Asia moves towards tougher data breach rules

08 December 2017

A massive data breach in Malaysia has coincided with moves towards tougher data protection laws in Asia, including the introduction of mandatory notification requirements.

In October details emerged of data breaches at 12 Malaysian telecommunications companies, a job-seeker website and databases belonging to three medical associations. Combined, the breaches are thought to have compromised some 46 million personal records dating to 2014, which were recently offered for sale on the dark web.

Malaysia, like Hong Kong and Singapore, does not currently have a mandatory data breach notification requirement. However, times are changing and a number of countries in Asia Pacific have recently announced plans to tighten their data protection laws.


In February of this year Australia passed its Privacy Amendment Notifiable Data Breaches Act 2017, creating a mandatory notification regime. Due to be implemented on 22 February 2018, the law will require organisations to notify data subjects and the Office of the Australian Information Commissioner (OAIC) in the event of a data breach.

Australia is one of the largest markets in Asia Pacific to introduce mandatory data breach reporting rules, but it is by no means alone in this regard. South Korea, Taiwan, Indonesia and the Philippines already have data breach notification requirements, while Japan and China are moving in a similar direction.


China has been strengthening its cyber security laws in recent years, and the country’s data protection laws recently took a significant leap forward with the Cyber Security Law (CSL). Under the CSL, which came into effect on 1 June 2017, network operators are required to promptly inform the regulator and data subjects if their personal information is disclosed.

Hong Kong and Singapore have not yet gone the route of mandatory notification requirements, although they do have voluntary breach notification regimes. Singapore, however, recently consulted on a cyber security bill that would require infrastructure operators, including banks, telecoms and energy companies to report breaches to the regulator as soon as they are discovered.


Japan also does not yet require companies to notify individuals of a data breach, but the country has taken steps this year to increase protections for its citizens’ data, better aligning its rules with the EU’s General Data Protection Regulations (GDPR).

Changes to Japan’s Personal Information Protection Act (PIPA) in May, for example, added processing rules and a requirement to appoint a data protection officer. Also, like the GDPR, the amended PIPA introduced restrictions on the cross-border transfer of personal data.

The new rules require companies to seek permission from data owners before transferring data to foreign countries, although there is an exemption for transfers to countries regarded as having adequate data protection laws in place.

Such an agreement may soon exist between the EU and Japan. In July, the European Commission and Japan issued a joint statement confirming that an adequacy decision on international data transfers is expected in early 2018. The statement said that recent reforms of their respective privacy legislation have further increased the convergence between their two systems.


Although Asia has not seen the same frequency of large data breaches as the US, awareness of cyber risk and interest in cyber insurance has been growing in recent years.

A number of Asian companies are now purchasing cyber insurance, and JLT in Asia has experienced a rise in enquiries from Asian companies. This is a reflection of increasing data protection rules, leading to growing board-level awareness of cyber risk.

Demand is also being driven by the international nature of some Asian businesses, which are exposed to more stringent data protection rules in the US and EU. Asian companies are increasingly required to purchase cyber insurance under contractual requirements with customers and business partners.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on