The TrueMoveH fiasco, with customers’ personal information left exposed on a digital shelf, underlines the peril we’re in
The latest data security threat affecting more than 10,000 Thai subscribers to TrueMoveH should serve as a wake-up call for the government. It must quickly enact legislation covering data privacy and security.
Despite the much-vaunted “Thailand 4.0” initiative, the country still lacks a specific law to protect personal digital data and ensure that the owners’ right to privacy is strictly observed.
In the TrueMoveH incident, the security of personal ID card photos and 13-digit ID numbers of more than 10,000 customers – stored at the Amazon Web Services cloud computing facility – was compromised, according to Niall Merrigan, an Irish cyber-security expert. The security threat was discovered more or less in plain sight last month, potentially enabling unauthorised access to the personal information of the Thai mobile-phone firm’s customers.
On April 18, the National Broadcasting and Telecom Commission ordered TrueMoveH to address the issue within seven days and to take preventive and remedial measures. To be sure, this incident is not going to be the last as the Thai economy and society venture deeper into the digital era. From legal and regulatory perspectives, it is imperative that the officials involved come up with new legislation to protect the security of personal data while ensuring that the right to privacy is upheld.
One example is the European Union’s new General Data Protection Regulation (GDPR), which will come into effect on May 25. Under this framework, violators will be subject to heavy penalties. The regulations apply outside the union too. Companies in non-EU countries would also be liable if they mishandle the personal information of EU citizens. Firms within or outside the union found to have violated the legislation will be subject to fines of up to 4 per cent of their global annual turnover or 20 million euros (Bt720 million), whichever is higher.
The EU law will also strengthen conditions for gaining “consent” from data owners. Consent must be given in an intelligible and easily accessible form, and it must be as easy to withdraw consent as it is to give it. If there are data breaches, notification is mandatory within 72 hours of the breach’s discovery. In other words, data leaks and other violations are punishable with hefty fines, and consumers must be notified quickly following any breach.
The Thai government should proceed quickly in enacting a similar bill, keeping the Kingdom up to date with the fast-changing world of data privacy and security. Citizens already share extensive personal data with telecom operators and the rapid pace of economic and social digitalisation will soon have us spreading it around much further. More Thais will be using mobile banking and payment services on their phones rather than physically visiting bank branches. The number of online banking accounts has already topped 10 million. The inevitable result is that a massive amount of personal financial information is now online and it’s growing fast.
In e-commerce, the same phenomenon is racing ahead, with volume and value of online purchases expanding by leaps and bounds. In insurance and healthcare, a massive amount of medical and health records of insurance policyholders will be vulnerable if there is no strict legislation covering data privacy and security.
The government has the duty to ensure that the law fully protects individuals’ personal information and their right to privacy.