Malaysia legislation

Section 26 of CREDIT REPORTING AGENCIES ACT 2010

(a) to the nature of the credit information and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;

(b) to the place or location where the credit information is stored;

(c) to any security measures incorporated into any equipment in which the credit information is stored;

(d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the credit information; and

(e) to the measures taken for ensuring the secure transfer of the credit information.

(2) Where processing of credit information is carried out by a credit information processor on behalf of the credit reporting agency, the credit reporting agency shall, for the purpose of protecting the credit information from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the credit information processor—

(a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and

(b) takes reasonable steps to ensure compliance with those measures.

Act 710

(3) Without limiting the generality of subsections (1) and (2), a credit reporting agency shall take the following measures to safeguard the credit information it holds against unauthorized access or misuse:

(a) develop written policies and procedures to be followed by its credit information processors, its employees, agents and contractors, or any other person providing services to it;

(b) impose access authentication controls such as the use of passwords, credential tokens, digital signatures or other mechanisms;

(c) provide information and training to its employees to ensure compliance with the policies, procedures and controls;

(d) ensure that a subscriber agreement that complies with the Fourth Schedule is in place before disclosing the credit information to a subscriber;

(e) identify and investigate possible breaches of the subscriber agreement, policies, procedures and controls;

(f) take prompt and effective action in respect of any breaches that are identified;

(g) systematically review the effectiveness of the policies, procedures and controls and promptly remedy any deficiencies; and

(h) maintain an access log.

(4) Without prejudice to section 27, a credit reporting agency shall ensure that if it is necessary for the credit information to be given to a person in connection with the provision of a service to the credit reporting agency, the credit reporting agency shall take all reasonable measures to prevent any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction of the credit information.


(5) The access authentication controls required under paragraph (3)(b) shall include, in respect of an access made, a means of identifying both the subscriber and the specific person of the subscriber who have access to the credit information, or other person who has access to that credit information.

(6) The access log required under paragraph (3)(h)—

(a) shall include a record of the time and date of access to the credit information, the identity of the subscriber or other person who has access to the credit information, and the purpose in relation to each access; and

(b) shall identify or provide a means to identify the specific person of the subscriber who has accessed that credit information and the specific customer whose credit information was so accessed.

(7) A credit reporting agency shall ensure that the access log contains records of all accesses made for a period of not less than two years preceding the date of the access.

(8) A credit reporting agency which contravenes this section commits an offence and shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

Obligation of subscribers, etc.