In collaboration with Eversheds Harry Elias.
Malaysia will soon be joining the growing number of global jurisdictions that are adding specific data breach notification requirements to companies operating in Malaysia, re-emphasizing the need for multinational companies to have a global regulatory strategy when it comes to privacy and cybersecurity. Indeed, as Malaysia’s Public Consultation Paper No. 1/2018 states: personal data breach “has become a global threat,” and thus multinationals need to have plans in place to accommodate the growing number of global regulations.
In fact, for some companies operating in Malaysia, the requirements as currently drafted may differ from other domestic breach notification requirements, which may cause those companies to adopt a shortest-timeline approach to ensure no regulator in Malaysia is informed later than another (or worse, first hears about a breach in the morning’s paper).
What are the specific requirements?
The Malaysian Personal Data Protection Commissioner (the Commissioner) is currently hearing and reviewing feedback on Public Consultation Paper No. 1/2018, which would add a data breach notification (DBN) requirement to the Malaysian Personal Data Protection Act 2010 (PDPA). The DBN is likely to be implemented by the end of 2018.
The DBN would be similar to the ones already in place under Europe’s General Data Protection Regulation (GDPR) or New York’s Department of Financial Services Cybersecurity Regulation. Once in effect, they will require companies to:
(i) Provide detailed summaries of data breaches, including the type and amount of personal data compromised;
(ii) Implement containment and control measures and outline in detail the measures taken to minimize the impact of the breach;
(iii) Notify the Commissioner within 72 hours of becoming aware of a breach, providing details on the method in which the company is notifying the affected data subjects and the advice it is giving to those subjects; and
(iv) Instill data protection training programs and provide details to the Commissioner about the content of those programs, including whether company employees had received training in the last 24 months.
Who is covered?
The Commissioner indicated that companies required to obtain certificates of registration from the Commissioner will be required to comply with the DBN. Thus, companies operating in the financial, insurance, communication, and healthcare sectors, among others, are likely to be most impacted by this rule.
However, there is some crossover, and certain industries like banking and capital markets are already subject to additional data privacy protection requirements from Malaysian regulators other than the Commissioner. These breach notification rules, as currently drafted, do not necessarily align. In capital markets, for example, the Securities Commission of Malaysia requires capital market entities to report on any breaches the same day of an incident. A similar but two-day notice requirement also exists for banks that fall under the purview of the Central Bank of Malaysia.
Thus far there has been no indication from the Commissioner on the penalties for non-compliance of the DBN. If the DBN is codified into a form of regulations, it will trigger section 143 of the Personal Data Protection Act, whereby non-compliance of the regulations would be an offense and could lead to penalties of up to $60,000 and/or a two-year jail term.
Multinational companies increasingly need to keep track of a ballooning number of breach notification requirements. Keeping abreast of these developments, and incorporating them into cybersecurity and data privacy plans and programs, will help keep a bad day from becoming a tragic year by avoiding failure to meet regulatory requirements.