There needs to be a law to compel Malaysian companies to disclose data breaches, especially when personal information has been stolen.

With the increasing number of data ­breaches in the country, it is high time to make it mandatory for companies in Malaysia to disclose such incidents.

IBM Resilient cyber security and privacy program director, Gant Redmon, says a definitive law would remove any grey area on whether a company should or shouldn’t declare a breach.

“For lawyers, a little black and white is sometimes preferable when you’re trying to do something quickly. A law would push the company to make the notification faster, rather than mulling if it’s in the company’s best interest,” says Redmon, a lawyer ­himself.

“Time is not your friend in incident response. You used to have 30 to 90 days to report an incident. Now 72 hours is the new 90 days,” he says, referring to the European Union’s General Data Protection Regulation (GDPR) which includes a mandatory ­declaration rule.

Redmon says a mandatory law would push companies to make disclosures faster instead of mulling over it.

Under Article 33 of the GDPR, in the event of a personal data breach, the data ­controllers must declare the incident to the appropriate authorities “without undue delay and, where feasible, not later than 72 hours after having become aware of it”.

This means within three days of an ­incident, the affected organisation must ­conduct a thorough investigation, inform both regulators and affected individuals, identify what personal data was stolen and how, and also draft a comprehensive ­containment plan.

A data breach is an event in which an individual’s name and personal info like medical or financial records are potentially put at risk whether it’s due to an attack, ­system glitch or human error.

According to IBM Resilient, which ­specialises in incident response, the scope of GDPR goes beyond data breaches – ­companies must also declare if they are no longer able to access their data, say, in the event of a ransomware attack which can lock out data.

Although the EU regulation states that a declaration must be made ­within three days of discovery, a study ­suggests breaches are often discovered months after the actual cyberattack.

A 2017 report by the Ponemon Institute found organisations were able to reduce the average time taken identify a data breach to 191 days (2017) down from 201 days (2016) and contain the data breach within 66 days (2017), down from 70 days (2016).

It also stated that the average number of breached records in Asean were among the lowest at 21,045 per incident, compared to India (33,167 records) and the Middle East (33,125 records) which had the highest ­averages.

The 35-page report sponsored by IBM Security interviewed 419 companies and took samples from 13 countries, including the United States, Britain, Germany, Australia, France, India.

CyberSecurity Malaysia (CSM) chief ­executive officer Datuk Dr Amirudin Abdul Wahab says Malaysian companies are not bound by law to declare data breaches, though the Security Commission requires financial companies to make a disclosure under certain circumstances.

“In fact, a local broadcasting company recently declared that customers’ details were compromised at least six months after identifying the incident, and only came ­forward after a tech portal highlighted the leak,” he told the press during the Forum of Incident Response and Security Teams (FIRST) conference in Kuala Lumpur.

He says CSM’s stance on the issue is simple – it wants to encourage organisations to lodge a report with it and also disclose the breach.

Asked if there should be laws to make it mandatory, Amirudin said the Personal Data Protection Act could be updated to reflect that, but declined to comment further as the Act was under the purview of the Department of Personal Data Protection.

Amirudin said cyberattacks continue to rise and data from the Malaysian Computer Emergency Response Team (MyCERT) over the last seven years shows fraud continues to account for about half of the reported cases.

However, due to there being no ­requirement to declare breaches, intrusions may be under reported.