IS YOUR DATA SAFE?
HERE’S HOW TO MAXIMISE THE SECURITY OF YOUR BUSINESS DATA AGAINST AI DRIVEN PRIVACY RISKS.
by Thulasy Suppiah, Managing Partner
Data. Big Data. Metadata. These are powerful commodities for modern businesses to thrive and survive. Datasets have become such invaluable assets, they need to be stored somewhere safe. Each year, more and more corporate data is being stored in the cloud – a metaphor for the Internet’s services managed by third parties. Everywhere and in Malaysia, this has surged demand for AI-powered cloud storage solutions and applications to manage, process and protect the growing volume of sensitive data. In this article, we examine how a business can identify the right cloud storage services for robust data protection despite unique challenges spawned by Generative AI (Gen AI). These include the misuse of data and shortage of skills to protect against AI-enabled cybercrime. Without proactive oversight, companies leveraging AI risk exposing customer data and IP rights to unauthorized access or manipulation.
BENEFITS OF SOVEREIGN CLOUD SERVICES
Traditionally, companies used public clouds or cloud computing systems located outside the country to store their data. However, this meant little control or accountability over the use of that data. Heedfully, Malaysia has taken steps to safeguard data sovereignty within our borders by providing ways for locally managed services to offer cloud storing platforms to secure business data from foreign access. Today, organisations can store data either in a private cloud or sovereign cloud, regulated by local laws.
A sovereign cloud is a cloud computing environment which enable’s each organisation’s data to be stored on a system of servers located within their own country. This system is hosted by locally managed services, is required to abide by domestic rules governing data privacy; while having to adopt special security measures for the vicinity of the stored data.
Sovereign cloud providers are an important link with expertise to handle and track the flow of data. They can categorise various types of industry data, whether confidential, public, corporate or personal. Their proximity within the country is said to increase their efficiency tenfold through faster execution speeds and greater network stability. By maintaining valuable data within a country’s borders, sovereign cloud offers a more secure means of data protection.
Recent amendments to Malaysia’s Personal Data Protection Act provide further flexibility and higher protection over stored datasets:
- Biometric Data is now explicitly defined as sensitive personal data
- Data portability rights allow individuals to request the transfer of their data
- Data breach definitions are expanded, increasing accountability for data controllers and processors Mandatory
- Data Protection Officers are required for better oversight
While these amendments are much welcomed, they don’t fully address the risks associated with the growing use of AI systems in data processing, in particular, regarding facial recognition technology. Hopefully in time, our government will fine tune our laws to address gaps.
RISK FACTORS IN LEVERAGING AI TOOLS FOR DATA PROCESSING AND STORAGE
As technology users, we tend to focus on interfaces and tools, but not really the accountability and oversights of their internal functions. Machine learning presents a formidable challenge – who governs it? Who is protecting data being hosted by third parties from misuse and theft and the issues surrounding the accuracy of AI tools?
Malaysia has a multifaceted framework to protect personal data in commercial transactions, govern information security, to ensure network reliability and infrastructure integrity and to safeguard data sovereignty. Malaysia’s cyber security laws include:
The Personal Data Protection Act 2010 (PDPA)
This is the key framework that regulates personal data processing in commercial transactions in Malaysia. It mandates the implementation of practical measures to protect personal data from loss, misuse, modification, unauthorised access, disclosure, alteration, or destruction. Non compliance with the PDPA may result in fines ranging from RM100,000 to RM500,000, imprisonment for one to three years, or both.
Communications and Multimedia Act 1998 (CMA)
This Act regulates the communications and multimedia industry and places a premium on information security and network reliable cybersecurity services. The CMA prohibits:
- Fraudulent or improper use of network facilities
- Possession of counterfeit access devices
- Unauthorised access attempts
- Interception of communications without lawful authority
Cyber Security Act 2024
This Act is designed to safeguard the nation’s critical information infrastructure (CII) against complex cyber threats. A notable feature of the act is its focus on cybersecurity service providers, mandating a licensing regime to ensure only qualified entities are authorised to deliver cyber security services. Offenses under the Act are:
- Failing to conduct required risk assessments and audits
- Not notifying relevant authorities about cybersecurity incidents
- Non-compliance with licensing requirements
- Failure to implement mandated cybersecurity practices
Additionally, the Act holds not just organisations but also their employees and agents accountable, extending liability to individuals responsible for compliance within the entity.
Copyright Act 1987
- This Act protects intellectual property, including digital content, by prohibiting:
- Unauthorised transmissions of copyrighted works over the Internet
- Circumvention of technological protection measures that applied to copyrighted works
- Offering technology or devices that enable such circumvention
Electronic Commerce Act 2006
This Act provides a legal framework for electronic transactions, ensuring the security and reliability of online transactions.
CHOOSING THE RIGHT SOVEREIGN CLOUD PROVIDER
As businesses handover their data to third party services, legal professionals with deep understanding of technology and computing systems, can help your company asses the security controls managed services have in place and how your data is being utilised beyond your ambit.
It is crucial to investigate how closely these managed services comply with local laws, are fully licensed for the services they provide and if their cybersecurity is provided only by qualified entities as mandated by the law.
In Malaysia we have reputable and established providers who offer sovereign cloud services and there are several criteria they should meet. These include full certification and compliance with local laws, able to guarantee the sovereignty of data within local borders, able to ensure data privacy, able to conduct Data Protection Impact Assessments, have the skills to classify data, and offer scalability and flexibility as the need for your organisation’s data evolves. They should also have robust security protocols, are able to respond to security incidents efficiently and promptly and are able to pivot well in case of service disruptions or in executing disaster recovery to ensure data remains secure and accessible even in adverse situations.
Technology lawyers can also advice and oversee the terms and conditions of the Service Level Agreements between your organisation and the cloud provider, to ensure they align with your business’ needs and offer acceptable language for dispute resolutions. They can scrutinise the quality of customer support and response time and the structure and transparency of costs associated with storing your data.
CONCLUSION
The rapid growth of cloud computing and the widespread adoption of AI and cloud technologies presents significant opportunities if well leveraged, but this must be matched with caution and a strong focus on safeguarding personal data and copyrights. Businesses have the obligation to ensure their data practices align with local laws and to receive, send, track and store data safely. As local regulatory landscapes and the challenges of Gen AI continue evolve, legal services with sound understanding of technology, can help your business stay abreast, compliant and safe.
REFERENCE
- Data Privacy in the Age of AI: Are Your Cloud Services Putting You at Risk of Non-Compliance? Innoedge. (October 2024).
- Malaysia’s Cyber Security Act 2024: What Businesses Need to Know. ASEAN BRIEFING, Dezan Shira & Associates. Medina, Ayman Falak. (August 2024).
- Gen AI in Data Security: The Double Edged Sword. CyberMagazine. (August 2024).
- Malaysia Pushes Out Groundbreaking Amendment to Personal Data Protection Act – Impact on Businesses. Squire Patton Boggs. Aw, Charmian and Lai, Brandon. (August 6, 2024).
- What is Data Sovereignty? Oracle Cloud Infrastructure (OCI), Oracle Malaysia. Chen, Michael. (May 2024).
- AI and Cloud Computing top tech risks for firms in 2024 Horizon report. ORX. (April 2024).
- Sovereign Cloud: A Necessity for Protecting Malaysia Enterprises’ Data Sovereignty. Exabytes. Xiao Hui. (October 2023).
- As Malaysia embraces cloud, data sovereignty debate intensifies. Moxie Insights. Henderson, James. (September 2023).
- Glossary: Sovereign Cloud. opendatasoft.com. (Accessed 2024).
© 2025 Suppiah & Partners. All rights reserved. The contents of this newsletter are intended for informational purposes only and do not constitute legal advice.
