This article first appeared in Free Malaysia Today, on October 8, 2019 10:00am.
By Joel Shasitiran, Free Malaysia Today on October 8, 2019 10:00 +08

“Shanthi Kandiah said currently, the Malaysian Communications and Multimedia Commission (MCMC) and the Personal Data Protection Commission (PDPC) are not legally empowered to pursue a case.

She told FMT that cyber-security cases are treated like any other criminal case, with prosecution powers in the hands of the Attorney-General’s Chambers. This means that building a case against cyber-criminals will take more time and effort.

“The burden of proof is a little bit higher, so the threshold of bringing people to task is also higher because of the nature of the liability,” the lawyer told FMT. She said getting to the root of a data breach is no easy task. Under the Personal Data Protection Act, she said, the responsibility falls on data users such as companies and not third-party data processors such as cloud service providers. She said if MCMC and PDPC had powers to impose fines, they could act quickly and bring companies that are negligent in data security to task.

“Giving the agencies such powers would send the message more quickly,” she added.

In the EU, Shanthi said, companies neglecting data security could be hauled up under the Global Data Protection Regulation, a personal data protection law applied in all EU countries.

“It’s an administrative action where agencies themselves can levy fines,” she said, citing as an example a US$123 million fine imposed on the Marriott group for failing to notify customers that their data had been breached.”
