Employers, Employees Liable For Data Breaches Under WFH, Says Lawyer

By N.Sevagamy

KUALA LUMPUR, March 28 (Bernama) -- Employees and employers working remotely remain fully liable for data breaches under Malaysian law, despite the growing shift to work-from-home (WFH) arrangements, a lawyer said.

Datuk J. Shamesh said that while employees must uphold confidentiality and act in good faith, employers are equally responsible for providing secure systems and safeguards to protect sensitive information.

“Working remotely does not reduce an employee’s responsibility, as the obligation to protect confidential information remains firmly in place. 

“Under Section 9 of the Personal Data Protection Act 2010 (PDPA), data users must take practical steps to safeguard personal data, considering the type of data, the risks involved, and the environment in which it is stored or processed, including remote work settings," he told Bernama.

The emphasis on data security comes as countries increasingly adopt WFH arrangements to mitigate the impact of global oil supply disruptions, with Malaysia also refining flexible work policies.

Shamesh warned that both employers and employees could face criminal penalties, including several years of imprisonment, for failing to protect company and client data under the PDPA.

He noted that while office-based data is typically protected by enterprise-grade firewalls and physical security controls, the use of personal devices and unsecured home Wi-Fi in a WFH setting can bypass these protections, increasing the risk of unauthorised access or accidental disclosure.

“Employees owe an implied duty of good faith and fidelity to their employers. Storing or processing confidential information on personal devices without authorization can be treated as a serious breach,” Shamesh said. 

The legal expert cited the case of Norzuliyana Zulkefli v. Malayan Banking Berhad (2024), where an employee was dismissed for retaining sensitive customer data on a personal mobile phone that was later accessed by a third party.

He also referred to Equity Trust (Labuan) Limited v Mohammad Sofian Mohamad & Anor (2011), where transferring proprietary data to personal devices or emails was held to be a breach of confidentiality and fiduciary duty.

On employer liability, Shamesh said companies can also be held accountable under the doctrine of vicarious liability, particularly if internal checks are lacking. 

He cited Kumpulan Wang Persaraan (Diperbadankan) v Meridian Asset Management Sdn Bhd (2012) 6 MLRH 189, where the High Court ruled that an employer cannot hide behind employees’ actions if proper internal procedures are not in place.

“The court emphasised that professional organisations must protect client interests through strict operating procedures,” he said.

Shamesh added that under Section 9(1) of the PDPA, organisations must take practical measures to prevent loss, misuse, or unauthorised access to sensitive data, including ensuring devices are secured with encryption and strong authentication, training employees handling data, and transferring information safely via secure channels.

“Tools like virtual private networks (VPNs) and approved company systems help maintain data security. Section 12B of the PDPA also requires companies to report personal data breaches promptly to the Commissioner. These measures help build a culture of responsibility and trust, keeping data safe even in a remote work environment,” he said.

The WFH model gained widespread traction during the COVID-19 pandemic, when movement restrictions forced organisations to rapidly shift to remote operations, accelerating digital adoption and reshaping workplace practices.

On Thursday, Prime Minister Datuk Seri Anwar Ibrahim said the government is refining flexible work arrangements, including WFH for civil servants, to mitigate the impact of global oil supply disruptions arising from the West Asia crisis.

--  BERNAMA