With the Personal Data Protection (Amendment) Act 2024 (“PDPA”) and the new Cyber Security Act 2024 (“CSA 2024”) in force, organisations are now subject to complementary but distinct notification obligations under two legal regimes:
- the PDPA for personal data breaches, and
- the CSA 2024 for cyber security incidents involving national critical information infrastructure (NCII) entities.
In this article, we break down the differences between Data Breach Notification (DBN) under the PDPA and Cyber Security Incident Reporting under the CSA 2024.
Quick comparison
| Aspect | Personal Data Breach | Cyber Security Incident |
|---|---|---|
| Definition | Any event or incident that leads or is likely to lead to the breach, loss, misuse, or unauthorised access of personal data | An act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardises or adversely affects its cyber security |
| Source of breach | Accidental or deliberate; can involve internal or external parties | Cyber threat actor(s) or unauthorised computer activity |
| Regulated under | Personal Data Protection Act (PDPA) | Cyber Security Act 2024 (CSA 2024) |
| Threshold | Likely to cause “significant harm” to individuals | Incident involving or affecting National Critical Information Infrastructure (NCII) |
| Regulator | Personal Data Protection Commissioner (“PDPC”) | National Cyber Security Agency (“NACSA”) |
| Mandatory by law | Yes | Yes |
Legal triggers and reporting thresholds
Data breach reporting
Under the PDPA (Section 12B), Circular of Personal Data Protection Commissioner No. 2/2025, and Data Breach Notification (DBN) Guideline, a data breach must be reported if it causes or is likely to cause “significant harm”.
If the organisation determines a breach does not cause or is not likely to cause significant harm, then notification is not mandatory.
However, for regulatory review purposes, it is strongly recommended to document the internal assessment process, including the basis for the non-notification decision, the risk evaluation findings, and any supporting documents or mitigation steps.
Cyber Security Incident reporting
Under the CSA 2024 (Section 23) and the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, a cyber security incident must be reported immediately once it comes to the knowledge of the NCII entity that a cyber security incident in respect of the NCII has occurred or might have occurred.
Even suspected incidents must be reported within the prescribed time and in the prescribed manner (as set by the regulations).
Under the CSA 2024, only entities classified as NCII are legally required to report cybersecurity incidents. However, non-NCII entities may also voluntarily report incidents.
Notification timeline and channels
| Reporting Obligation | PDPA 2024 (Data Breach) | CSA 2024 (Cyber Security Incident) |
|---|---|---|
| Notified to | PDPC | The Chief Executive of NACSA and the relevant NCII sector lead |
| Notification | As soon as practicable (within 72 hours of becoming aware of the incident) | Immediate notification; initial report to be submitted within 6 hours of becoming aware of the incident |
| Method | By electronic means (i.e., email) or by hardcopy submission | By electronic means |
| Notification to affected individuals | Within 7 days of PDPC notification (if there is “significant harm”) | Currently no express obligation under the CSA 2024 |
| Reporting format | DBN Form | Via email to [email protected]; submit the necessary information via the National Cyber Coordination and Command Centre System |
| Supplementary information | Update PDPC if more details become available | Within 14 days of the notification, with further updates from time to time |
Coordinating dual notifications
Incidents involving both system compromise and personal data loss may require dual notification, in which case:
- Notify PDPC: If personal data is involved and individuals suffer or may suffer significant harm.
- Notify NACSA: If the incident compromises systems of the NCII entity.
To enhance coordination and minimise compliance risks, we recommend:
- establishing a cross-functional breach response team (legal, IT, communications)
- maintaining clear internal protocols and a documented breach response plan
- designating a central liaison to coordinate between PDPC and NACSA
Enforcement and penalties
Failure to notify the relevant agency of an incident carries the following potential penalties.
| PDPA | CSA 2024 |
|---|---|
| Fine up to RM250,000, imprisonment up to 2 years, or both. | Fine up to RM500,000, imprisonment up to 10 years, or both. |
Non-compliance may also trigger further investigations, compliance audits, and reputational harm.
Practical takeaways
Based on our experience assisting clients with breach response, we offer the following practical steps to manage the situation effectively:
- Conduct an immediate triage: Determine whether the incident involves a personal data breach, a cyber security incident, or both.
- Check whether reporting is required: Assess whether your organisation is a designated NCII entity or if the incident meets the reporting thresholds under the PDPA or CSA. Some organisations may not realise they are subject to mandatory breach notification requirements.
- Don’t delay: Even if full details are not yet available, initiate preliminary notification as required by law. Authorities expect timely notification, with updates submitted later.
- Document everything: Keep thorough records of risk assessments, notification decisions, communications, and mitigation efforts; these may be subject to regulatory scrutiny.
Conclusion
With both the PDPA and the CSA 2024 in full effect, the distinction lies in the focus: PDPA protects individuals, while the CSA governs cybersecurity risks and incident response.
In practice, the lines often blur. That’s why we help clients build integrated response frameworks that account for both legal regimes, timelines, and regulators.
If you are unsure whether your organisation’s protocols are up to date, or whether you are designated as NCII, now is the time to review and reinforce your governance framework.