Clear guidelines reduce risk of data breaches


KUALA LUMPUR: Government departments and agencies, as well as private companies, must establish their own guidelines and policies for employees when working from home (WFH) to prevent breaches, leakages and abuse of data and sensitive information.

Jeeva Partnership managing partner Datuk J. Shamesh said that if employees fail to adhere to these WFH guidelines and policies, employers have the right to lodge police reports against them for any violations, particularly concerning sensitive data or information.

“When you do not have these policies, employees could take it for granted that they can use confidential information or personal data openly and thus subject to exposure,” he said after appearing as a guest on Bernama TV’s The Nation programme, entitled “WFH and Data Breaches: What You Need to Know”, hosted by Gerard Ratnam.

Shamesh said that in the absence of such WFH policies, employers might be solely liable for breaches of personal data and sensitive information.

He compared the information that employers and government departments possess to intellectual property, asserting that the owner has rights to their logo, creations, and data.

The advocate said the Personal Data Protection Act 2010 (PDPA) in Malaysia, particularly under the Personal Data Protection (Class of Data Users) Order 2013, mandates registration for 13 specific sectors that process personal data in commercial transactions.

These sectors include banking, insurance, health, tourism, transportation, education, direct selling, and services like legal, accounting and engineering.

“Our system is very homegrown, but if someone else enters our system, it is very dangerous (and) we do not realise that sensitivity, (therefore) the onus is on the data controller to keep the info safe.

“What we have learned from WFH during COVID-19 is that companies’ confidential information may be at jeopardy if employees do not handle the information given by their employers well,” said Shamesh.

In defending employers in numerous cases, he said it would only be prudent if they have proper policies, governance, guidelines and employee training on ways to use this data.

Shamesh highlighted how various groups were eager for sensitive information to exploit, particularly to determine whether someone is a high or low net worth potential client.

This is why protecting data, especially personal data, is so valuable, he said, adding that employees using a dongle for connectivity in remote areas, for instance, risk data breaches as it may not have the required firewall.

Shamesh said devices could be insecure when using Wi-Fi, especially in public places.

Employers must be cautious about data breaches, particularly those involved in accounting, law, healthcare, and insurance, because they handle sensitive information like financial records, criminal records, medical records, and personal data.

No less important are the police, the Immigration Department and departments in the Ministry of Finance.

He said information carries value in terms of ringgit, so it is incumbent on the employer to ensure that the employee is well-trained to tackle cyber attacks and cybercrime.

Elaborating on WFH policies and guidelines, he emphasised that it is all about managing employees and the do’s and don’ts when they WFH.

Clear parameters are crucial to ensure that employees work within the confines of the company’s WFH policy, said Shamesh. 

“This requires workers to follow instructions and not assert that their personal computers or devices have been hacked.

“All employees take part in awareness training to learn the policies, guidelines and parameters they should work with,” he said.

While information technology (IT) departments “must be on top to create virtual private networks (VPN), encryption, among others, hackers too are on the ball, and they are getting innovative”. 

They use artificial intelligence (AI) to mimic voices, for instance, of bosses to instruct employees to relay sensitive data and information to others.

There may be instances where employees who have received termination notices download sensitive information onto their personal computers or emails, potentially sharing it with a competitor company.

“AI is complicating efforts to prevent data breaches and protect sensitive information,” said Shamesh, referencing a case in which a client received computer-generated invoices that included the customer’s name, signature, and the products ordered.

Subsequently, the company disbursed several million ringgit because the finance department believed it was a legitimate purchase order and an invoice received from the customer, only to realise later that it was not. – BERNAMA
