The Jakarta Post
Calls for digital companies to implement stronger data protection measures are growing following recent reports of a data breach against Indonesia’s e-commerce unicorn Tokopedia.
Experts have argued that the data protection bill, which is currently being debated at the House of Representatives (DPR), should set a minimum-security standard for digital companies, as the current regulation does not stipulate the technicalities of data protection.
“If we take a look at Government Regulation (PP) No.71, the government did not regulate the technicalities of data protection,” IT expert Tony Seno Hartono said in an online discussion on April 20, referring to PP No.71/2019 on the implementation of electronic systems and transactions.
Tokopedia said its internal database had been breached by an unidentified party in March, resulting in a massive data leak of the personal information of more than 15 million users.
Communications and Information Minister Johnny G. Plate urged on May 15 companies to improve their cybersecurity systems following the breach, saying that the country’s digital economy was “under attack”.
While PP No.71/2019 does mandate digital service providers to “ensure the safety of information and internal communication systems,” Tony said it stopped short of setting a minimum safety standard for data protection.
He said digital companies should meet the requirements of the ISO27001 standard, which measures and evaluates information security management systems, in order to provide adequate data safety for their users.
“If a company meets the ISO standard, the chance for a data breach becomes extremely small. Even if there is a breach, we could trace the breach’s source and figure out what went wrong,” he said.
However, in order to be certified for the standard, a digital company must hire a third-party security auditor to analyze its security system, which is not possible for small start-ups.
“We are always striving to adopt the highest level of security. However, it’s very expensive for start-up companies to adopt ISO standards,” Indonesia E-Commerce Association’s (idEA) government relation manager Rofi Uddarojat said during the discussion.
Even if a company has received the certification or has an independent security auditor to routinely analyze its security system, Tony said many Indonesian companies did not improve their security systems in line with the audit results.
“From my experience, many institutions ignore [audit results]. If there’s a breach, I believe it’s not because the auditor missed the security gap but rather because their assessment was not followed up by the institutions,” he said.
During the discussion, Rofi also criticized the draft of a Communications and Information Ministry regulation that follows PP No.17/2019, for bureaucratizing data placement.
While the PP gives companies the option to choose whether to store their data inside the country or abroad, Article 6 of the ministry regulation requires private companies to obtain a permit from the minister to store their data abroad, according to the latest draft released on March 10.
“While we appreciate the PP for giving us the freedom to store our data inside the country or abroad, there seems to be an attempt at bureaucratization in the draft regulation,” Rofi said.