I. Legislative Overview
There is no one single all-encompassing legislation dealing with cybersecurity in Malaysia. The important space is governed by a series of legislation addressing cybersecurity matters as and when they arise.
The legislation in question includes:
Anti-Fake News (Repeal) Act 2020
Communications and Multimedia Act 1998
Computer Crimes Act 1997
Copyright (Amendment) Act 1997
Copyright Act 1987 (Act 332)
Defamation Act
Digital Signature Act 1997
Electronic Commerce Act 2006
Electronic Government Activities Act 2007
Personal Data Protection Act 2010
Penal Code
Sedition Act
Strategic Trade Act 2010
Telemedicine Act 1997
II. Cybersecurity Issues
1. Communication and MultiMedia
The Communications and Multimedia Act 1998 (“CMA“) is a key legislation covering cyber security laws in Malaysia, with ensuring information security, network reliability and network integrity amongst its the main objectives.
The CMA regulates various cyber security matters through conditions attached to licenses issued to various licensees involved in activities such as network facilities, network services and applications services.
Various activities have been legislated as offences including:
Hindering interoperability
Compromising public safety
Fraudulent use of network facilities.
Improper use of network facilities.
Damage to network facilities.
Fraud and related activity in connection with access devices.
Unauthorised interception and disclosure of communications.
Counterfeit access device or unauthorised access device.
2. Misuse of Computers
The Computer Crimes Act 1997 (‘CCA’) is Malaysia’s legislation enacted to penalize misuse of computers.
The CCA covers offences in four key areas:
(i) Unauthorized access to computer material;
(ii) Unauthorized access with intent to commit or facilitate commission of further offense;
(iii) Unauthorized modification of the contents of any computer; and
(iv) Wrongful communication (eg. of password).
The penalties for offenses range from fines of up to RM150,000 and imprisonment of up to 10 years. Abetments and attempts are punishable as commitment of the offences.
3. Copyrights
The Copyright Act 1987 is a vital piece of legislation that protects intellectual property rights in Malaysia. Although its main goal is to protect different types of copyrighted works, it has multiple unintended consequences for cyber security. Even though Malaysia’s legal system heavily relies on the Copyright Act for protection on “brick and mortar” works traditionally, the advent of computer technology and the internet have extended the reach of the Copyright Act to the realm of cyber space and security.
4. Electronic Commerce
Concerns about validity of electronic transactions are covered under the Electronic Commerce Act 2006 (“ECA”). The Act provides for the use of digital signatures in authentication. Service providers, intermediaries, and users in electronic transactions are all subject to requirements under the ECA 2006.
5. Cyber Crimes
The Penal Code of Malaysia is the core legislation for combating crimes in Malaysia and this extends to cybercrimes as well. Although there is no explicit definition of cyber crimes in the Penal Code, certain laws apply to offenses committed using electronic devices. Hacking, illegal access to computer systems, data theft, online fraud, cyberbullying, and the distribution of dangerous software are only a few examples of these acts.
The relevant provisions in the Penal Code which are relevant to cybercrimes in Malaysia include:
Section 403: Theft of digital assets and illegal access to computer systems are examples of criminal misuse of property covered by this provision.
Section 406: Deals with criminal breach of trust, which may extend to the cyber security space.
Section 420: Deals with deception and dishonestly pressuring someone to deliver property; includes a variety of internet fraud and scams.
Section 503: Deals with criminal intimidation, which includes threats sent via electronic messages and other online means
Section 509: Addresses the issue of criminal intimidation which could extend to internet abuse and cyberbullying.
Penalties:
Depending on the severity of the offense, fines and jail times in the Penal Code shall extend to cybercrimes.
Limitations and Challenges:
Although the Penal Code contains laws addressing cybercrimes, there are obstacles in the way of successfully prosecuting such acts. These hurdles include online jurisdictional problems, tracking down offenders, and the constant need for upgrades to stay up to date with new threats and developing technologies.
6. Digital Signatures
Another legislation which has some impact on cyber security issues in Malaysia is the Digital Signature Act 1997 (“DSA”) which regulates the use of digital signatures and matters connected thereto. The Act enhances the overall security of electronic transactions in Malaysia by recognizing digital signatures. Digital signatures based on asymmetric cryptosystems are also recognized by the DSA.
Under Section 62 of the DSA, there are requirements to be satisfied for a digital signature to be legally binding, namely:
(a) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
(b) that digital signature was affixed by the signer with the intention of signing the message; and
(c) the recipient has no knowledge or notice that the signer has breached a duty as a subscriber or does not rightfully hold the private key used to affix the digital signature.
7. Sedition and Free Speech
The Sedition Act 1948 also have an impact on the cybersecurity space in Malaysia. Seditious acts are punishable by law under the Sedition Act 1948. The Act attempts to restrict or criminalise activities that could foster animosity toward the government or create hostility between various racial or religious groups. Although the Sedition Act does not specifically address cybersecurity, its provisions may have an influence on digital communications and online activities.
8. Strategic Trade
The Strategic Trade Act 2010 (STA) also has impact on cyber security issues in Malaysia. The STA, which was implemented by the Malaysian government in 2010, attempts to regulate the export of materials and technologies that are related to proliferation of nuclear weapons, terrorism, and the spread of Weapons of Mass Destruction. The STA covers both the physical and cyberspace realms.
9. Defamation
The mains laws governing defamation in Malaysia is the Defamation Act together with case laws in Malaysia and the English common law on defamation through importation via section 3 of the Civil Law Act 1956. By and large, the principles and practice in regard to defamation laws apply in the physical space and by extension, to the cyber space as well.