
As the year draws to a close, legal, compliance, and regulatory teams are deep in preparations, strategy setting, and budgeting for 2025. In Malaysia, 2025 brings a series of significant regulatory shifts with the introduction of new compliance obligations, which will affect not only business operations externally but, more importantly, reshape internal processes within in-house legal departments.
Among these changes are two critical developments: the cyber security incident notification under the Cyber Security Act 2024 and the personal data breach notification under the Personal Data Protection (Amendment) Act 2024. Both the Cyber Security Act 2024 and the Personal Data Protection (Amendment) Act 2024 have been gazetted and came into force this year. For in-house legal departments, understanding the differences between cyber security incident notifications and personal data breach notifications will be crucial in ensuring compliance and readiness moving forward. However, many organisations are still grappling with the distinctions between these two types of notifications, raising questions about which companies will be impacted and how they should respond.
This article aims to clarify these differences and provide practical insights to help general counsels and legal teams align their compliance frameworks for 2025.
We will explore 6 key aspects that will allow companies to better understand the nuances of cyber security incident notification and personal data breach notification and tailor their internal processes accordingly.
1. Are Cyber Security Incident Notification and Personal Data Breach Notification the Same?
At first glance, the two notifications may seem interchangeable, often lumped together under the broad term “data breaches.” However, they are distinct obligations governed by different legislation, with separate procedural and substantive requirements.
● Cyber Security Incident Notification:
This requirement stems from the Cyber Security Act 2024, which was gazetted and came into force on 26 June 2024. It specifically addresses threats or disruptions to national critical information infrastructure (“NCII”).
● Personal Data Breach Notification:
This obligation arises under the Personal Data Protection (Amendment) Act 2024, which came into effect on 17 October 2024. It mainly pertains to the compromise, loss, or mishandling of personal data.
These notifications address different issues governed by separate laws, with varying compliance requirements, thresholds, and procedures. For general counsels and legal teams, understanding these foundational differences is critical, as the company’s internal response strategy will need to align accordingly.
2. Who Will Be Impacted by These Notifications?
One of the most important aspects to understand is which companies will be subject to these notification obligations:
● Cyber Security Incident Notification:
Contrary to what some may assume, the Cyber Security Act 2024 does not impose blanket cyber security incident notification obligations on all companies. Instead, the cyber security incident notification obligation applies only to organisations designated as NCII entities.
Under the Cyber Security Act 2024, NCII Leads are responsible for identifying and designating companies that operate or own NCII as NCII entities. While no companies have officially been designated as NCII entities at the time of writing, we understand that some companies have already received informal notifications that they may be subject to future designation. Companies must stay alert to their status, as being designated as an NCII entity will trigger cyber security incident notification obligations.
● Personal Data Breach Notification:
In contrast, the Personal Data Protection (Amendment) Act 2024 introduces broader applicability. The obligation applies to all “data controllers”, a new term replacing the previous concept of “data users.”
A data controller is defined as an individual or organisation who processes any personal data or has control over or authorises the processing of any personal data. Given this broad definition, many companies will likely fall under the scope of the amended PDPA and will need to comply with personal data breach notification requirements.
3. What Constitutes a Cyber Security Incident or a Personal Data Breach?
● Cyber Security Incident Notification:
The Cyber Security Act 2024 defines a cyber security incident as:
“An act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cybersecurity of that computer or computer system or another computer or computer system.”
The key terms to note here are “jeopardize” and “adversely affects.” These words set the level of materiality and seriousness that qualifies an event as a cyber security incident. Simply put, the act or activity must be serious enough to jeopardize or adversely affect the cyber security of the system in question for it to meet the legal definition and necessitate a notification.
However, while the law does not provide detailed guidance on the exact threshold of jeopardy or adverse effect, a strict reading of the definition suggests that the activity must reach a certain level of seriousness to fall within the definition and trigger the notification requirement. On a reasonable interpretation, minor attempts at unauthorised access to the IT environment that are detected, prevented, and flagged by routine firewall operations might not trigger the obligation to notify. In contrast, any successful bypass of the firewall by threat actors, particularly one that jeopardizes or adversely affects cyber security, should trigger the notification requirement, regardless of whether the threat is subsequently neutralised, whether the critical IT environment is accessed, or whether disruptions occur. As the regulatory landscape evolves, future regulations or guidelines may offer clearer benchmarks on the level of seriousness or materiality required for a reportable cyber security incident.
● Personal Data Breach Notification:
The Personal Data Protection (Amendment) Act 2024 does not provide a specific definition of “personal data breach.” However, we can draw parallels from other jurisdictions for reference:
◦ EU’s General Data Protection Regulation (“GDPR”): A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
◦ Singapore’s Personal Data Protection Act 2012: A data breach includes “the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data, or the loss of any storage medium on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.”
While Malaysia has yet to issue detailed guidance on the scope of personal data breaches, it is reasonable to expect alignment with these international standards. Further guidance is anticipated from the relevant regulators to clarify the scope of personal data breach notifications.
4. What Actions Should Companies Take When Notification Obligations Are Triggered?
● Cyber Security Incident Notification:
As explained in our recent article (Responding to Cyber Security Incidents: The Strategic Guide for In-House Counsels Under Malaysia’s Cyber Security Act 2024 – HHQ), the Cyber Security Act 2024 requires NCII Entities to act swiftly when a cyber security incident occurs. The process involves three key steps:
Step 1: Immediate Notification Upon Discovery
Once the NCII Entity becomes aware that a cyber security incident has occurred or may have occurred, an authorised person must immediately notify the relevant authorities via electronic means. This first immediate official notification should be sent via email to cert@nc4.gov.my.
Step 2: Submission of Initial Information within 6 Hours
Within 6 hours of the NCII Entity becoming aware of the cyber security incident, the authorised person must submit information on the cyber security incident, including the type and description of the cyber security incident, and the severity of the cyber security incident.
Step 3: Supplementary Information within 14 Days
Within 14 days after the initial six-hour notification, the authorised person shall, to the fullest extent practicable, submit supplementary information, including the estimated number of hosts affected by the cyber security incident, the particulars of the cyber security threat actor, and the artifacts related to the cyber security incident.
● Personal Data Breach Notification:
For personal data breaches, the Personal Data Protection (Amendment) Act 2024 introduces a two-tier notification process:
Tier 1: Notifying the Commissioner:
If a data controller has reason to believe that a personal data breach has occurred, the data controller shall, as soon as practicable, notify the Commissioner.
Tier 2: Notifying Affected Data Subject:
Where the personal data breach causes or is likely to cause any significant harm to the data subject, the data controller shall also notify the data subject of the personal data breach.
While the Personal Data Protection (Amendment) Act 2024 does not yet provide specific timelines for these notifications, we expect further guidance to be issued. Should Malaysia adopt an approach similar to Singapore’s Personal Data Protection Act 2012, organisations may be required to notify the Commissioner within three calendar days.
5. Does an Incident Require Compliance with Both Notification Obligations?
A critical question for legal departments is whether a single event can trigger both cyber security incident and personal data breach notification obligations. The answer is yes, depending on the extent of the compromise or breach.
In the event of a hack or cyber attack that results in both a cyber security incident and a personal data breach, organisations that are both NCII Entities and data controllers will need to comply with both notification obligations. Given the complexities of responding to such incidents, it is vital for companies to develop clear implementation roadmaps and establish compliance frameworks that outline roles, responsibilities, policies, and procedures. A structured approach will ensure swift and effective responses when incidents arise.
6. What Are the Penalties for Non-Compliance?
The penalties for failing to comply with these notification obligations are severe.
● Cyber Security Act 2024:
NCII Entities that do not comply with the cyber security incident notification requirements may face fines of up to RM500,000, imprisonment of up to 10 years, or both.
● Personal Data Protection (Amendment) Act 2024:
Data controllers who fail to notify either the Commissioner or affected data subjects may be fined up to RM250,000, imprisoned for up to 2 years, or both.
Given these severe penalties, companies must treat these obligations with utmost seriousness to avoid both financial and reputational risks.
Conclusion and Upcoming Event: Preparing for 2025
As companies prepare for 2025, understanding and implementing compliance measures for both cyber security incident notification and personal data breach notification will be critical. Failure to comply can result in severe financial and legal consequences, but with a structured plan in place, organisations can effectively navigate these new requirements.
To support this, we are pleased to announce that Halim Hong & Quek will be co-organising a Cyber Security Incident Simulation Summit in collaboration with S-RM this November. This event will provide practical insights into managing and responding to cyber security incidents effectively under the legal framework of the Cyber Security Act 2024.
By understanding the nuances between cyber security incident notification and personal data breach notification, general counsels and compliance teams will be better positioned to navigate the regulatory challenges of 2025. Now is the time to act, align strategies, and ensure your compliance frameworks are ready for the new regulatory era ahead.
For tailored advice and assistance in navigating this new cyber security framework, our Technology Practice Group is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”),
Fintech, TMT Disputes, TMT Competition, Regulatory
and Compliance
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my