Jurisdiction - Australia
Reports and Analysis
Asia Pacific – Cybersecurity – Six Important Facts you Should Know About Data Privacy

 

21 September, 2011

 

Information technology breaches are now considered as one of the top risk management concerns for companies and their executives.  In a recent report, The Ponenom Institute’s Security Tracking Study[1] found that 83% of multinational companies had been targeted by a cyber attack over the past 12 month and concluded that there has been a 20.6% rise in cyber attacks in the same period.  According to the same study, the average cost of an attack is US$3.6 million. Similar cyber security surveys by Symantec, Pricewaterhouse and Accenture also found similar trends in the increase of malicious security breaches.

 

However, prevention is always much better response than cure itself . This is why it is critical that companies and their management understand that the reputational costs and damage to the brand often far exceeds the immediate financial impact.

 

Here are six key facts that companies must keep in mind .

 

  1. Attacks can happen anywhere and anytime: It used to be physical threats that were big concerns but cyber criminals today can threaten companies from any where in the world.
  2. Legal Environment is changing fast: Authorities are constantly updating and strengthening Data Privacy legislations and regulations that are very consumer friendly
  3. “It’s more than the website”:  Companies are extremely dependent on technology in all aspects of their business. Companies are looking beyond just the internet.
  4. Size does not matter:Cyber criminals are out to steal and expose data and they do not seek out companies based on size, business type, location or country of origin. So any company is a target as long as you keep records of customers, suppliers and employees.
  5. Counting the cost of data breaches and attacks.  Even with the best security in place,  the costs of managing and paying for a data breach can be huge.
  6. Sorry LettersAn expensive affair.   Data Privacy laws in Asia Pacific now specifies strict rectification duties on companies that has suffered data breaches which requires companies to disclose security breaches to customers residing in those countries. These notification letters or “sorry letters” can range from US$50 to US$100 per customer, but in some countries as much as $200 if you need immediate assistance.

 

Getting the Board up to speed with CyberSecurity – the stake holders

 

When a data breach happens or company secrets are stolen, the question that will come from shareholders, customers, suppliers and the authorities would be “what did the board of directors do to protect the data?”  In the past, it was the responsibility of the IT department; however company leaders are now equally answerable to these stake holders because it is now well established that data protection is as much a matter of good governance as it is a technology issue.

 

The reality is that today, companies are heavily reliant on technology to interact with almost every aspect of their business. As a result,  

 

·         Customer records or data are the new currency that are subject to theft . Every company is exposed because data includes credit card information or purchasing history transactions.

 

·         Anyone that transacts with the company could be a potential hacker  and this would also include an employee of the company , a supplier, or outside consultants.

 

The Legal Climate in Asia-Pacific is fast changing.

 

A number of countries have taken a giant leap towards the enactment of a comprehensive data protection framework.  Recent developments include:

 

·         Hong Kong– Following a number of high profile mishandlings of personal data by private sector entities (including the controversial story of a company selling personal data), attention is once again drawn towards the need for a more stringent personal data protection regime in Hong Kong.  In October 2010, the Hong Kong government published a public consultation report on review of the Personal Data (Privacy) Ordinance, together with reform proposals.  A new law is likely to be implemented in the course of 2012.  It is expected that the new law will impose heavier penalties and vest more power with the Privacy Commissioner.  For example, the fine for misusing personal data for direct marketing will increase from HK$10,000 (approx. US$1,300) to HK$500,000 (approx. US$64,500).

 

·         Singapore– A new data privacy legislation is likely to be introduced very soon.  To date, Singapore does not have any comprehensive data privacy regime, except certain voluntary schemes as model code or industry-specific regulations (including the telecommunications or financial services sectors).  One of the specific objective of the new legislation is to regulate unauthorized collection, use and transfer of personal data.

 

·         Taiwan– the new Taiwan Personal Data Protection Act (the Taiwan Act) is an overhaul of its predecessor Computer Processed Personal Data Protection Act.  The Taiwan Act now "provides protection to personal data across all public and private entities and across all sectors".  Interestingly, besides civil remedies and criminal sanctions, it is expressly contemplated in the Taiwan Act that class action is available to aggrieved data subjects.

 

·         Malaysia– Malaysia became the first country in ASEAN which passed a comprehensive personal data protection law.  The Personal Data Protection Act 2010 was gazetted in June 2010.  It is expected that this legislation will soon come into operation.  It stipulates in detail the rules for the collection and handling of any personal data by private sector entities.  Violation of the new law is subject to a maximum penalty of a fine up to RM500,000 (approx. US$165,000) plus up to 3 years imprisonment.

 

However, we need to keep in mind the threat of cyber breach is not just confined to where companies operate since use and reach of information technology recognizes  no boundaries

 

[1]Source:  http://www.ponemon.org.  

 

 

 

 

 

 

 

Leave a Reply

You must be logged in to post a comment.