What a PDPA Data Breach Costs Your Business
What a PDPA Data Breach Actually Costs a Malaysian Business
A personal data breach in Malaysia costs far more than a fine. From day one you're paying for forensic investigation, legal advice, notifying the regulator within 72 hours and customers within 7 days, credit monitoring, lost trading time and, weeks later, third-party claims. The fine is often the smallest line. Cyber insurance is the cover built to pay for the rest.
You already know the law changed. Since 1 June 2025, a breach that could cause significant harm has to be reported to the regulator within 72 hours, and to affected people within 7 days. This article isn't about the law again. It's about the bill: what actually happens on day 1, day 7 and day 90 of a breach, and who pays for each part.
If you've just realised the Personal Data Protection Act (PDPA), the law that governs how you handle personal data, applies to your business, read this before you assume a breach is a small problem. For the compliance detail, see our PDPA amendments guide.
The First 72 Hours: You Don't Even Know the Scope Yet
The hardest part of day one is that you're on a clock before you know what happened. A breach is detected, an email account is compromised, a database is copied, a laptop is stolen, and the 72-hour reporting window to the Personal Data Protection Commissioner (PDPC) starts running.
In those first hours you have to do several things at once: work out what data was exposed and how, contain the damage, decide whether it crosses the "significant harm" line that triggers reporting, and prepare the notification. Almost no SME can do the forensic part alone. That's the first real cost: bringing in people who investigate breaches for a living, fast.
Day 1 to Day 90: How the Bill Builds
The costs don't arrive all at once. They stack over three rough phases, and the biggest ones tend to come last.
| Phase | What Happens | Costs That Land |
|---|---|---|
| Day 1 to 3 | Detect, contain, investigate scope, report to the PDPC within 72 hours. | Forensic investigation, legal advice, and the internal scramble that stops normal work. |
| Day 3 to 7 | Notify affected individuals within 7 days where significant harm is likely; manage the fallout. | Notification (letters, emails, a help line), credit monitoring, and PR or crisis communications. |
| Week 2 to 12 | Respond to the PDPC, rebuild systems, and handle the people who were affected. | Regulatory engagement and possible fines, system restoration, lost income while disrupted, and third-party claims. |
Notice the shape. The regulator's deadlines hit first, but the larger, slower costs, business disruption and third-party claims, arrive once the immediate crisis is over. A breach isn't an event; it's a season.
The Cost Anatomy: Who Pays for Each Part
Here's every major cost of a breach, when it hits, and who carries it if you have no cover. We don't publish figures for these, because they swing wildly with the size of the breach, but the categories are always the same.
| Cost | What It Is | Which Cover Responds |
|---|---|---|
| Forensic investigation | Working out what was taken, how, and whether it's still happening. | Cyber insurance (incident response). |
| Legal advice | Guidance on your PDPA duties, notification wording, and exposure. | Cyber insurance (incident response). |
| Notifying the PDPC and individuals | Preparing and sending the required notices, and running a help line. | Cyber insurance (notification costs). |
| Credit monitoring | Identity-protection services offered to affected people. | Cyber insurance. |
| Regulatory defence and fines | Responding to a PDPC investigation, and penalties where insurable by law. | Cyber insurance (regulatory defence). |
| Lost income during disruption | Revenue you can't earn while systems are down or under investigation. | Cyber insurance (business interruption). |
| Third-party claims | Customers or partners suing over their exposed data. | Cyber insurance (privacy and network liability). |
| System upgrades | Improving your systems beyond their pre-breach state. | Nobody; this is your own cost. |
The last row matters. Insurance restores you to where you were; it doesn't fund an upgrade. Everything above it, though, is exactly what a cyber policy is built to carry. For what those policies cover and exclude in detail, see our cyber insurance guide.
Just realised the PDPA applies to your business?
Tell us what personal data you hold and how you trade, and we'll talk you through the cyber insurance that pays for a breach response. No jargon, no pressure.
Who You Have to Tell, and When
The reporting duties are fixed, and missing them is its own offence, separate from the breach. Here's the short version.
| Who | When | Condition |
|---|---|---|
| The Personal Data Protection Commissioner (PDPC) | Within 72 hours of becoming aware | Where the breach causes or is likely to cause significant harm. Written reasons required if you're late. |
| The affected individuals | Within 7 days of notifying the PDPC | Where significant harm is likely. You must explain the breach and the steps they can take. |
| Your own breach register | Ongoing | All breaches recorded and kept for at least 2 years for PDPC inspection. |
Failing to notify the PDPC when required carries a fine of up to RM250,000, on top of any penalty for the breach itself, where breaching the data protection principles can now reach RM1,000,000. Those are maximums, and real enforcement fines to date have been far lower, but the direction is clear: the cost of getting it wrong went up.
What to Have Ready Before It Happens
You can't build a breach response during the 72 hours. The businesses that come through a breach cheaply are the ones that prepared. A short list.
- A written breach response plan naming who does what, in what order.
- A forensic and legal contact you can call on day one, or a cyber policy that provides one.
- Offline backups you've actually tested, so you can restore without paying a ransom.
- A breach register, and someone who owns it.
- Cyber insurance sized to the volume of personal data you hold.
If a ransomware attack is what triggers your breach, the response overlaps heavily with what we cover in our ransomware insurance guide. And if you want the product view first, our data breach insurance guide walks through what a policy covers.
FAQ
How much does a data breach cost a Malaysian business?
There's no single figure, because it scales with the number of records exposed and how long you're disrupted. The cost is a stack: forensics, legal advice, notifying the regulator and customers, credit monitoring, lost income and, later, third-party claims. For most SMEs the response cost dwarfs any fine, which is why cyber insurance focuses on that response.
Is the PDPA fine the biggest cost of a breach?
Usually not. The maximum fine for a data protection principle breach is RM1,000,000, but actual fines to date have been far lower. The larger costs are typically the investigation, notification, business disruption and third-party claims that come with responding to the breach, which is where the real money goes.
Which breach costs does cyber insurance actually pay?
A comprehensive cyber policy pays for incident response (forensics and legal), notification and credit monitoring, regulatory defence and insurable fines, business interruption, and third-party privacy claims. It does not pay to upgrade your systems beyond their pre-breach state. See our cyber insurance guide for the full list.
Do I have to tell customers about a breach?
Yes, where the breach is likely to cause significant harm. You must notify the PDPC within 72 hours and affected individuals within 7 days of that notification. Even where individual notification isn't triggered, the breach still has to be recorded in your register.
My business is small. Does any of this apply to me?
Yes. The PDPA applies to any business processing personal data in commercial dealings, regardless of size. If you hold customer names, contact details, IC numbers or payment data, the breach duties and the response costs apply to you the same as a large company.
Contingent Conclusion
A data breach turns into a bill in stages: the regulator's clock first, then the customers, then the disruption and the claims. The fine everyone worries about is usually the smallest part. What hurts is everything around it, and that's the part a business rarely has sitting in reserve.
Compliance lowers the chance of a breach. Cyber insurance pays for the response when one happens anyway. Both together is the sensible position for any Malaysian business holding personal data.
Want a breach response you don't have to fund yourself?
Contingent helps Malaysian businesses put cyber insurance in place that pays for the forensics, notification, defence and downtime of a data breach. Whether you're buying for the first time or reviewing a policy, our team can help.
Related reading: PDPA amendments guide, cyber insurance for Malaysian businesses, and data breach insurance and the PDPA.
Disclaimer: This article provides general guidance for Malaysian businesses as of August 2026. PDPA references reflect the Personal Data Protection Act 2010 as amended in 2024; verify current figures and deadlines with the Personal Data Protection Commissioner before relying on them. Insurance terms, coverage and availability vary by insurer and risk profile. This is not a policy document. Always consult a qualified insurance professional before making coverage decisions.
Written by Michelle Chin, Founder. Last reviewed: August 2026.




