LETTER | Authorities have duty to probe latest data breach
LETTER | I refer to the article Data leak: RHB launches probe, assures customers data safety.
What is the response to the error in the issuance of e-statements sent via email to a number of customers? This is not the first time. Various other data breaches by organisations in Malaysia have come and gone – buried without any trace or accountability by the organisations that suffered the breaches or caused the unauthorised release.
The people are tired of being taken for granted and have had enough. Organisations in Malaysia appear nonchalant and adopt this attitude that Malaysians will get over it in a matter of time and that we can’t do without them.
Under the Personal Data Protection Act 2010 (PDPA 2010), 'Clause 9 - Security Principle' – imposes a duty on data users to put in place adequate security and indemnity measures to prevent the theft, misuse, unauthorised access, accidental disclosure, alteration or destruction of data under their care and that the data users have taken measures for ensuring the reliability, integrity and competence of personnel having access to the personal data.
'Clause 8 – Disclosure Principle' – prohibits data users from disclosing or making its data available to any third party without the consent of data subjects.
With the passing and the coming into force of the act on Nov 15, 2013, Malaysians thought that their data privacy is safeguarded by the PDPA. Apparently, this is only true on paper.
Personal data as defined in the PDPA is any information collected or processed in connection to a commercial transaction by any equipment operating automatically (e.g., ATM, Computers) that is capable of identifying a person (a.k.a. data subject). The above definition include such information as names, addresses, identification card/passport numbers, email addresses, telephone numbers, as well as banking details.
Until now, consumers have been willing to lend their data or have unknowingly given it away to get convenience or information in return. Data privacy has become one of the defining issues in the past 10 years. Due to the proliferative nature and advances in technology, the data it produces and carries has enmeshed into our lives in ways that we now take for granted, thus raising the stakes for criminal elements to `acquire’ the same `illegally’ in whichever and whatever way possible. If the data are misuse, the economic stakes and social consequences to the country are dire.
The Ministry of Communications and Multimedia has a responsibility under the PDPA Act to initiate an investigation and act if there is any wrongdoing in complying with Clause 8 and 9 of the PDPA. In 2018 and 2019, the authorities did indeed fine seven or eight different parties in total under the PDPA for violation of the act.
As for Bank Negara, it had in a statement in 2000, issued a stern warning to employees of banking institutions to adhere to the secrecy provision under section 97(1) of the Banking and Financial Institutions Act 1989 (Bafia) whereby employees of licensed banking institutions were reminded to maintain the confidentiality of customers’ information.
Section 133(1) of the Financial Service Act (FSA) which replaced Bafia and Section 97 of Bafia similarly stipulates that no person who has access to any document or information relating to the affairs or account of any customer of a financial institution, including the financial institution or any person who is or has been a director, officer or agent of the financial institution, shall disclose to another person such document or information. With that, the duty of secrecy requiring a banker to keep information relating to a customer’s account confidential is statutorily codified in the statute governing bankers.
So is Bank Negara planning to initiate an investigation into the latest incident?
To the bank,
- Was any statement sent to recipients who are not your customers?
- What investigate process and confirmation have been undertaken to verify that no `rogue’ e-mail was unintentionally sent out to non-customers?
- How does the bank assure their customers that the unintended recipients did not share or forward the email they received to some rogue elements who would then use it to scam or hack into the accounts?
- What punitive measures have been taken against those who were found to have breached the secrecy provision?
As the bank is also a listed entity and subject to the Capital Markets Act and thus the supervision of the Securities Commission, has the latter been notified of this breach within the stipulated time frame of 24 hours as specified by SC in their Guidelines on Managing Cyber Risks that was issued in 2016?
Clause 4.16 of the guidelines states that the entity must report to the SC on any detection of a cyber incident that may or has had an impact on the information assets or systems of the entity, on the day of the occurrence of the incident.
Just an apology is not enough. We realise we had enough and we have stopped listening. We believe only in deeds and acts and not in declarations. I believe what I wrote above epitomises the general feelings of almost every of the bank’s customers who are powerless and voiceless in this recent breach.
It is possible that each of them will be living in perpetual fear for the rest of their lives not knowing when their personal data will be used against them by unknown scammers in the future.
The views expressed here are those of the author/contributor and do not necessarily represent the views of Malaysiakini.
RM12.50 / month
- Unlimited access to award-winning journalism
- Comment and share your opinions on all our articles
- Gift interesting stories to your friends
- Tax deductable