Cyber Security in Malaysia

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority?

There are a number of criminal offences, under the Computer Crimes Act 1997, relating to unauthorised access to electronic data, and these carry prison sentences. The severity of the offence turns on the intention of the perpetrator in accessing and using the data: if the data is accessed with intent to commit a further offence involving fraud or dishonesty, the punishment is more severe. Persons who aid, abet, counsel or procure someone to commit such an offence also commit a criminal offence.

In addition, under the Malaysian Personal Data Protection Act 2010 (PDPA), which came into force in late 2013, the collection or disclosure of personal data held by a data user, without the consent of that data user, is a criminal offence punishable by a monetary fine and/or imprisonment.

In terms of civil actions, if the data accessed is confidential, claims may also be available in contract (where there is a contractual obligation to keep the data confidential, which is commonplace in employment and business contracts) or in equity for breach of confidence (where the confidential information was improperly obtained, or was imparted in circumstances requiring that it not be divulged). If a person is asked to store data which they know to have been obtained improperly, a claim for breach of confidence may also lie against that person. The PDPA itself does not provide data users or data subjects with civil remedies.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you find out information about who may have accessed your data without authority and/or how it was used?

If the identity of the person(s) who committed the data breach, or who are storing or have at some point stored the data, is known, the matter may be referred to the police and/or civil proceedings may be commenced. Two civil processes may be appropriate depending on the circumstances: a search and seizure order and/or preliminary discovery. An Anton Piller order is available where there is a grave danger that the defendant will dispose of or destroy incriminating evidence in its possession or control before trial, and the continued existence of that evidence is necessary for the plaintiff’s case. The order is usually made ex parte and enables the plaintiff and/or its representatives to enter the defendant’s premises to search for, inspect and seize or copy materials so that they are preserved until trial. The Malaysian Courts also have a discretion to order discovery of documents before trial, but such an order is granted only in rare or exceptional circumstances. If civil proceedings for breach of confidentiality obligations are brought and ultimately succeed, the orders made may include delivery up of the data accessed, damages or an account of profits.

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?

Yes. Parties are under a general obligation to use documents obtained in proceedings only for the purposes of the proceedings in which they were produced.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

Generally, no: every document filed in the Malaysian Courts can be accessed by the public through a file search at the relevant Court. Documents containing matters confidential to a party, and not otherwise privileged, must be disclosed, but the Court may order a controlled method of disclosure to protect confidentiality.

If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?

Yes, provided the issues and/or matters in the proceedings have not been conclusively determined. Difficulties could arise if proceedings are conducted concurrently in two jurisdictions on the same subject matter.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes. The Security Principle of the PDPA requires that a data user shall take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction by having regard to:

  • the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction;
  • the place or location where the personal data is stored;
  • any security measures incorporated into any equipment in which the personal data is stored;
  • the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
  • the measures taken for ensuring the secure transfer of the personal data.

The Personal Data Protection Regulations 2013 (Regulations) elaborate on the Security Principle: a “data user shall develop and implement a security policy which complies with the security standards as set out from time to time by the Commissioner”. At present, no such security standards have been issued. Based on feedback from the Malaysian Personal Data Protection Department (Regulator), implementation of, and adherence to, the Security Principle is currently self-regulatory in nature: it is left to the data user to determine how it develops and implements its security policy and ensures the security of the personal data it processes.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

The PDPA provides that personal data shall not be transferred outside Malaysia unless to a place specified by the Minister. The Minister has not yet specified any such places. The PDPA does, however, set out circumstances (Exceptions) in which personal data may nonetheless be transferred outside Malaysia. The Exceptions are as follows:

  • The data subject has given his or her consent to the transfer;
  • The transfer is necessary for the performance of a contract between the data subject and data user;
  • The transfer is necessary for the conclusion or performance of a contract between the data user and a third party which (i) is entered into at the request of the data subject; or (ii) is in the interests of the data subject;
  • The transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
  • The data user has reasonable grounds for believing that in all circumstances of the case (i) the transfer is for the avoidance or mitigation of adverse action against the data subject; (ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and (iii) if it was practicable to obtain such consent, the data subject would have given his or her consent;
  • The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in that place in any manner which, if that place is Malaysia, would be a contravention of the PDPA;
  • The transfer is necessary in order to protect the vital interests of the data subject; or
  • The transfer is necessary as being in the public interest in circumstances as determined by the Minister.

Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

Generally, no. The PDPA itself is silent on the issue. It is, however, possible that the Regulator may take such notification into account in determining whether the data user has complied with the Security Principle under the PDPA. Formal codes of practice have yet to be issued on this matter.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

Generally, no. The PDPA is also silent on this issue. It is, however, possible that the Regulator may take such notification into account in determining whether the data user has complied with the Security Principle under the PDPA. Formal codes of practice have yet to be issued on this matter.

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

No. However, this may be addressed in the formal codes of practice which are intended to be issued to supplement the provisions of the PDPA.