Malaysian Businesses, What Is Your Responsibility For Your Client Data?

Many Malaysian businesses see a lock on their office door, or on their filing cabinet, as the extent of their responsibility to protect their clients’ data.

Unfortunately, things are more complicated now; there’s a lot more to consider.

PDPA

The Malaysian Personal Data Protection Act 2010 (PDPA) states:

Cybersecurity

The PDPA enumerates the security principle as one of its data protection principles. Under this principle, an organisation must ensure both technical and organisational security measures are well in place to safeguard the personally identifiable information that it processes. The ISO/IEC 27001 Information Security Management System (ISMS), an international standard, which deals with information technology systems risks such as hacker attacks, viruses, malware and data theft, is the leading standard for cyber risk management in Malaysia.

It applies to almost all businesses. If you have an invoice or a receipt, you are expected to keep it secure.

The PDPA applies to any person who processes or has control over the processing of any personal data in respect of commercial transactions.

Security Auditors?

Accountants and Auditors should be particularly aware of these issues.

Recently a client mentioned they had received an unusual email from their auditors (a company that incidentally purports to provide security audits).

It was a targeted phishing email sent from the personal Gmail account that the auditor sometimes used.
When contacted, he said “Oh yeah, I think my account got hacked”.
Quite a surprising statement from someone who does security audits.

In this situation:

  • all emails sent to and from that account will have been downloaded,
  • along with any scanned, signed documents and financial details that had been sent as attachments,
  • to and from all of this auditor’s clients.

Which means that even though my client has ceased using the services of this auditor, he will still have to monitor all of his financial dealings extremely carefully from now on.

Imagine if all of the documents that have ever travelled between you and your accountant, auditor or lawyer fell into the hands of criminals.

Legal Action

The simple fact is that insufficient protection of IT infrastructure and poor practices are now considered negligence, and those affected are in a position to take legal action.

Is it really worth having your company struck off, or losing it altogether, just to avoid doing the right thing?


Access Devices Asia provides a full range of IT Security Solutions and services.
We help your company learn and follow best practices, as well as implement Disaster Recovery plans, to protect your business should the worst happen.
