Data theft and the law on protection of personal data: A thematic analysis

Erwin Asmadi; Adi Mansar; Triono Eddy; Mukti Fajar Nur Dewata; Farid Wajdi; Norhasliza binti Ghapa

Authors

Erwin Asmadi Universitas Muhammadiyah Sumatera Utara
Adi Mansar Universitas Muhammadiyah Sumatera Utara
Triono Eddy Universitas Muhammadiyah Sumatera Utara
Mukti Fajar Nur Dewata Universitas Muhammadiyah Yogyakarta
Farid Wajdi Universitas Muhammadiyah Sumatera Utara
Norhasliza binti Ghapa Universiti Sultan Zainal Abidin

Keywords:

Data Theft, Data Protection, Criminal Law, Adaptive Law

Abstract

Introduction to the Problem: Data theft and leakage have severe consequences and can harm individuals, organizations, and society. Such problems also frequently occur in Indonesia massively.

Purpose/Study Objectives: This study aims to analyze the efficacy of legal measures, particularly Law Number 27 of 2022, in addressing these issues and explores challenges hindering effective enforcement.

Design/Methodology/Approach: This study employs a qualitative approach, specifically thematic analysis, to examine the legal landscape of personal data protection in Indonesia, utilizing Law Number 27 of 2022 as the primary document for analysis. The data was then transferred to Nvivo 12 Plus for coding, classification, and coding based on units of analysis, including theme identification and text search to find words, phrases, or text patterns.

Findings: The study reveals that substantial steps, including the enactment of the Personal Data Protection law, have been taken to address data theft in Indonesia. The law establishes criminal consequences, encompassing imprisonment, fines, restitution, or a combination thereof. However, despite these measures, challenges persist, including limited law enforcement capacity, insufficient awareness of data protection, constrained inter-agency cooperation, and the swift pace of technological advancements. Furthermore, issues such as limited digital evidence, sluggish legal processes, low reporting rates, ineffective penalties, and difficulties in enforcing laws in cyberspace compound the challenges faced by law enforcement in Indonesia.

Paper Type: Research Article

References

Abidin, M. A. Z., Nawawi, A., & Salin, A. S. A. P. (2019). Customer data security and theft: A Malaysian organization’s experience. Information and Computer Security, 27(1), 81–100. https://doi.org/10.1108/ICS-04-2018-0043

Abouelmehdi, K., Beni-Hessane, A., & Khaloufi, H. (2018). Big healthcare data: Preserving security and privacy. Journal of Big Data, 5(1), 1–18. https://doi.org/ 10.1186/s40537-017-0110-7

Akman, E., İdil, Ö., & Çakır, R. (2023). An investigation into the levels of digital parenting, digital literacy, and digital data security awareness among parents and teachers in early childhood education. Participatory Educational Research, 10(5), 248–263. https://doi.org/10.17275/per.23.85.10.5

Al-Harrasi, A., Shaikh, A. K., & Al-Badi, A. (2023). Towards protecting organisations’ data by preventing data theft by malicious insiders. International Journal of Organizational Analysis, 31(3), 875–888. https://doi.org/10.1108/IJOA-01-2021-2598

Alam, M. K. (2021). A systematic qualitative case study: Questions, data collection, NVivo analysis and saturation. Qualitative Research in Organizations and Management: An International Journal, 16(1), 1–31. https://doi.org/10.1108 /QROM-09-2019-1825

Almaraz-Rivera, J. G., Cantoral-Ceballos, J. A., & Botero, J. F. (2023). Enhancing IoT network security: Unveiling the power of self-supervised learning against DDoS attacks. Sensors, 23(21), 8701. https://doi.org/10.3390/s23218701

Andraško, J., Mesarčík, M., & Hamuľák, O. (2021). The regulatory intersections between artificial intelligence, data protection and cyber security: Challenges and opportunities for the EU legal framework. AI and Society, 36(2), 623–636. https://doi.org/10.1007/s00146-020-01125-5

Aulianisa, S. S., & Indirwan, I. (2020). Critical review of the urgency of strenghthening the implementation of cyber security and resilience in Indonesia. Lesrev (Lex Scientia Law Review), 4(1), 33–48. https://doi.org/https: //doi.org/10.15294 /lesrev.v4i1.38197

Baharuddin, T., Qodir, Z., & Loilatu, M. J. (2022). Government website performance during Covid-19 : Comparative Study Yogyakarta and South Sulawesi , Indonesia. Journal of Governance and Public Policy, 9(2), 109–123. https://doi .org /10.18196/jgpp.v9i2.11474

Bechara, F. R., & Schuch, S. B. (2020). Cybersecurity and global regulatory challenges. Journal of Financial Crime, 28(2), 359–374. https://doi.org/10.1108/JFC-07-2020-0149

Boerman, S. C., Kruikemeier, S., & Zuiderveen Borgesius, F. J. (2021). Exploring motivations for online privacy protection behavior: Insights from panel data. Communication Research, 48(7), 953–977. https://doi.org/10.1177/00936502 18800915

Bossler, A. M. (2020). Cybercrime legislation in the United States. In T. J. Holt & A. M. Bossler (Eds.), The Palgrave Handbook of International Cybercrime and Cyberdeviance (pp. 257–280). Palgrave Macmillan, Cham. https://doi.org/10 .1007/978-3-319-78440-3_3

Braga, A. A., Weisburd, D., & Turchan, B. (2018). Focused deterrence strategies and crime control: An updated systematic review and meta-analysis of the empirical evidence. Criminology and Public Policy, 17(1), 205–250. https://doi.org/10. 1111/1745-9133.12353

Chatterjee, S. (2019). Is data privacy a fundamental right in India?: An analysis and recommendations from policy and legal perspective. International Journal of Law and Management, 61(1), 170–190. https://doi.org/10.1108/IJLMA-01-201 8-0013

Clough, J. (2011). Data theft? cybercrime and the Increasing criminalization of access to data. Criminal Law Forum, 22(1–2), 145–170. https://doi.org/10.1007/ s10609-011-9133-5

Cobbe, J. (2019). Administrative law and the machines of government: Judicial review of automated public-sector decision-making. Legal Studies, 39(4), 636–655. https://doi.org/10.1017/lst.2019.9

Daly, A. (2018). The introduction of data breach notification legislation in Australia: A comparative view. Computer Law and Security Review, 34(3), 477–495. https:// doi.org/10.1016/j.clsr.2018.01.005

Eboibi, F. E., & Richards, N. U. (2020). Electronic taxation and cybercrimes in Nigeria , Kenya and South Africa : Lessons from Europe and the United States of America. Commonwealth Law Bulletin, 0(0), 1–26. https://doi.org/10.1080/03050718 .2020.1726786

Feldman, E. A. (2012). The genetic information nondiscrimination act (GINA): Public policy and medical practice in the age of personalized medicine. Journal of General Internal Medicine, 27(6), 743–746. https://doi.org/10.1007/s11606-012-1988-6

Freitas, P. M. F., & Gonçalves, N. (2015). Illegal access to information systems and the directive 2013/40/EU. International Review of Law, Computers and Technology, 29(1), 50–62. https://doi.org/10.1080/13600869.2015.1016278

Gill, M. (2022). The handbook of security. The Handbook of Security, 1–1029. https:// doi.org/10.1007/978-3-030-91735-7

Goddard, M. (2017). Viewpoint: The EU general data protection regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703–706. https://doi.org/10.2501/IJMR-2017-050

Gootman, S. (2016). OPM hack: The most dangerous threat to the federal government today. Journal of Applied Security Research, 11(4), 517–525. https://doi.org/ 10.1080/19361610.2016.1211876

Gottschalk, P., & Tcherni-Buzzeo, M. (2017). Reasons for gaps in crime reporting: the case of white-collar criminals investigated by private fraud examiners in norway. Deviant Behavior, 38(3), 267–281. https://doi.org/10.1080/01639625 .2016.1196993

Gupta, C. M., & Kumar, D. (2020). Identity theft: A small step towards big financial crimes. Journal of Financial Crime, 27(3), 897–910. https://doi.org/10.1108/ JFC-01-2020-0014

Hallinan, D., Friedewald, M., & McCarthy, P. (2012). Citizens’ perceptions of data protection and privacy in Europe. Computer Law and Security Review, 28(3), 263–272. https://doi.org/10.1016/j.clsr.2012.03.005

Holtfreter, K., Reisig, M. D., Pratt, T. C., & Holtfreter, R. E. (2015). Risky remote purchasing and identity theft victimization among older Internet users. Psychology, Crime and Law, 21(7), 681–698. https://doi.org/10.1080/1068316 X.2015.1028545

Hoofnagle, C. J., Sloot, B. van der, & Borgesius, F. Z. (2019). The European Union general data protection regulation: What it is and what it means. Information and Communications Technology Law, 28(1), 65–98. https://doi.org/10.1080/136 00834.2019.1573501

Hutchings, A., & Holt, T. J. (2017). The online stolen data market: Disruption and intervention approaches. Global Crime, 18(1), 11–30. https://doi.org/10.1080/ 17440572.2016.1197123

Ibrahim, A. H. H., Baharuddin, T., & Wance, M. (2023). Bibliometric analysis of e-government and trust : A lesson for Indonesia. Jurnal Borneo Administrator, 19(3), 269–284. https://doi.org/10.24258/jba.v19i3.1303

Isabella, Alfitri, Saptawan, A., Nengyanti, & Baharuddin, T. (2024). Empowering digital citizenship in Indonesia : Navigating urgent digital literacy challenges for effective digital governance. Journal of Governance and Public Policy, 11(2), 142–155. https://doi.org/https://doi.org/10.18196/jgpp.v11i2.19258

Jarrett, A., & Choo, K. R. (2021). The impact of automation and artificial intelligence on digital forensics. WIREs Forensic Science, 3(6), 1–17. https://doi.org/10.1002 /wfs2.1418

Jones, A. (2008). Industrial espionage in a hi-tech world. Computer Fraud and Security, 2008(1), 7–13. https://doi.org/10.1016/S1361-3723(08)70010-1

Kesari, A. (2022). Do data breach notification laws reduce medical identity theft? Evidence from consumer complaints data. Journal of Empirical Legal Studies, 19(4), 1222–1252. https://doi.org/10.1111/jels.12331

Le, D.-N., Kumar, R., Mishra, B. K., Khari, M., & Chetterjee, J. M. (2019). Cyber security in parallel and distributed computing: Concepts, techniques, applications and case studies. In John Wiley & Sons. John Wiley & Sons, Ltd. https://doi.org /10.1002/9781119488330.ch6

Lee, D. S., & McCrary, J. (2017). The deterrence effect of prison: Dynamic theory and evidence. Advances in Econometrics, 38, 73–146. https://doi.org/10.1108/ S0731-905320170000038005

Levi, M. (2017). Assessing the trends, scale and nature of economic cybercrimes: Overview and Issues: In cybercrimes, cybercriminals and their policing, in crime, law and social change. Crime, Law and Social Change, 67(1), 3–20. https://doi. org/10.1007/s10611-016-9645-3

Mantelero, A. (2016). Personal data for decisional purposes in the age of analytics: From an individual to a collective dimension of data protection. Computer Law and Security Review, 32(2), 238–255. https://doi.org/10.1016/j.clsr.2016.01.01 4

Matthess, M., & Kunkel, S. (2020). Structural change and digitalization in developing countries: Conceptually linking the two transformations. Technology in Society, 63, 101428. https://doi.org/10.1016/j.techsoc.2020.101428

McGee, J. A., & Byington, J. R. (2015). Corporate identity theft: A growing risk. Journal of Corporate Accounting & Finance, 26(5), 37–40. https://doi.org/https:// doi.org/10.1002/jcaf.22061

Mohammed, A., Kumar, S., Mu’Azu, H. G., Kumar, R., Shah, P., Memoria, M., Rawat, A., & Gupta, A. (2022). Data security and protection: A mechanism for managing data theft and cybercrime in online platforms of educational institutions. 2022 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing, COM-IT-CON 2022, 758–761. https://doi.org/10.1109/COM-IT-CON54601.2022.9850702

Mugarura, N., & Ssali, E. (2020). Intricacies of anti-money laundering and cyber-crimes regulation in a fluid global system. Journal of Money Laundering Control, 24(1), 10–28. https://doi.org/10.1108/JMLC-11-2019-0092

Mulgund, P., Mulgund, B. P., Sharman, R., & Singh, R. (2021). The implications of the California Consumer Privacy Act (CCPA) on healthcare organizations: Lessons learned from early compliance experiences. Health Policy and Technology, 10(3), 100543. https://doi.org/10.1016/j.hlpt.2021.100543

Mulyadi, & Rahayu, D. (2019). Indonesia national cybersecurity review: Before and after establishment national cyber and crypto agency (BSSN). 2018 6th International Conference on Cyber and IT Service Management, CITSM 2018, 1–6. https://doi.org/10.1109/CITSM.2018.8674265

Mustaufiatin Ni’Mah, A., & Syufa’at. (2021). Legalitas impor vaksin Covid-19 perspektif maqashid syariah. Volksgeist: Jurnal Ilmu Hukum Dan Konstitusi, 4(1), 11–24. https://doi.org/10.24090/volksgeist.v4i1.4695

Nagar, A., Elluri, L., & Joshi, K. P. (2021). Automated compliance of mobile wallet payments for cloud services. 7th IEEE International Conference on Big Data Security on Cloud (BigDataSecurity 2021) Automated, 38–45. https://doi.org/ 10.1109/BigDataSecurityHPSCIDS52275.2021.00018

Njoku, I. S., Njoku, B. C., Chukwu, S. A. J., & Ravichandran, R. (2023). Fostering cybersecurity in institutional repositories: A case of Nigerian universities. African Journal of Library Archives and Information Science, 33(1), 1–21.

Nurhadi. (2022, September 8). Inilah 7 kasus dugaan kebocoran data pribadi sepanjang 2022. Tempo.Co. https://nasional.tempo.co/read/1632043/inilah-7-kasus-dugaan-kebocoran-data-pribadi-sepanjang-2022

Okeke, R. I., & Eiza, M. H. (2022). The application of role-based framework in preventing internal identity theft related crimes: A qualitative case study of UK Retail Companies. Information Systems Frontiers, 25, 451–472. https://doi.org/ 10.1007/s10796-022-10326-w

Ometov, A., Molua, O. L., Komarov, M., & Nurmi, J. (2022). A survey of security in cloud, edge, and fog computing. Sensors, 22(3), 1–27. https://doi.org/10.3390/s220 30927

Ozili, P. K. (2022). Central bank digital currency in Nigeria: Opportunities and risks. Contemporary Studies in Economic and Financial Analysis, 109, 125–133. https://doi.org/10.1108/S1569-37592022000109A008

Purtova, N. (2018). The law of everything. Broad concept of personal data and future of EU data protection law. Law, Innovation and Technology, 10(1), 40–81. https://doi.org/10.1080/17579961.2018.1452176

Rashighi, M., & Harris, J. E. (2017). Privacy in the Age of Medical Big Data. Physiology & Behavior, 176(3), 139–148. https://doi.org/10.1053/j.gastro.2016.08.014. CagY

Reyns, B. W., & Randa, R. (2017). Victim reporting behaviors following identity theft victimization: Results from the national crime victimization survey. Crime and Delinquency, 63(7), 814–838. https://doi.org/10.1177/0011128715620428

Rodríguez, R. J., & Garcia-Escartin, J. C. (2017). Security assessment of the Spanish contactless identity card. IET Information Security, 11(6), 386–393. https://doi.org/10.1049/iet-ifs.2017.0299

Roy, J. (2016). Secrecy, security and digital literacy in an era of meta-data: Why the Canadian westminster model falls short. Intelligence and National Security, 31(1), 95–117. https://doi.org/10.1080/02684527.2014.941250

Salahudin, S., Nurmandi, A., & Loilatu, M. J. (2020). How to Design qualitative research with NVivo 12 plus for local government corruption issues in Indonesia? Jurnal Studi Pemerintahan, 11(3), 469–498. https://doi.org/10.18196/jgp.113124

Shi, Y. (2022). Earth observation applications and the right to privacy: Within and beyond the COVID-19 Pandemic. Jurnal Media Hukum, 29(2), 107–119. https://doi.org/https://doi.org/10.18196/jmh.v29i2.14435

Simpson, S. S., Galvin, M. A., Loughran, T. A., & Cohen, M. A. (2022). Perceptions of white-collar crime seriousness: Unpacking and translating attitudes into policy preferences. Journal of Research in Crime and Delinquency, 1–41. https://doi.org /10.1177/00224278221092094

Solami, E. Al, Kamran, M., Alkatheiri, M. S., Rafiq, F., & Alghamdi, A. S. (2020). Fingerprinting of relational databases for stopping the data theft. Electronics (Switzerland), 9(7), 1–20. https://doi.org/10.3390/electronics9071093

Strom, K. J., & Smith, E. L. (2017). The future of crime data: The case for the national incident-based reporting system (NIBRS) as a primary data source for policy evaluation and crime analysis. Criminology and Public Policy, 16(4), 1027–1048. https://doi.org/10.1111/1745-9133.12336

Sudarwanto, A. S., & Kharisma, D. B. B. (2022). Comparative study of personal data protection regulations in Indonesia, Hong Kong and Malaysia. Journal of Financial Crime, 29(4), 1443–1457. https://doi.org/10.1108/JFC-09-2021-0193

Supriyadi, D. (2023). The Regulation of Personal and Non-Personal Data in the Context of Big Data. Journal of Human Rights, Culture and Legal System, 3(1), 33–69. https://doi.org/10.53955/jhcls.v3i1.71

Talesh, S. A. (2018). Data breach, privacy, and cyber insurance: How insurance companies Act as “compliance managers” for businesses. Law and Social Inquiry, 43(2), 417–440. https://doi.org/10.1111/lsi.12303

Thaduri, A., Aljumaili, M., Kour, R., & Karim, R. (2019). Cybersecurity for eMaintenance in railway infrastructure: risks and consequences. International Journal of System Assurance Engineering and Management, 10(2), 149–159. https://doi. org/10.1007/s13198-019-00778-w

Toma, T., Décary-Hétu, D., & Dupont, B. (2023). The benefits of a cyber-resilience posture on negative public reaction following data theft. Journal of Criminology, 1–24. https://doi.org/10.1177/26338076231161898

Trepte, S., Teutsch, D., Masur, P. K., Eicher, C., Fischer, M., Hennhöfer, A., & Lind, F. (2015). Do people know about privacy and data protection strategies? towards the “online privacy literacy scale” (OPLIS). In S. Gutwirth, R. Leenes, & P. de Hert (Eds.), Reforming European Data Protection Law (pp. 333–365). Springer, Dordrecht. https://doi.org/10.1007/978-94-017-9385-8_14

Vajjhala, N. R., & Strang, K. D. (2023). Cybersecurity for Decision Makers. Cybersecurity for Decision Makers, 1–393. https://doi.org/10.1201/9781003319887

van de Weijer, S. G. A., Leukfeldt, R., & Bernasco, W. (2019). Determinants of reporting cybercrime: A comparison between identity theft, consumer fraud, and hacking. European Journal of Criminology, 16(4), 486–508. https://doi.org/10.1177/ 1477370818773610

van de Weijer, S. G. A., & Moneva, A. (2022). Familial concentration of crime in a digital era: Criminal behavior among family members of cyber offenders. Computers in Human Behavior Reports, 8, 100249. https://doi.org/10.1016/j.chbr.2022. 100249

Viano, E. C. (2017). Cybercrime: Definition, typology, and criminalization. In Cybercrime, Organized Crime, and Societal Responses (pp. 3–22). Springer. https://doi.org/10.1007/978-3-319-44501-4

Wachter, S. (2018). Normative challenges of identification in the Internet of Things: Privacy, profiling, discrimination, and the GDPR. Computer Law & Security Review, 34(3), 436–449. https://doi.org/https://doi.org/10.1016/j.clsr.2018. 02.002

Wang, Y. (2023). CNS: Research on data security technology and network data security regulations driven by digital economy. International Journal of Cooperative Information Systems, 32(4), 2024. https://doi.org/10.1142/S02 1884302150009X

Warikandwa, T. V. (2021). Personal data security in South Africa’s financial services market: The protection of personal information act 4 of 2013 and the european union general data protection regulation compared. Potchefstroom Electronic Law Journal, 24, 17159. https://doi.org/10.17159/1727-3781/2021/v24i0a 10727

Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems security: The insider threat. European Journal of Information Systems, 18(2), 101–105. https://doi.org/10.1057/ejis.2009.12

Wicki-Birchler, D. (2020). The Budapest convention and the general data protection regulation: Acting in concert to curb cybercrime? International Cybersecurity Law Review, 1, 63–72. https://doi.org/10.1365/s43439-020-00012-5

Zimmerle, J. C., & Wall, A. S. (2019). What’s in a Policy? evaluating the privacy policies of children’s apps and websites. Computers in the Schools, 36(1), 38–47. https://doi.org/10.1080/07380569.2019.1565628

Zulu, C. L., & Dzobo, O. (2023). Real-time power theft monitoring and detection system with double connected data capture system. Electrical Engineering, 105(5), 3065–3083. https://doi.org/10.1007/s00202-023-01825-3