15 June 2021
General Reinsurance

The "PDP Law" Era and Cyber Protection Urgency

The Indonesian House of Representatives (DPR) has listed the Personal Data Protection Bill (PDP Bill) in the National Legislation Program (Prolegnas) as one of the bills to be prioritized in 2021, along with 32 other bills. However, there is no guarantee that the bill will be passed in 2021: it has been on the Prolegnas list since 2018 and has still not been passed.
 
The PDP Bill is urgently needed because data is a commodity in this "Big Data" age. Data is exploited continuously, with or without our consent. As a resource, data needs to be regulated more seriously to minimize its misuse. Provisions on personal data protection in Indonesia are currently spread across the ITE Law and its derivative regulations, namely Government Regulation No. 71 of 2019, Regulation of the Minister of Communication and Information No. 20 of 2016, and other sectoral regulations. To provide a more comprehensive arrangement for protecting personal data, the Government initiated the drafting of the PDP Bill.
 
The Global Data Privacy Laws 2021 survey shows that 145 countries already have data protection provisions, a 10% increase on the previous year. Most of these countries were influenced by the implementation of the General Data Protection Regulation (GDPR) in Europe, and Indonesia's PDP Bill is no exception.
 
Several incidents have increased the urgency of passing the PDP Bill. The Government and the DPR need to reach agreement quickly on the matters still under discussion. Major cyber incidents, such as the alleged data breaches at an e-commerce site and at BPJS Kesehatan, should have been warning enough to raise awareness of the need to pass the bill.
 
At the same time, there is a need for proper electronic system security. Entities acting as data controllers need to follow the applicable international standards on electronic system security, of which the ISO/IEC 27000 series of information security management standards is among the most widely adopted. However, a lack of awareness of cyber threats means that few data controllers in Indonesia have implemented this standard.
 
Even the most secure system still leaves room for a breach. Security controls are updated continuously to counter each new cyber threat, but attackers' ability to breach those controls grows just as fast, and they keep probing for a crack. Data controllers are therefore obliged to keep finding ways to improve their security. Through crowdsourced security platforms or bug bounty programs such as HackerOne and Bugcrowd, ethical hackers can provide services to data controllers to identify weaknesses in their security systems.
 
"There is no such thing as absolute security", so the risk of a breach of the security system, which can lead to financial loss, will always follow the data controller. This is where the insurance company plays its role as an entity that accepts that risk, through the product called cyber insurance.
 
Cyber insurance has grown exponentially over the past ten years in the United States and Europe, where the product has a long development history and the GDPR has increased awareness of the need for layered cyber protection.
 
Dedicated cyber insurance typically provides two types of coverage. First-party coverage covers the insured's own losses resulting from a cyber incident. Third-party coverage is liability protection for the event that a cyber incident harms the insured's clients or related parties. Between them, these coverages commonly include expenses related to public relations, legal costs and business interruption. Cyber insurance policies are generally written on a "claims-made" basis, meaning the insured must notify claims during the policy period.
 
Although this insurance product is quite popular overseas, there are not many cyber insurance players in Indonesia. Companies providing cyber insurance coverage are dominated by joint-venture insurers. The readiness of risk carriers in Indonesia also needs to improve, given their lack of knowledge and experience in handling cyber insurance.
 
The OECD identifies three challenges in providing cyber risk coverage: (i) a lack of accurate historical data on cyber incidents for pricing, (ii) the changing nature of cyber risk, and (iii) access to information about a corporation's security system, which is required in the underwriting process. Another obstacle is that insurers require reinsurance back-up to cover the risk, yet local and international reinsurer capacity for cyber insurance is currently quite limited.
 
Stakeholders, particularly those acting as data controllers, are beginning to need this insurance product because of the various obligations and sanctions in the PDP Bill. For example, a data controller is obliged to protect personal data from unauthorized processing. Failure to fulfil this obligation can lead to sanctions ranging from written warnings to administrative fines, and these sanctions can be cumulative. The data controller may also face lawsuits, which can consume a great deal of time and money. By obtaining cyber insurance, a data controller can minimize its potential financial loss when a cyber incident occurs.
 
Cyber insurance is a product developed by the insurance industry as a risk management tool. Keep in mind, however, that insurance has a limit of liability, so it does not eliminate cyber risk as a whole.
 

Author

Kalih Krisnareindra, S.H., M.H., AAAIK

Email: krisna@indonesiare.co.id