• Rahmat Adrian

Data Breach Ready Company

Updated: Aug 31

By: Rahmat Adrian (rahmat.adrian@launcher.id) and Rahel Manurung

Personal data stores intrinsic values to the internet user as the data owner. Consent and trust are deemed essentials for the internet users in handing over their personal data to an internet company. As a result, the company needs to ensure decent data security system in order to protect the “trust” given by the users. Nowadays, however, there are many instances of data infringement that arise. A National News Media summarizes 5 alleged infringement cases this year alone, involving a total of approximately 107,730,000 personal data.

Data breaches may be caused by various factors, such as external hackers, outdated security controls, negligence on the part of the company's stakeholders, leakage from the insider and many more. No matter how sophisticated a company's security system is, there still a high probability for any company to experience a data breach. And if this happens, the way a company responds to it will determine the fate of the company, including whether customers will ever trust the company again. It is therefore very important to have a data breach ready for the company.

Company’s Obligations in Regard to Data Breach

To be a data breach ready company, the first and foremost rule is being aware of its obligations in regard to data breach. The Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (“GR 71/2019”) and Minister of Communication and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data (“MOCI Reg. 20/2016”) regulate that in the event of data breach, the company must notify in writing the Personal Data Owner, which must include the reasons or causes of the data breach, no longer than 14 days after the data breach is known. This notification may be carried out electronically only if the Personal Data Owner has granted approval for it at the time when the acquisition and collection of their personal data took place. In the event of data breach contains potential harm against the Personal Data Owner, then the company must ascertain that the notification has been received by Personal Data Owner.

Furthermore, if there is a system failure or disturbance due to a third party which has a serious impact and therefore causes a data breach, the company is obligated to immediately report it to the law enforcer and relevant authorities.

Personal Data Owner’s Rights in Regard to Data Breach

Other than being aware of its obligations, a company must be aware as well of every right that a Personal Data Owner has in regard to the data breach. Law No 11 of 2008 on Electronic Information and Transaction, as amended by Law No. 19 of 2016 (“EIT Law”) along with MOCI Reg. 20/2016 regulate that a Personal Data Owner has the right to file a complaint to the MOCI as an attempt to resolve a dispute by way of deliberation or through other alternative settlement efforts on the following basis:

  1. No written notice of the data breach was made by the company, regardless of such breach was potentially or non-potentially harmful; or

  2. Personal Data Owner has suffered loss, even though a written notice of the data breach was made but the time of notification is already too late.

This complaint shall be made no later than 30 business days after the Personal Data Owner became aware of either of the above. In the event that such settlement effort has yet to settle the data breach dispute, Personal Data Owner may file a lawsuit on the occurrence of the data breach.

Company’s Liabilities in Regard to Data Breach

It is necessary for every company to be aware of the upcoming liability in regard to the data breach. Under the prevailing law and regulation in Indonesia, a company that experience data breach might be subject to 3 types of liabilities, which are:

Civil Liability.

EIT Law states that any person whose right has been violated may file a lawsuit. Under the Indonesian Civil Code, a data breach could be filed based on tort.

Administrative Liability.

EIT Law, GR 71/2019 and MOCI Reg. 20/2016 regulate the administrative sanctions that shall be imposed in regard to violation upon the existing data breach provision. This sanction shall be imposed by MOCI or relevant body in the form of a written warning letter, administrative fine, temporary suspension, access termination, and/or removal from the registry.

Criminal Liability.

As mentioned in the beginning, a data breach may also be caused by leakage from an insider who distributes the personal data outside the company’s system. A company must be responsible for the security system both physically and logically. EIT Law regulates criminal liability in regard to data breach as follow:

  1. Six to eight years’ imprisonment and/or an amount of IDR 600 million up to IDR 800 million fine for unlawful access;

  2. Ten years’ imprisonment and/or an amount of IDR 800 million fine for interception or wiretapping of transmission; and

  3. Eight to ten years’ imprisonment and/or an amount of IDR 2 billion up to IDR 5 billion fine for alteration, reduction, transmission, tampering, deletion, moving, or hiding electronic information or electronic records.

A Glance at Data Breach Ready based on Personal Data Protection Bill

On 24 January 2020, the Indonesian Government has submitted the final draft of Personal Data Protection Bill (“PDP Bill”) to the Indonesian House of Representatives. If the Indonesian House of Representative passes this bill, it will be the first Indonesian law which provides comprehensive regulations for personal data protection in Indonesia. And it also means that every party will have to follow this new law, including the companies. Therefore, it’s important to start learning how to be a data breach ready company based on this upcoming law.

In the event of a data breach, PDP Bill requires the company to notify the Personal Data Owner and MOCI within 3 x 24 hours. This notification shall contain the information about the personal data that is revealed, when and how this personal data is revealed, and any effort in handling and recovering the revealed data. To some extent, the company is also obligated to provide public notice regarding the data breach.

PDP Bill regulates 2 types of liabilities which are administrative and criminal liability. The administrative sanction shall be imposed by MOCI in the form of written warning, temporary suspension, deletion of personal data, compensation and/ or administrative fine. The criminal sanction shall be imposed in the form of 1 to 7 years’ imprisonment or IDR 10 billion up to IDR 70 billion fine.

LID Advisory is a publication prepared by Launcher.id. It is intended to inform in general topics covered only, and should not be treated as a legal advice or relied upon when making business activities or investment decisions. Should you have any inquiries on the matters contained in LID Advisory, or other comments generally, please contact us at contact@launcher.id.