Bank Negara Malaysia has issued a Policy Document on Management of Customer Information and Permitted Disclosures introducing new breach notification requirements for financial service providers, including reporting to the central bank and notifying affected customers where harm is significant. Financial service providers must notify Bank Negara Malaysia of a customer information breach that causes or is likely to cause significant harm to customers, or where the breach involves or is likely to involve a large number of customers, and must notify affected customers where the breach causes or is likely to cause significant harm. The requirements are aligned with amendments to the Personal Data Protection Act 2010 introducing mandatory data breach notification to the Personal Data Protection Commissioner, and the policy document includes templates for breach reporting (Appendix I) and applications for disclosure of customer information (Appendix V). The policy takes effect immediately.
Bank Negara Malaysia 2025-10-31
Bank Negara Malaysia mandates reporting and customer notification for significant customer information breaches
Bank Negara Malaysia's Policy Document on Management of Customer Information requires financial service providers to report significant breaches to the central bank and notify affected customers. This aligns with amendments to the Personal Data Protection Act 2010 that mandate breach notification to the Personal Data Protection Commissioner. The policy includes templates for reporting and disclosure applications and is effective immediately.