PETALING JAYA: Victims of online fraud, including data phishing cases, should be able to take legal action against companies under the Personal Data Protection Act (PDPA) 2010, according to the National Consumer Complaints Centre (NCCC).
NCCC chief executive officer Indrani Thuraisingham said that during the engagement session on the act’s amendment, the government recommended that authorities be able to act against any party, including financial institutions and telcos, should there be a data breach.
“However, users currently do not have room to take civil action against these industries. So, we hope this can be implemented.
“(The government should) follow the European Union’s excellent General Data Protection Regulation to protect users,” she told FMT.
Indrani also noted that the Monetary Authority of Singapore (MAS) and the republic’s Infocomm Media Development Authority (IMDA) had last week issued a joint consultation paper proposing a Shared Responsibility Framework (SRF) to remedy phishing data fraud.
The SRF assigns responsibilities to financial institutions and telcos to reduce data phishing fraud, requiring them to compensate affected fraud victims when these responsibilities are not met.
In June, deputy finance minister Ahmad Maslan said the losses accumulated from online fraud since 2019 to May this year amounted to RM2.6 billion, with the highest losses involving investment scams at RM984 million.
This was followed by phone scams (RM637 million), online purchases (RM365 million), love scams (RM268 million), non-existent loans (RM210 million), business email scams (RM134 million), and SMS service fraud (RM7.5 million).
Fong Choong Fook, an information technology expert in application security testing for e-commerce brands and major local banks, said efforts to increase user awareness should go hand in hand with better law enforcement.
“Most online fraud cases involve bank accounts, stemming from users downloading apps and clicking on suspicious links. If we want to follow Singapore’s approach, we need to look at it from the perspective of the cases,” he said.
According to Fong, sales of customers’ data to third parties by bank employees do occur, but they are “very rare” compared with users themselves having revealed their personal details.
“Before penalising companies, there should be a thorough investigation to determine that the fault does not come from the user. Only then does it make sense to request that banks compensate users.”