Cybersecurity Law in Malaysia: How to Protect Your Business from Legal Liability in 2024

Understanding Cybersecurity Law in Malaysia

In today's digital economy, cybersecurity is no longer just an IT concern—it is a legal imperative. Malaysian businesses handling personal data face significant legal obligations under the Personal Data Protection Act 2010 (PDPA) and related legislation. Failure to comply can result in fines of up to RM500,000, imprisonment, and severe reputational damage.

This guide examines the key legal requirements for cybersecurity in Malaysia and provides practical steps to protect your business from liability.

The Personal Data Protection Act 2010 (PDPA)

The PDPA is Malaysia's primary legislation governing the processing of personal data in commercial transactions. It applies to any person or organisation that processes personal data in Malaysia, whether the data subject is Malaysian or foreign.

Who Must Comply?

The PDPA applies to businesses that process personal data in commercial transactions if they are established in Malaysia, or if they use equipment in Malaysia to process personal data. This includes companies incorporated under the Companies Act, partnerships formed under Malaysian law, and foreign entities maintaining an office, branch, or regular practice in Malaysia.

Notably, the PDPA does not apply to the Federal Government and State Governments, nor to personal data processed entirely outside Malaysia unless intended for further processing within the country.

The Seven Data Protection Principles

The PDPA establishes seven principles that data users must follow. Understanding these is essential for cybersecurity compliance.

The Security Principle

This principle is most directly relevant to cybersecurity. Under Section 9 of the PDPA, data users must take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction.

When implementing security measures, businesses must consider the nature of the personal data and potential harm from a breach, the storage location, security measures built into storage equipment, reliability and competence of personnel with data access, and measures for secure data transfer.

If you engage a third-party data processor, you remain responsible for ensuring they provide sufficient technical and organisational security measures and comply with those measures.

Other Key Principles

The General Principle requires that personal data be processed only with consent and for lawful purposes. The Notice and Choice Principle mandates that data subjects be informed about data collection and given choices. The Disclosure Principle restricts disclosure to purposes related to the original collection. The Retention Principle requires that data not be kept longer than necessary. The Data Integrity Principle ensures data accuracy. The Access Principle gives data subjects the right to access and correct their data.

Penalties for Non-Compliance

The penalties under the PDPA are substantial and should not be underestimated.

Criminal Penalties

Contravening the data protection principles carries a fine of up to RM300,000, imprisonment for up to two years, or both. Processing personal data without a valid certificate of registration attracts a fine of up to RM500,000, imprisonment for up to three years, or both. Unlawful collection, disclosure, or sale of personal data carries a fine of up to RM500,000, imprisonment for up to three years, or both. Transferring personal data outside Malaysia in contravention of the Act results in a fine of up to RM300,000, imprisonment for up to two years, or both.

Corporate Liability

When an offence is committed by a body corporate, directors, managers, and officers who consented to or connived in the offence may be personally liable alongside the company. This means cybersecurity failures can have personal consequences for business leaders.

Data Breach Response: What the Law Requires

While the PDPA does not currently mandate data breach notification to authorities or affected individuals, businesses should implement breach response procedures as part of their Security Principle compliance. Industry best practices and evolving regulatory expectations suggest that voluntary notification may become increasingly important.

Recommended Breach Response Steps

Businesses should contain the breach immediately to prevent further data loss, assess the scope and impact of the breach, document all actions taken, consider voluntary notification to affected parties where significant harm may result, review and strengthen security measures, and preserve evidence for potential investigations or legal proceedings.

The Computer Crimes Act 1997

Beyond the PDPA, the Computer Crimes Act 1997 creates criminal offences for unauthorised access to computers and data. This legislation is relevant when your business is the victim of a cyberattack, as it provides the legal framework for prosecuting perpetrators.

However, businesses must also ensure their own employees and contractors do not commit offences under this Act by accessing systems or data without proper authorisation.

Practical Steps to Minimise Legal Liability

1. Conduct a Data Audit

Identify what personal data your business collects, where it is stored, who has access, and how long it is retained. This forms the foundation of your compliance programme.

2. Implement Written Policies

Develop comprehensive data protection and cybersecurity policies. These should cover data handling procedures, access controls, incident response, employee training, and third-party data processor requirements.

3. Technical Security Measures

Deploy appropriate technical safeguards including encryption for data at rest and in transit, access controls and authentication systems, regular security updates and patches, network security measures, and backup and recovery systems.

4. Staff Training

Human error remains a leading cause of data breaches. Regular training ensures staff understand their obligations and can identify potential security threats such as phishing attempts.

5. Vendor Management

Under the PDPA, you remain responsible for data processed by third parties on your behalf. Ensure contracts with data processors include appropriate security obligations and audit rights.

6. Prepare for Incidents

Have an incident response plan ready before a breach occurs. This should identify response team members, contain step-by-step procedures, include communication templates, and establish relationships with relevant authorities and legal advisors.

Cross-Border Data Transfers

Section 129 of the PDPA restricts the transfer of personal data outside Malaysia except to countries specified by the Minister. Before transferring data internationally, businesses must verify the destination country is approved, obtain data subject consent where required, and implement appropriate safeguards.

Contravention carries a fine of up to RM300,000, imprisonment for up to two years, or both.

Registration Requirements

Certain classes of data users must register with the Personal Data Protection Commissioner. The Minister may specify which classes require registration. Operating without registration where required is an offence carrying a fine of up to RM500,000, imprisonment for up to three years, or both.

Looking Ahead: Evolving Cybersecurity Regulation

Malaysia's cybersecurity regulatory landscape continues to develop. Businesses should monitor developments including potential amendments to introduce mandatory breach notification, sector-specific cybersecurity requirements, and enhanced enforcement by the Personal Data Protection Commissioner.

Proactive compliance today positions your business well for future regulatory changes.

Conclusion

Cybersecurity compliance in Malaysia requires a comprehensive approach combining legal understanding, technical measures, and organisational commitment. The potential penalties—fines of up to RM500,000 and imprisonment—make non-compliance a serious business risk.

By implementing robust data protection practices, training staff, managing third-party risks, and preparing for incidents, Malaysian businesses can minimise their legal exposure while building customer trust in an increasingly data-conscious market.

Disclaimer

This article provides general information only and does not constitute legal advice. The information is current as of the date of publication but laws and regulations may change. Every business situation is unique, and you should consult a qualified lawyer for advice specific to your circumstances. Naidu Chambers accepts no liability for any actions taken based on this general information.