Understanding Data Breach Notification Requirements under Malaysia's PDPA
This article covers data breach notification under Malaysia's Personal Data Protection Act 2010 (PDPA) and offers organizations a guide to compliance. The PDPA sets requirements for organizations that process personal data in commercial transactions. The Personal Data Protection (Amendment) Act 2024 introduced more stringent obligations, including mandatory data breach notification and the appointment of Data Protection Officers (DPOs), and strengthened enforcement: the maximum penalty for contravening the data protection principles rose to a fine of MYR1 million, imprisonment of up to three years, or both.
Key Principles of PDPA
The PDPA is built upon several key data protection principles:
- General Principle: Personal data may not be processed without the data subject's consent, subject to the Act's exceptions.
- Notice and Choice Principle: Data subjects must be informed, by written notice, that their data is being collected, for what purposes, and of their rights.
- Disclosure Principle: Personal data may not be disclosed for a purpose other than the one for which it was collected, or to a third party of a class not notified to the data subject, without consent.
- Security Principle: Personal data must be protected from loss, misuse, modification, and unauthorized or accidental access or disclosure.
- Retention Principle: Personal data must not be retained longer than necessary for the purpose for which it was collected.
- Data Integrity Principle: Personal data must be kept accurate, complete, not misleading, and up to date.
- Access Principle: Data subjects must be given access to their personal data and be able to correct it.

What Constitutes a Personal Data Breach?
A "personal data breach" is any breach, loss, misuse, or unauthorized access of personal data, or an incident that is likely to lead to one. Breaches can be accidental or deliberate, and can be caused by insiders or by external parties.
Examples of personal data breaches:
- Unauthorized third-party access to personal data.
- Accidental dispatch of an email containing personal data to the wrong recipient.
- Loss or misplacement of a company-issued laptop containing unencrypted personal data.
- Deliberate theft of personal data by an employee.
- External parties gaining unlawful access to a data controller’s network and extracting personal data.
- System misconfigurations leading to data loss or inadvertent data sharing.
- Alteration of personal data without permission.
- Temporary or permanent loss of access to personal data.
- Misplacing or losing physical documents containing personal data.
- Leaving personal data unattended in open areas.
- Sending letters or forms with personal data to the wrong recipient.
Notification to the Commissioner
Not all personal data breaches necessitate notification to the Personal Data Protection Commissioner. A data controller is obligated to notify the Commissioner only if the breach causes or is likely to cause "significant harm".
Significant harm is defined as a scenario where there is a risk that the compromised personal data:
- May result in physical harm, financial loss, a negative effect on credit records, or damage to or loss of property.
- May be misused for illegal purposes.
- Consists of sensitive personal data.
- Consists of personal data and other personal information which, when combined, could potentially enable identity fraud.
- Is of significant scale. A breach is considered of "significant scale" if the number of affected data subjects exceeds 1,000.
Examples where notification to the Commissioner is required:
- Loss of a laptop containing customer data that may result in significant harm, or if the breach involves more than 1,000 affected data subjects.
- Unauthorized third-party access to patients’ medical records.
- Temporary inaccessibility of medical records in a hospital due to a cyberattack.
- An email containing a customer's account statement sent to the wrong recipient.

The notification must be made as soon as practicable, and in any case within 72 hours. The 72-hour clock starts when the data controller becomes aware of the breach, that is, when it is informed of a security incident or detects the breach itself, not when the underlying compromise occurred. In practice this means the internal detection and escalation path (help desk tickets, SOC alerts, vendor or processor notices) determines how much of the window is left for assessment, so that path should be defined and exercised in advance.
The notification to the Commissioner should be made via:
- The notification form on the Department of Personal Data Protection (JPDP) website.
- Submitting the notification form in Annex B to [email protected].
- Submitting a hard copy of the notification form in Annex B to the Commissioner.
The data controller must complete all mandatory fields in the notification form and submit it within the 72-hour timeframe. The Commissioner will issue a confirmation notice upon receiving the notification. Additional information can be provided in phases, but no later than 30 days from the initial notification.
Notification to Affected Data Subjects
A data controller is also required to notify data subjects if the data breach results in or is likely to result in "significant harm" to them. The definition of "significant harm" used when notifying the Commissioner also applies when determining whether to notify data subjects. However, the "significant scale" criterion (more than 1,000 affected data subjects) does not apply when determining whether notification to affected data subjects is required.
Examples of situations that require notification to affected data subjects:
- A financial institution suffers a cyberattack resulting in the theft of customers’ personal and financial information.
- A cybercriminal gains control of a pharmaceutical supplier’s server containing customers’ personal and financial data.
- A cybercriminal threatens to delete data on a direct seller's server after circumventing security measures.
The notification to affected data subjects must be made without unnecessary delay, not later than seven days after the initial data breach notification is made to the Commissioner. The notification should be direct and individual, using intelligible language. If direct notification is not practical, alternative means such as public communication can be used.
Penalties for Non-Compliance
Failure to comply with Section 12B(1) of the PDPA, the mandatory data breach notification duty, is an offence punishable by a fine not exceeding RM250,000, imprisonment for a term not exceeding two years, or both. The higher maxima introduced by the 2024 amendments, a fine of up to MYR1 million and imprisonment of up to three years, apply to contravention of the data protection principles rather than to the notification offence itself.
Summary: Which Breaches Are Notifiable
A notifiable personal data breach is one that the data controller must report to the Personal Data Protection Commissioner: a breach that causes or is likely to cause "significant harm" to data subjects. Significant harm exists where there is a risk that the compromised personal data:
- May result in physical harm, financial loss, a negative effect on credit records, or damage to or loss of property.
- May be misused for illegal purposes.
- Consists of sensitive personal data.
- Consists of personal data which, combined with other personal information, could enable identity fraud.
- Is of significant scale, meaning more than 1,000 affected data subjects.
Examples of breaches that require notification to the Commissioner:
- An employee loses a laptop containing customer data, where the loss may result in significant harm or the breach affects more than 1,000 data subjects.
- Unauthorized access to patients' medical records, since a breach involving sensitive personal data is treated as causing significant harm.
- Medical records in a hospital become temporarily inaccessible due to a cyberattack.
- An email containing a customer's account statement is sent to the wrong recipient, since it exposes financial information.
The data controller must assess every personal data breach against these criteria. If any one criterion is met, the Commissioner must be notified within the 72-hour window. Whether affected data subjects must also be notified is assessed separately, using the same definition of significant harm but without the significant-scale criterion.