malaysian Communications and Multimedia Commission said a cybersecurity audit will be conducted on the websites.

The news portal revisited the websites in December last year, five months after the announcement, and found that the security status of 90 websites remained unchanged.

If a news portal can access and uncover the vulnerabilities of 175 of 700 government sites, will amending the Act to include coverage of government agencies and ministries stop data leaks in future?

A consultative paper titled Public Consultation Paper 1/2018: The Implementation of Data Breach Notification was issued, but nothing materialised from it.

The paper sought to introduce a data breach notification regime in which, in the event of a breach, data users are required to notify regulators within 72 hours of becoming aware of the breach and to provide details of the at-risk data, the actions taken or to be taken to mitigate the risks, the notifications made to affected individuals, and the organisation’s data protection training programmes.

Making it compulsory for data users to report data breaches will not fix data leaks; it just sheds some light on it.

Legislators like to pass a data breach notification law as it makes it look like they are doing something about security, when they are not.

Data leaks and breaches are never going to go away. There is no silver bullet.

Government agencies and ministries will continue to screw up our data.

Many people are unaware and continue to remain ignorant of how common modern security threats work.

Even if the proposed amendments are legislated, it will not give Malaysians any extra comfort unless strong anti-data leak/breach bills are legislated that allow the victims to sue the negligent data managers. – June 7, 2022.

* FLK reads The Malaysian Insight.

* This is the opinion of the writer or publication and does not necessarily represent the views of The Malaysian Insight. Article may be edited for brevity and clarity.
