Calls are growing for digital companies to implement stronger data protection measures after a data breach that targeted Indonesian e-commerce unicorn Tokopedia in March.
Experts say that the data protection bill being deliberated at the House of Representatives should set a minimum security standard for digital companies.
“If we take a look at PP No. 71, the government did not regulate the technicalities of data protection,” IT expert Tony Seno Hartono said in an online discussion on April 20, referring to Government Regulation (PP) No. 71/2019 on the implementation of electronic systems and transactions that regulates data protection.
Tokopedia announced in early May that its database containing user information had been breached by an unidentified third party in March and that the personal information of more than 15 million users had been leaked.
Communications and Information Minister Johnny G. Plate on May 15 urged companies to improve their cybersecurity systems following the massive breach, saying that the country’s digital economy was “under attack”.
While PP No. 71/2019 requires digital service providers (DSPs) to “ensure the safety of information and internal communication systems”, Tony said that it stopped short of setting a minimum standard for data safety and protection.
He said that DSPs should meet the ISO/IEC 27001 standard on information security management systems in order to provide adequate data security for users.
“If a company meets the ISO standard, the chance of a data breach becomes extremely small. Even if there is a breach, we could trace the source of the breach and figure out what went wrong,” said Tony.
However, in order to receive certification under the standard, a company must hire an accredited third party to audit its digital security system, something that is not possible for small start-ups.
“We are always striving to adopt the highest level of security. However, it’s very expensive for start-up companies to adopt ISO standards,” government relations manager Rofi Uddarojat of the Indonesia E-Commerce Association (idEA) said during the discussion.
Even if a company has received ISO certification or hired an independent auditor to review its security system regularly, Tony said that many Indonesian companies did not upgrade their security systems according to the audit results and recommendations.
“From my experience, many organizations ignore them [the audit results]. If there’s a breach, I believe it is not because the auditor missed the security loophole, but rather because the organization did not follow up on their assessment,” he said.
During the discussion, Rofi also criticized a draft implementing regulation for PP No. 17/2019 from the Communications and Information Ministry for bureaucratizing data storage.