Protecting the Unprotected Consumer Data in Internet of Things: Current Scenario of Data Governance in Malaysia
Abstract
1. Introduction
2. Literature Review
2.1. IoT Data Protection and Security
2.2. Principles of IoT Data Governance
2.3. Collaborative Governance Framework for IoT Data
3. Malaysia’s Progress in IoT: Data Security and Governance
4. Methods
4.1. Exploratory View on IoT and Personal Data Protection in Malaysia
4.2. Expert Interviews
5. Data and Analysis
5.1. Scenario Setting and Perceptions on Consumer Data Governance
5.2. Qualitative Insights into Secured Data in IoT Ecosystem
5.2.1. Cybersecurity Readiness Issues
- Absence of a well-coordinated institutional setting and regulatory framework for handling issues related to cybersecurity—legal instruments and regulatory (governance) agencies seem scattered;
- Due to the rapid pace of technological change together with the lack of resources and talent faced by regulatory agencies, said agencies need to focus on talent management and alternative measures in order to keep up with the new technological advancements;
- The lack of priority placed on security, especially when it comes to budget and resource allocation. This is related to the importance of leadership in setting organisational security as a priority; resources are found to be channelled towards the operational and infrastructure needs of companies rather than to security. Moreover, there is a lack of enforcement within the current legislation and a lack of reporting on actions taken by enforcement agencies. This gives rise to the assumption that enforcement agencies are not playing an adequate role. This shortfall in handling data breaches is also observed in the industry (or service providers). This relates back to the obligation of data users to report any breaches to the authorities. Appendix B presents the main themes of cybersecurity readiness issues.
5.2.2. Data Governance Fundamentals
- The role of regulators and industry in tackling data security issues requires consumer education and empowerment. Since the global challenges of late (e.g., falling oil prices and COVID-19), it is worrying that security and personal data protection might be a lesser priority which may be reflected in national budgets. Therefore, smart partnerships between government, industry, NGOs, and civil society may provide a win–win situation for the relevant stakeholders;
- Therefore, the active participation of NGOs and civil society is required to establish these smart partnerships. In fact, civil society and NGOs play crucial roles in monitoring data and privacy protection. When conducting outreach, there needs to be clear demarcation of which sectors are championed by which organisation. Not only will the message be clearer and better received, but the reduction of redundant activities will allow for wider and more effective outreach activities;
- ‘Buy-in’ from the stakeholders is key to the successful roll-out of policy measures. In the case of industry, personal data protection needs to be seen as a priority, since a breach could disrupt business continuity. It is suggested that awareness programmes are stepped up and the number of touch points with consumers and businesses is increased, as this will in turn increase the overall acceptance rate. Adequate time will be necessary for the mindset changes required. It was highlighted that in the past, regulatory changes had been introduced within a short span of time for implementation—which caused difficulties for businesses to adjust. Industry should also be made aware of the need to incorporate privacy values into their business practices. They should also be required to share some responsibility and accountability in creating awareness. Appendix C summarises the main themes of data governance fundamentals.
5.2.3. Enhancing Regulatory Frameworks
- Government is still expected to drive the agenda on regulatory framework, and the appropriate stage and types of measures for government interventions need to be determined. There is a norm whereby developing countries will face challenges when global monopolies are involved (which promote their own interests and have very little incentive to protect global consumers). Existing regulations need updating in order to address the new threats. As the existing PDPA does not apply to data that are processed overseas or handled by a third-party data processor, the onus is on the data user to ensure that adequate security measures are taken and overseen. Additionally, the use of non-legislative measures (such as standard code of practice) to promote awareness and shared responsibility among industry players needs to be considered. This is important especially when dealing with third-party service providers such as cloud storage or Internet service providers;
- When asked about the accountability of third-party vendors (which is not addressed in the current legislation), consumer interviewees were unconvinced that the present regulations are able to fully cater for the new technological advancements in IoT. The rapid advancement of technology poses a threat, whereby some of the clauses (or words) within the context of the act may be outdated. The role of third parties in this context is not really key, as the business (or the devices manufacturer) should hold the main responsibility for data protection;
- It is a key role of regulatory bodies to ensure that the IoT products imported into Malaysia conform to Malaysian and International standards. This includes certification of IoT devices. Appendix D presents the summary of respondents’ concerns on regulatory frameworks.
5.2.4. Summary of Findings
6. Discussions
6.1. IoT Data Governance Institution
6.2. Collective Responsibility and Practical Implications
7. Limitations and Ethics
- The research deals with a topic that is not well known in Malaysia. Therefore, whilst the problems and issues discussed are well known in developed countries, the full impact of the risks involved in consumer IoT and personal data protection is not realised by the survey respondents and expert interviewees;
- The research framework was developed along the course of the research. This was because the research was exploratory and there was limited local knowledge on the subject matter. This led to “snowballing” in terms of data collection. Toward the tail end of the research, there were several more data breaches and this has caused increased awareness and reporting on the subject matter;
- The respondents and interviewees were from middle or upper class, educated, fluent in English, and IT savvy backgrounds. This may have influenced their perception of the issues to do with IoT and personal data protection. This may not be the case with different groups of people.
8. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Acknowledgments
Conflicts of Interest
Appendix A. Examples of Survey Questions on Public Perception on IoT and Personal Data Protection in Malaysia
Section on IoT and Personal Data Security.

1. Are you aware of the recent data breaches in Malaysia (i.e., the incidence of data breach of Uber or/and Telco data)?
   - Yes
   - No
   - Not sure
2. How do you feel knowing that your personal data may be at risk? _________________________
3. What do you think is the MOST IMPORTANT role of IoT device manufacturers in order to provide adequate personal data protection for the consumer?
   - Engagement with stakeholders (i.e., consumers, regulators or government bodies)
   - Proactive monitoring of threats
   - Transparency and quick handling of any breach
   - Built-in security features for IoT devices
   - Others (please mention): ____________________
4. What do you think should be the MOST IMPORTANT role of the regulators [i.e., government bodies such as Suruhanjaya Komunikasi dan Multimedia Malaysia (SKMM) or the Jabatan Perlindungan Data Peribadi Malaysia (JPDP)]?
   - Coordination between stakeholders (i.e., consumers or manufacturer)
   - Proactive monitoring of threats
   - Transparency and quick handling of any breach
   - Developing and implementing of policy and standards on IoT devices
   - Others (please mention): ____________________

Section on privacy-by-design model.

5. What do you think of the concept of “privacy-by-design”? Do you think it will be suitable to be implemented in Malaysia?
   - Yes
   - No
   - Not sure
6. Please specify reasons (optional) __________________
7. As a consumer, if you were choosing between two brands of smart watches, Brand A and Brand B, please choose the THREE (3) most favoured characteristics that will influence your decision*
   - Price
   - Additional Features (e.g., customisable watch faces for smart watch or social networking for smart TV)
   - Data protection
   - Brand/Reputation/Trust
   - Long-lasting
   - Product support throughout lifecycle
   - Design and attractive look
   - Current trends/fashion
   - Consumer involved in product development
   - Others
8. Should companies incorporate privacy by design with a price increase, do you think you would still buy the product?
   - Yes
   - No
   - Not sure
9. Please specify reasons (optional): ________________

Section on consumer data governance: Smart watch brands like Apple or Fitbit collect consumer health data including activity levels and heart rate through sensors.

10. Based on the statement above, who do you think has the most authority to collect, share and use data?
    - IoT Device owner/consumer (e.g., yourself)
    - IoT Device manufacturer (e.g., Apple/Fitbit)
    - Third party Internet and data storage partners (e.g., Telco)
    - Regulatory agencies (e.g., SKMM)
    - Others
11. Based on the statement above, who do you think has the MOST RIGHT to own the data collected by IoT devices? Please select the most relevant answer.
    - IoT Device owner/consumer (e.g., yourself)
    - IoT Device manufacturer (e.g., Apple/Fitbit)
    - Third party Internet and data storage partners (e.g., Telco)
    - Regulatory agencies (e.g., SKMM)
    - Others
12. In your opinion, who should be championing IoT data protection in Malaysia?
    - Government (e.g., SKMM)
    - Industry (e.g., IoT device manufacturers/Telcos)
    - Civil society (consumer associations, NGOs)
    - Others, please specify
Appendix B
Theme | Empirical Evidence |
---|---|
Institutional and legal instruments | Without legal instruments, it’s difficult to instruct any organisation. All the regulatory agencies have their own laws, so they are more concerned about their own laws (EXR1). Because of legacy issues, everybody claims to be doing cybersecurity… we hope there will be better coordination between all the entities (EXR2). The current regulation is still lacking to cater for new technology and devices in handling huge data… there needs to be a balance between innovations that we want to spur and the data that needs to be exposed (EXI1). It’s good not to put so much restriction on the industry. Also, don’t suddenly introduce regulations that may stifle industries that have been running for several years already (EXI1). With IoT the attack could come from a personal device and through that to the banks which would be a national level security issue (EXR2). MCMC, NACSA and JPDP are interrelated because most of the cyber security issues are related to data, personal data or trade data (EXR1). |
Adaptive capabilities and capable staff | The trend is moving so fast; the regulators have the challenge to keep up with the technology (EXI1). For the last few years, Malaysia has been ranked top 10 in terms of the government’s commitment in implementing cybersecurity measures. However, it seems that other countries are bucking up. They are actually improving strategies while Malaysia remains as it is (EXR5). Government experts are very limited in the field of ICT security. Government needs to invest in terms of people and think about how to retain talent at a place where they can grow. It’s not only the information technology scheme but the lawyers specializing in cyber security (EXR2). In terms of cybersecurity readiness, institutionally and regulatory wise, we are positioned quite well globally. However, challenges are in terms of coordination and leadership and readiness for government and industry to share information (EXR3). EU GDPR has cross border implication. Malaysia cannot run away from that. PDPA needs to be amended to adapt to the higher standards (EXI2). |
Priority setting, enforcement and transparency | Everyone who works in the security environment needs to be trustworthy. Awareness should be right from the top of the organization and they need to allocate certain budget for security (EXI1). From the company’s point of view, cybersecurity is the least of their investment, the focus is more on operating the system (EXR4). Enforcement still has a lot of work to do. Despite several significant data breach incidents, there doesn’t seem to be much enforcement action taken (EXI2). Organisations are not transparent if they are in a situation where they encounter breaches. They report only if they can’t handle it anymore (EXR3). Especially personal data like phone, credit card, address, etc. Leaking this information is unforgivable. Therefore, the regulatory agencies should penalise harshly these organisations that leak the data whether intentionally or not (EXI1). |
Appendix C
Theme | Empirical Evidence |
---|---|
Consumer education and smart partnership | Consumers themselves need to be empowered, and I think not enough is being done for consumer education (EXC2). There needs to be a partnership between government, industry and civil society to empower people (EXC2). There’s a lot of watchdogs… third party organisations such as privacy protection type of agencies or NGOs… I think they play a key role (EXI4). But we don’t see any major strategy or systematic approach in educating and empowering consumers to deal with this (EXC2). Awareness can be increased through education. But we need to be careful not to encourage fear of technology (EXI1). Data users need to take practical steps as outlined in PDPA. This is very subjective. So, the burden becomes on the tech companies to prove that they have taken the necessary steps (EXI2). If they increase engagement, increase the number of touchpoints with consumers as well as businesses, you can see the acceptance rate will roughly increase (EXI4). |
Active participation of NGOs and civil society | Civil society brings credibility and the ability to reach the community. The regulators should work with civil society to reach the consumers. Whether it’s schools, whether it’s communities or young workers (EXC2). There is need to engage a lot of local communities and government itself cannot do so, so they can empower or work with agencies, NGOs and community groups in order to spread the word around (EXI4). Integrate all the awareness initiatives. Because awareness is expensive. Some private entities are doing their own advocacy. Repository of awareness materials. Share the materials and send the same message to the people (EXR2). Whistleblowing—there are communities that follow news and inform (EXR2). |
Industry buy-in and fair privacy practices | Companies can adhere as long as we understand what the principles are and measures that need to be put in place (EXI4). None of the products really focus on enlightening you… Very much the consumers are left on their own (EXC2). Data protection should be included for the earliest stages from the development of the business model. You need to determine who owns the data etc. and plan your business around it (EXI1). Government should put in regulation to ensure that tech companies are transparent about how data is being handled and practice fair privacy practices (EXI2). It should be the responsibility of the organisation to make sure they collect the right amount of data for the right purpose rather than collect as much data as they can (EXI4). If you want to protect your data, you need to check how you protect it, who is the provider of the solution. The owner of the data is responsible, all these needs to be spelled out in the Service Level Agreements (SLA). Security requirements needs to be spelled out clearly (EXR2). |
Appendix D
Themes | Empirical Evidence |
---|---|
Targeted intervention | It is totally inadequate to deal with the current personal data leakages. I think definitely the current legislation deals with physical but this is happening at a whole different level (EXC2). We are over focused on growth... but we are in the terrain where it’s tough for consumers to protect themselves. So, we are depending on the regulators to a large extent (EXC2). It should not be necessary for the regulators to intervene all the time. If we have a standard code of practice, the industry should be able to follow (EXR3). |
Accountability of regulation and responsibility of business | Actually, there can’t be third party... If a business uses a third party for their business, they still need to be responsible that our data is protected and only data processed related to the purpose (EXC2). Businesses have to think of ways in which they can ensure that consumer data is protected (EXI4). Board to declare their cyber security risks. Security should be seamless and embedded to the user. Not an option to user but a requirement (EXR2). In GDPR, the data processor is included whilst in PDPA it is excluded. Therefore, the contract between data user and processor needs to be compliant to PDPA (EXR1). |
Standards setting and compliance | The commission or MCMC plays a key role in ensuring that only the right type of equipment is brought into Malaysia... that meets and conforms to our minimum standards that Malaysia has set. Having said that, I think whilst Malaysia may set certain standards, we also need to adhere to international standards (EXI4). I mean there are already certification processes for normal products. Because of the lack of capability of consumers to protect themselves, the regulators have to play a bigger role (EXC2). Government needs to have standards and specifications in place to ensure security at all points (EXI1). Most of the companies involved in the pilot projects are supplying to MNCs. As such if they don’t comply to international standards, they may have issues with their MNCs (EXR4). |
Level of Coverage | IoT Specific: Main Regulation/Policy | IoT Specific: Status (As of July 2022) | General Personal Data Protection: Main Regulation/Policy | General Personal Data Protection: Status (As of July 2022) |
---|---|---|---|---|
Regulatory | No specific regulation; existing cyber laws (including NCSP); National IoT Strategic Roadmap | No further information available | Personal Data Protection Act (2010) | In force, approved by parliament on 5 April 2020 |
Institutional | No specific institution | - | Department of Personal Data Protection Malaysia | Operational, established on 16 May 2011 |
Countries | Specific PDPA | Coverage of PDPA—For Data Collection and Data Use | Notification to the Data Owner in the Event of Data Breach | Specific Independent Data Protection Authority |
---|---|---|---|---|
Philippines | Data Protection Act (2012) | Public and private sector | Notification is required | Yes—National Privacy Commission (NPC) |
Singapore | Personal Data Protection Act (2012) | Private sector | Notification is required | No, but has data protection agencies housed under ministry |
Malaysia | Personal Data Protection Act (2010) | Private sector | Notification is not required | No, but has data protection agencies housed under ministry |
Thailand | Personal Data Protection Act B.E. 2562 (2019) | Public and private sector | Notification is required | No |
Vietnam | No, but there are Law on Network Information Security (2015), Law on Cyber Information, Security (2015) and Law on Cyber Security (2018) | |||
Indonesia | No, the country is still discussing its PDP bill |
Stakeholders | Scope of Interviews |
---|---|
Regulators | Scenario of personal data protection, cyber security, and Industry 4.0 Risks related to increased usage of IoT Devices Regulatory and enforcement issues Expectations from industry and consumers Privacy by design in incorporating safeguarding measures into product design |
Industries | Managing risks related to increased usage of IoT devices Possibility of embedding privacy by design in device development Role of industry Expectations from government and consumers |
Consumers | Awareness of risks related to increased usage of IoT devices Acceptance of privacy by design Role of industry Expectations from government and industry |

Code | Interviewees | Field of Expertise |
---|---|---|
EXR1 | Department of Personal Data Protection Malaysia (JPDP) | Regulator and authority on personal data protection in Malaysia |
EXR2 | National Cyber Security Agency (NACSA) | Regulator and authority on cyber security in Malaysia |
EXR3 | Malaysian Communications and Multimedia Commission (MCMC) | Regulator and authority on cyber security in Malaysia |
EXR4 | Industry 4.0 Unit, Ministry of International Trade and Industry (MITI) | Regulator and National 4th Industrial Revolution policy custodian |
EXR5 | CyberSecurity Malaysia | Regulator and authority on cyber security in Malaysia |
EXI1 | FAVORIOT Sdn. Bhd. | IoT Industry Expert |
EXI2 | GLT Law | Personal Data Legal Practitioner |
EXI3 | IFCA MSC Bhd. | IoT Industry Expert |
EXI4 | The National ICT Association of Malaysia (PIKOM) | Industry Expert |
EXC1 | Influencer and Consumer Cybersecurity Spokesperson (formerly from CyberSecurity Malaysia) | Consumer Rights |
EXC2 | Federation of Malaysian Consumers Association (FOMCA) | Consumer Rights |

Categories | Respondents’ Expression |
---|---|
Negative | Worried; insecure; scared; concerned; disappointed; terrified; angry; vulnerable; exposed; upset; suddenly anxious; feel unsafe; unknown calls; loss of trust; betrayed; disappointed. |
Apathy | As long as it does not jeopardise me it’s okay; accepted as a fact of life; privacy doesn’t exist in the digital realm. |
Positive | It is our responsibility to ensure that all data of ours is well kept; keep aware all the time; personal data is the economy of the modern era; worried but putting hope on the government; hope relevant authorities play their parts immediately. |

Roles | Percentage |
---|---|
Manufacturers | |
Built-in security features for IoT devices | 43.1% |
Proactive monitoring of threats | 23.1% |
Transparency and quick handling of any breach | 20.8% |
Coordination with stakeholders (i.e., consumers, regulators or government bodies) | 11.4% |
Others | 1.6% |
Regulators | |
Developing and implementing policies and standards | 43.9% |
Proactive monitoring of threats | 23.1% |
Transparency and quick handling of any breach | 16.5% |
Coordination with stakeholders (i.e., consumers, regulators or government bodies) | 14.9% |
Others | 1.6% |

Stakeholders | Very Trustworthy | Trustworthy | Neutral | Untrustworthy | Very Untrustworthy |
---|---|---|---|---|---|
National government & regulatory agencies | 33.3% | 45.1% | 18.7% | 2% | 0.8% |
Intermediaries & government linked companies | 16.3% | 49.6% | 26% | 6.5% | 1.6% |
IoT manufacturing companies | 4.1% | 32.1% | 44.3% | 15% | 4.5% |
Third-party Internet providers | 0.8% | 19.9% | 34.1% | 30.1% | 15% |
Media including social media | 2.4% | 18.7% | 26% | 29.3% | 23.6% |
Political parties | 1.2% | 18.3% | 25.2% | 23.2% | 32.1% |
Consumer associations | 8.1% | 29.7% | 37% | 17.5% | 7.7% |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Cheryl, B.-K.; Ng, B.-K. Protecting the Unprotected Consumer Data in Internet of Things: Current Scenario of Data Governance in Malaysia. Sustainability 2022, 14, 9893. https://doi.org/10.3390/su14169893