Since 2025, Malaysia’s data protection landscape has undergone a fundamental shift. With the introduction of mandatory data breach notification under the Personal Data Protection Act 2010 (“PDPA”) and the Personal Data Protection Guideline on Data Breach Notification (“DBN Guideline”) issued by the Personal Data Protection Commissioner (“Commissioner”), organisations acting as data controllers are now subject to strict statutory timelines when a personal data breach occurs.
A “personal data breach” refers to any breach involving personal data, including loss, misuse or unauthorised access.
Under the PDPA and the DBN Guideline, once a data controller has reason to believe that a personal data breach has occurred, it must notify the Commissioner as soon as practicable and no later than 72 hours from the occurrence of the breach. Failure to comply may result in criminal liability, including a fine of up to RM250,000, imprisonment of up to two years, or both.
Against this backdrop, the first 72 hours following the discovery of a breach are critical. The speed, structure and quality of the organisation’s response can significantly influence regulatory exposure, reputational impact and legal risk.
Below is a practical guide on how data controllers should approach this critical window.
1. Immediate containment
Once a breach is suspected or detected, swift containment is essential to prevent further compromise or ongoing breach.
Affected systems, networks or applications should be identified and isolated without delay. Access credentials for compromised accounts may need to be suspended or reset. Identified vulnerabilities should be patched where feasible. Crucially, system logs and forensic evidence must be preserved to support investigation and potential regulatory review.
The objective at this stage is to stabilise the situation and prevent escalation.
Activating a coordinated response structure
Simultaneously, the matter should be escalated internally and the organisation’s response framework activated.
This typically involves IT, legal, compliance, risk management and senior leadership. Where necessary and appropriate, external cybersecurity and forensic experts should be engaged promptly.
Clear reporting lines and secure communication channels within the incident response team should be established. Coordination during this phase is critical to ensure accuracy, consistency and speed in decision-making.
2. Conducting a rapid investigation
A preliminary investigation must follow immediately. The purpose is not to achieve forensic certainty, but to gather sufficient information to enable a reasoned legal assessment on whether a personal data breach has occurred, and whether any notification obligation is triggered.
During the investigation, key issues to identify include:
- the type of personal data involved;
- the number of affected data subjects;
- the systems, servers, databases, platforms and services affected;
- the chronology of events leading to the data breach;
- the severity of the data breach;
- the root cause of the data breach, and whether it is still ongoing;
- the harm and potential harm that may result from the data breach;
- the measures that should be taken to contain the data breach, and mitigate its possible adverse effects; and
- the remedial actions that should be taken to reduce the harm to affected data subjects.
Following the investigation and assessment, an internal incident report should be prepared, summarising the findings, impact and recommended actions. This report should be shared with senior management and relevant stakeholders.
3. Determining when the 72-hour clock starts
The notification obligation is triggered when the data controller has reason to believe that a personal data breach has occurred.
The clock does not necessarily start at the time of system intrusion. Based on the DBN Guideline, in cases such as ransomware attacks or suspected network compromise, the 72-hour period begins once the data controller confirms, during its system inspection, that the system has indeed been compromised or a personal data breach has indeed occurred.
The threshold is one of reasonable awareness.
4. Assessing “significant harm”
Not every breach requires notification. Notification is required only where the breach causes or is likely to cause significant harm.
“Significant harm” is defined to include situations where compromised data:
- may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
- may be misused for illegal purposes;
- consists of sensitive personal data;
- consists of personal data and other personal information which, when combined, could potentially enable identity fraud;
- is of significant scale, i.e., it affects more than 1,000 individuals.
This assessment is contextual and risk-based and should include evaluation of both actual harm and reasonably foreseeable harm.
5. Notifying the Commissioner
If the significant harm threshold is met, the data controller must notify the Commissioner within 72 hours using the prescribed notification form.
Where certain information is not yet available, phased notification is permissible, with a supplemental notification containing the additional information to be submitted within 30 days from the initial notification.
If notification is made after the 72-hour period, the data controller must provide written reasons for the delay, together with supporting evidence, including documentation of the incident timeline, internal communications and any technical issues or external factors that contributed to the delay.
The notification form must designate a representative as the main point of contact to address any inquiries or requests from the Commissioner regarding the personal data breach. If the data controller is subject to the mandatory requirement to appoint a data protection officer (“DPO”) under the PDPA, the DPO must act as the contact person. Otherwise, a representative with sufficient seniority and expertise must be designated.
Submission may be made by email or hardcopy. Importantly, notification is considered as submitted only upon issuance of a confirmation notice by the Commissioner.
6. Notifying affected individuals
Where the breach causes or is likely to cause any significant harm to data subjects, affected data subjects must be notified without unnecessary delay, and no later than seven days after notifying the Commissioner.
There is no prescribed format or template, but the notification must include:
- details of the breach;
- details on the potential consequences resulting from the breach;
- measures taken or proposed to be taken by the data controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects;
- measures that the affected data subjects may take to eliminate or mitigate any potential adverse effects resulting from the breach; and
- the contact details of the DPO or other contact point from whom more information regarding the breach can be obtained.
Notification should be clear, intelligible and appropriate to the circumstances. Direct notification (such as email, SMS, direct messaging or postal communication) is preferred.
However, where direct notification is impracticable or requires disproportionate effort, such as contacting a very large number of data subjects across multiple states or countries, public communication may be used. Examples of public communication include website notice, media notice, social media and automated notification (push notification).
7. Governance and remediation
Beyond immediate response, the data controller should conduct a comprehensive review of its data breach management and incident response process. This includes identifying procedural gaps, reviewing the effectiveness of containment measures, assessment procedures and reporting protocols, as well as updating security controls, data protection policies and procedures.
Additional safeguards should be implemented to prevent similar breaches in the future, such as enhanced access controls, intrusion detection systems, data encryption measures and penetration testing. Periodic staff training and simulation exercises are equally important to ensure preparedness for future incidents.
8. Documentation and record-keeping
Careful documentation is essential throughout this period.
The DBN Guideline requires data controllers to keep records and maintain a register of personal data breaches for at least two years from the date of the notification to the Commissioner, including breaches that did not meet the notification threshold.
While there is no prescribed format or method for documenting the breach, the register should, at a minimum, include:
- a description of the breach, including the date and time the data controller became aware of the breach, an analysis and identification of the root cause, the type of personal data involved, the estimated number of affected data subjects, the estimated number of affected data records and the compromised personal data system which allowed the breach to occur;
- a description of the likely consequences of the breach;
- a description of a chronology of the events leading to the breach;
- containment and recovery measures taken to address the breach; and
- details of notifications made to the Commissioner and/or affected data subjects and justification for not making notifications, where applicable.
In the event of regulatory scrutiny, proper records are critical in demonstrating compliance and good faith.
Conclusion
Cybersecurity incidents have become an operational reality in today’s digital environment. What ultimately matters is how the organisation reacts and responds.
Malaysia’s data breach notification regime is nascent, and enforcement practices are progressively developing. In this evolving regulatory landscape, a structured, cautious and well-documented approach is essential when responding to a personal data breach.
The first 72 hours are critical. This period often determines how regulators, customers and stakeholders perceive the organisation’s handling of the incident. While a data breach may sometimes be unavoidable, poor response management is not. Prompt containment, a proper investigation, clear internal coordination and timely notification (where required) demonstrate accountability, transparency and good governance.
Data breach response is therefore not merely a technical exercise. It is a governance and risk management issue. Senior management should ensure that robust incident response plans are established, tested and understood before an incident occurs.
In many cases, regulatory exposure arises not from the breach itself, but from delay, inadequate assessment or failure to comply with notification obligations. A disciplined, structured and well-documented response within the first 72 hours can significantly mitigate that risk.
This article is authored by our Partner, Ms Lee Lin Li and Senior Associate, Ms Chong Kah Yee. The information in this article is intended only to provide general information and does not constitute any legal opinion or professional advice.