Law sought for data protection
Consumer group says security breach a wake-up call; TrueMove H gets seven days to implement additional measures.
THE FOUNDATION for Consumers has urged the government to enact legislation for data privacy protection to safeguard customers’ personal data from being leaked and abused by the private sector and cybercriminals.
Saree Aongsomwang, the foundation’s secretary-general, said the latest data security issue faced by TrueMove H, one of the country’s three major mobile-phone operators, serves as a reminder that consumers’ personal data, such as ID card photos and 13-digit numbers, must be protected by law.
She cited the European Union’s General Data Protection Regulation (GDPR) as an example that should be adopted by Thailand, as there are strong preventive measures for data security such as a heavy fine on companies whose databases are leaked.
The EU’s GDPR, which will be effective on May 25, also bars companies from taking personal data of EU citizens overseas, while specific consent must be given by owners of personal data before the data can be used.
Thailand’s National Broadcasting and Telecom Commission (NBTC) on Tuesday summoned executives of TrueMove H for questioning following reports that the personal data of about 14,000 customers kept by the mobile-phone operator was possibly compromised over the past 2-3 years while being stored on the cloud facility of Amazon Web Services.
NBTC yesterday issued an order for TrueMove H to take several preventive and other related measures to protect public interests and ensure that the possible data leak would not happen again.
First, the mobile-phone operator is required to increase the security precautions on customers’ personal data used in the registration of SIM cards.
The security arrangement also has to be audited by cybersecurity specialists to ensure that it is up to date with the fast-changing technology in this area.
Second, the firm has to provide channels for consumers whose data might have been compromised to check the security of their personal data at no additional expense.
Third, the firm has to take responsibility for potential damage to customers, in accordance with criminal and civil laws.
Fourth, the firm is required to report its actions on these measures to the NBTC within the next seven days.
If the firm does not abide by this order, the NBTC said it would impose a heavy fine of Bt20,000 per day.
Meanwhile, the Foundation for Consumers also criticised the NBTC’s insufficient action against mobile-phone operators whose SMS services are predatory.
Due to numerous complaints about unsolicited SMS services, the foundation said the NBTC should not have allowed operators to pass on the burden of rejecting paid SMS services to consumers.
According to the foundation, mobile-phone operators have flooded their subscribers with paid SMS services, which are unsolicited and would end without expense only when customers press "no" after receiving the messages. Otherwise, the customers will be charged automatically.
However, many consumers, especially older persons, are not aware of the trick and often miss the chance.
This has resulted in additional charges for services that these consumers do not want.