Fri, May 22, 2020
Data matters: A saleswoman holds up her mobile phone to show a home loan app. The government has proposed a bill on data protection in response to many reports of the misuse and theft of customer data. (JP/Dhoni Setiawan)
Calls for digital companies to implement stronger data protection measures are growing following recent reports of a data breach against Indonesia’s e-commerce unicorn Tokopedia.
Experts have argued that the data protection bill, which is currently being debated at the House of Representatives (DPR), should set a minimum-security standard for digital companies, as the current regulation does not stipulate the technicalities of data protection.
“If we take a look at Government Regulation (PP) No.71, the government did not regulate the technicalities of data protection,” IT expert Tony Seno Hartono said in an online discussion on April 20, referring to PP No.71/2019 on the implementation of electronic systems and transactions.
Tokopedia said its internal database had been breached by an unidentified party in March, resulting in a massive data leak of the personal information of more than 15 million users.
Communications and Information Minister Johnny G. Plate on May 15 urged companies to improve their cybersecurity systems following the breach, saying that the country's digital economy was "under attack".
While PP No.71/2019 does mandate digital service providers to “ensure the safety of information and internal communication systems,” Tony said it stopped short of setting a minimum safety standard for data protection.
He said digital companies should meet the requirements of the ISO/IEC 27001 standard, which specifies the requirements for an information security management system (ISMS) and against which such systems are audited, in order to provide adequate data safety for their users.
“If a company meets the ISO standard, the chance for a data breach becomes extremely small. Even if there is a breach, we could trace the breach’s source and figure out what went wrong,” he said.
However, in order to be certified against the standard, a company must have its information security management system audited by an independent third-party certification body, a cost that is beyond the means of many small start-ups.
“We are always striving to adopt the highest level of security. However, it’s very expensive for start-up companies to adopt ISO standards,” Indonesia E-Commerce Association’s (idEA) government relation manager Rofi Uddarojat said during the discussion.
Even when a company has obtained the certification, or has an independent security auditor routinely assess its systems, Tony said, many Indonesian companies do not act on the audit findings.
“From my experience, many institutions ignore [audit results]. If there’s a breach, I believe it’s not because the auditor missed the security gap but rather because their assessment was not followed up by the institutions,” he said.
During the discussion, Rofi also criticized the draft Communications and Information Ministry regulation that implements PP No.71/2019, saying it bureaucratizes decisions about where data is stored.
While the PP gives companies the option to store their data either inside the country or abroad, Article 6 of the draft ministry regulation requires private companies to obtain a permit from the minister before storing their data abroad, according to the latest draft released on March 10.
“While we appreciate the PP for giving us the freedom to store our data inside the country or abroad, there seems to be an attempt at bureaucratization in the draft regulation,” Rofi said.