This article sets out all legal protections for all internet users in Malaysia, be it via computers, smartphones or any other internet devices. It is also relevant to all online applications users such as Lazada, Facebook, Twitter, etc.
It is impossible to argue the importance of Cyber Security Law at this time and age.
There was a survey published in the Star online news portal in 2016
which show that Malaysians, on an average, spends more than 3 hours a day on the smartphone. This is excluding the amount of time that we are already spending on other devices or gadgets; which would greatly add to the existing number of hours.
We rely heavily on the internet and various other online applications day in and out, to deal with our finances, shopping, corresponding, news-reading and many other activities, it is no wonder that criminals or misusers would be tempted to seek for their target in the cyber world, and such misdemeanors are often motivated by financial gains, revenge, or even curiosity or apathy.
In Malaysia, we do not have a standalone Cyber Security Law, but a number of sporadic laws in this area to counter cybercrimes. These include:-
- Computer Crimes Act 1997 (similar to UK’s Computer Misuse Act 1990)
- Communications and Multimedia Act 1998
- Penal Code
- Copyright Act 1987
- Personal Data Protection Act 2010
- Digital Signature Act 1997
- Strategic Trade Act 2010
- Sedition Act 1948
- Case laws
- Other specific guidelines/policies
In reference to these, we set out 9 types of cyber offences or activities that can be caught under this legal framework.
Cyber offence #1 – Offences Relating to Misuse of Computers
Computer Crimes Act 1997 (‘CCA’) is the first ever specific legislation enacted in Malaysia to counter cybercrimes. It criminalizes the following:-
- Act of hacking, or, in technical terms, unauthorized access to computer material, whether or not with intent to commit further offence. A good case study can be found in the case of Basheer Ahmad Maula Sahul Hameed v PP (2016) which involves the use debit card belonging to the victim of MH 370 incident by a bank staff to withdraw cash from the ATM and transferring money without authorization.
- Spreading of computer viruses, or, in technical terms, modification of the contents of any computer.
- Unlawful communication of any means to access to a computer by an unauthorized person.
In another words, the CCA captures hacking activities such as
- creating viruses or malware for the purpose of hacking,
- hacking into Wi-Fi connections or credit card information by using hacking tools,
- denial of service attacks (this is where hackers attempt to prevent users from accessing the network service, which could be motivated by business interests or blackmailing),
- electronic theft (where hackers or misusers steal a business-sized, company-sized, or even industrial-sized database).
The punishments, depending on the type of offence committed, ranges from a fine of RM25,000 to RM150,000, or imprisonment of 3 to 10 years, or both.
Cyber offence #2 – Offences Relating to Communication and Multimedia Industries
It is worth noting that the Communications and Multimedia Act 1998 (‘CMA’) was an enactment intending to regulate the granting of licenses for the network service providers (a.k.a. internet service providers (‘ISP’) such as Maxis, Celcom, Digi) and other application service providers (e.g. Astro GO, KiniTv, WhatsApp) which is a perfect legal tool for Malaysia Communications and Multimedia Commission (‘MCMC’), being their regulator, to monitor the activities of its licensees.
In fact, the MCMC has the power to direct its licensees to deny access of netizens to websites in order to prevent the commission or attempted commission of an offence under the CMA.
Section 233 of the CMA is one of the notable provisions against making offensive statements online which are
‘… obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person’.
Its punishment carries a maximum RM50,000 fine or up to one year’s jail, or both, upon conviction. Section 114A of the Evidence Act 1950 (“Section 114A”) creates a legal presumption that any registered user having in his control any computer on which any publication originates from, is presumed to be the publisher of a publication sent from a computer which is linked to that network service or that computer, unless the contrary is proved.
There are also provisions under
- Sections 231, 232, 234 and 235 of the CMA against hacking, including communication interception and tamper with network facilities or Wi-Fi, and
- Section 236 against possession devices/software used to commit cybercrimes (e.g. network/ Wi-Fi hacking devices, stealing of credit card information from devices (especially targeted at the credit card ‘Paywave’ feature).
The legislative intent of CMA is no doubt proper, however, there were some obvious misuse of the CMA by the executives in the recent running up towards the 9 May 2018 general election.
One example was the infamous direction given by the MCMC to a few ISPs in Malaysia to deny access to The Malaysian Insider online news portal, for their alleged violation of Section 233 of the CMA for publishing offensive statement against the executives. There were critiques that it was misused to stifle the voice of the opposition political parties.
We also see many prosecutions under the CMA since 2016, including Mohd Zaid Bin Ibrahim and Khairuddin Abu Hassan, who were among the politicians charged under Section 233 for making ‘offensive statements’ against the then executives via social media by calling for the investigation and resignation of government executive in the democratic context.
Recently, in 2018, we have also seen the Malaysiakini’s editor-in-chief, Steven Gan, and online news portal operator, KiniTV Sdn Bhd, were charged under Section 233 for airing an allegedly offensive video on KiniTV’s website, all of which were political comments or news against the establishment’s favour.
In the fortunate turn of events, these charges were mostly dropped against the politicians and civil activists following the establishment’s defeat in the 9 May 2018 general election.
Cyber offence #3 – Phishing
Phishing is a form of identity theft or fraud. It often happens by emails masquerading as communication from purported government agencies, banks or reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Despite the obvious wrong by committing phishing or identity theft or fraud, in Malaysia, there is no specific provision against such crime. However, Section 416 of the Penal Code, which provides against ‘cheat by impersonation’, or rather, pretending to be someone else with intention to cheat, serves to counter such crime.
The offence is committed whether the individual personated is a real or imaginary person. Such offence carries the jail term up to five years or with fine, or with both upon conviction, according to Section 417.
Cyber offence #4 – Online Harassment
Online harassment, including cyber bullying, online stalking or sexual harassment, are found to be against Section 509 Penal code, which states that
‘whoever intending to insult the modesty of any person, utters any word, makes any gestures or exhibits any object, intending that such words or sound shall be heard, or that such gestures or objects shall be seen by such person shall be punished with imprisonment for a term which may extend to five years or with fine, or with both’.
Should sexual harassment happen in employment or at a work place, whether online or offline, be rest assured that there is a specific legislation devising self-help legal procedures in dealing with sexual harassment, which can be found in the Employment Act 1955 (Sexual Harassment Law at Private Employment in Malaysia). Such provisions are applicable to all employers or employees in the private sector.
It is hoped that the parliament will emulate that of UK or Singapore’s Protection from Harassment Law by devising a legislation against various other forms of harassment behaviors found in our society, whether physically or through online, rather than being restricted to sexual harassment.
Section 233 of the CMA is also a provision against online harassment in Malaysia.
Cyber offence #5 – Online Spreading of Terrorist Propaganda
Online spreading of terrorist propaganda or activities using social media is a serious criminal offence under section 130J Penal code, which is punishable with up to 30 years of imprisonment. Back in year 2016, we saw a few Malaysian charged under this provision for spreading Islamic State of Iraq and Syria (a.k.a. ISIS) propaganda.
Cyber offence #6–Facilitating Delivery of Weapons of Mass Destruction
Consistent with Malaysia’s national security and international obligations against the transshipment and brokering of strategic items, including arms and weapons of mass destruction, the Strategic Trade Act 2010 is aimed at preventing the proliferation of weapons of mass destruction and to thwart their delivery systems.
Cyber offence #7 – Electronic Theft
Electronic theft is where hackers or misusers steal a business-sized, company-sized or even industrial-sized database. Such act normally involves copyright infringement. It can be criminal or civil offence depending on which parties initiate the legal action. For instance, illegal download of films or software may expose someone to prosecution under the Copyright Act 1987.
Should this act involves stealing of copyrighted material at work specifically, it may expose someone to civil action by the employer for breach of employment contract under confidentiality clause should the employer find an evidence against the employee.
Cyber offence #8 – Failure of Data User to Secure Personal Data
Section 9 of the Personal Data Protection Act 2010 (‘PDPA Act 2010’) imposes a strict liability on data user who processes personal data in a commercial context, such as banks, telecommunication companies, ISPs or application service providers, to take practical steps to protect the personal data from any loss, unauthorized or accidental access or disclosures, alteration or destruction. Failing which may expose the data user to prosecution under the PDPA Act 2010 and subject to criminal penalty with a maximum fine of RM500,000 or up to three years in jail, or both.
Cyber offence #9 – Online Defamation
Publishing an online defamatory statement or malicious posting against another person in social media platforms (such as Facebook) may also expose someone to civil action in tort. There are many cases reported since year 2016. One of the leading examples is found in the case of Foo Hiap Siong v Chong Chin Hsiang  1 LNS 1196.pdf.
The cybercrimes, despite against the law, it is difficult to recoup what had been lost once the damage is done; data, especially, as well as collective intelligence throughout the years of hard work.
For this, prevention is always better than cure. In real life, there are some effective self-help practices, such as simply installing antivirus software or device a Bring-Your-Own-Device (‘BYOD’) policy at work.
Additionally, there are several legal compliances to be exercised, some are strict but some merely serves as guidelines: –
- Personal Data Protection Act 2010 – Compliance with PDPA Act 2010 is strictly imposed on all data users. There is registration requirement for data users in certain industries, failing which may expose them to criminal penalty with a maximum fine of RM500,000 or up to three years in jail, or both.
- Digital Signatures Act 1997 – Compliance is also strict with all secure electronic transaction service providers.
- National Cyber Security Policy (‘NCSP’) –this is a national policy devise to ensure compliance with information security standards in respect of information critical to national interests and security and potentially collapse the nation’s economy.
(NB: Singapore has recently enacted the Cybersecurity Act 2018 which mainly imposes obligations on the operator of the computer system in essential services to take precautionary measure against cyber-attacks in their operations, i.e. services essential to the national security, defense, foreign relations, economy, public health, public safety or public order of Singapore.)
- Guidelines on Management of Cyber Risk – issued by Securities Commission of Malaysia to be complied by the capital market industry and capital market entities.
- Guidelines on Management of IT Environment – issued by Bank Negara Malaysia to be complied by the banking and financial sector.
It is worth noting that there are also a few cyber security enforcement agencies in Malaysia such as: –
- Cyber Security Malaysia – a national cyber security agency formed under the Ministry of Science, Technology and Information, which is tasked with roles of providing a wide range of cyber security services to strengthen the national cyber security interest.
- Malaysia Computer Emergency Response Team (‘MyCERT’) – the response arm of Cyber Security Malaysia, to provide a point of contact for internet users who are affected by security related incidents which operates Cyber999 as an emergency response agency to private companies and home users.
- Cyber Security Malaysia’s Outreach & Corporate Commitment Department (‘CyberCSI’) – In court, we often see CyberCSI being lead as the prosecution witness in substantiating the prosecution case against cyber criminals. CyberCSI also provides full-fledged digital forensics investigations.
About the Author:
This is the presentation script of our partner, Chia Swee Yik (+6016 2148 218, firstname.lastname@example.org) who has given a presentation on the topic of ‘Cyber Security Law and Framework In Malaysia’ on 25 September 2018 during the Law Awareness Week 2018 organized by the 22nd INTI Law Society Committee of INTI International University Nilai. Chia Swee Yik has provided advice in this area of the law.
Feel free to contact him if you have any queries.