July 11, 2017

Intellectual Property & Technology Partner Jack Ow comments in The Business Times on the recent unveiling of Singapore’s draft Cybersecurity Bill

RHTLaw Taylor Wessing’s Intellectual Property & Technology Partner, Jack Ow, was quoted in The Business Times article titled “Cybersecurity Bill seeks to protect critical information infrastructure”. The article was first published in The Business Times on 11 July 2017.

Cybersecurity Bill seeks to protect critical information infrastructure
Source: The Business Times © Singapore Press Holdings Ltd.
Date: 11 July 2017
Author: Amit Roy Choudhury

AS cyberattacks get more sophisticated and widespread, Singapore on Monday unveiled a comprehensive draft Cybersecurity Bill which seeks to protect Singapore's critical information infrastructure (CII), give more powers to the Cyber Security Agency (CSA), ensure proper information sharing during attacks, and introduce a licensing provision to regulate cybersecurity services and ensure that quality services are available here.

The draft bill was released on Monday for public consultation, and this process will continue until Aug 3. After changes, if any, it is likely to be tabled in Parliament for first reading by the end of this year. Work on the legislation started in late 2015.

Under the bill, owners of CII will have to immediately inform CSA of a breach and share all relevant information. The bill sets out well-defined measures that CII owners need to undertake. These include, among others, providing technical information relating to the CII to CSA, conducting compliance audits and risk assessments, and complying with codes of practice, standards of performance and directions issued by the regulatory agencies. These measures must be undertaken irrespective of whether there has been a breach.

For CII owners, wilful non-compliance with these duties generally carries a fine of up to S$100,000 and imprisonment of up to two years. These penalties are separate from the fines already in place for service disruption in CII sectors.
The bill will provide CSA with enhanced powers to manage and respond to cybersecurity threats and incidents. In this regard, Section 15A of the current Computer Misuse and Cybersecurity Act (CMCA) provides some existing powers related to cybersecurity. These will be enhanced in the Cybersecurity Bill, and specific powers will be vested in CSA officers to allow them to deal with fast-moving cybersecurity threats and incidents.

The bill also seeks to establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information. It also seeks to introduce a "lighter-touch" licensing framework for the regulation of selected cybersecurity service providers. For example, licensing the provision of "penetration testing" - where specialists check to see if an IT network has any vulnerabilities by trying to "hack" into the network - and managed security operations centre (SOC) services.

The proposed bill will focus on cybersecurity, while crimes committed using a computer, such as hacking, will continue to be addressed by the CMCA. The bill is part of Singapore's Cybersecurity Strategy announced by Prime Minister Lee Hsien Loong last year. Singapore's move to table a comprehensive bill mirrors similar efforts by several countries around the world, such as Germany, which are seeking to enact an omnibus cybersecurity law.

CSA chief executive David Koh noted that "currently the legislation or the regulations are disparate". As a result, he added, there are challenges, for example, in the area of information sharing. "This new bill will put everything together and seeks to provide us the capability to facilitate action, both pre-emptive action and reactive action. The focus of the bill is on CII, because these by definition are critical and provide essential services to the country. So it is everyone's interest to protect them," Mr Koh said.

Mr Koh added that CSA officers also needed to be given the ability to respond to threats and to facilitate information sharing, "because . . . there are other rules which perhaps can be interpreted to prevent information sharing such as privacy rules, banking secrecy rules and others. The bill is designed to allow information sharing within certain parameters," he added.

Mr Koh will hold the position of the Commissioner of Cybersecurity. The Minister-in-charge of Cybersecurity could also appoint a Deputy Commissioner as well as a number of Assistant Commissioners.

Talking to The Business Times, Jack Ow, intellectual property & technology partner, RHTLaw Taylor Wessing, noted: "The draft bill is intended to be a broad framework for cybersecurity requirements to be consistently applied across sectors, but yet flexible enough to take into account the unique circumstances of each sector. In this regard, the requirements in the draft bill, especially the duties on cybersecurity imposed on owners of CII, can be viewed as baseline requirements applicable to all industries, as long as you are considered a 'CII'."

Daryl Pereira, head of cybersecurity at KPMG in Singapore, added that the proposed bill, specifically the framework for the protection of CII, "seeks to level the playing field and raise the maturity and preparedness of all sectors in Singapore to a common baseline". "This Cybersecurity Bill will help to form a strong foundation for Singapore to transform itself into a digital economy, powered by innovation and enabled by cybersecurity readiness," Mr Pereira added.

Steve Lam, advisory partner, Ernst & Young Advisory, added that the bill served to provide a framework for the protection of Singapore's essential services against cyber-attacks. "If passed in its current state, (the bill) clarifies and sets in law the accountability of the board, senior management and participants in protecting Singapore's national interests across both the public and private sectors."
July 11, 2017

Intellectual Property & Technology Partner Jack Ow shares with TODAY how imposing licensing on cyber security service providers can improve assurance on safety

RHTLaw Taylor Wessing’s Intellectual Property & Technology Partner, Jack Ow, was quoted in a TODAY article titled “Laws proposed to boost Singapore defences against cyber attacks”. The article was first published in TODAY on 11 July 2017.

Laws proposed to boost Singapore defences against cyber attacks
Source: TODAY © Mediacorp Press Ltd.
Date: 11 July 2017
Author: Tan Weizhen

SINGAPORE — To beef up the country’s defences against increasingly sophisticated cyber attacks, new laws have been proposed that, among other things, require owners of critical information infrastructure (CII) in 11 key sectors to report any cyber security incidents, and to share information with the authorities when ordered. These sectors provide essential services and comprise government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.

The draft Cybersecurity Bill also proposes to license cyber security service providers and practitioners, starting with those providing penetration testing and managed security operations centre services. Public consultation for the proposed laws began on Monday, and closes on Aug 3.

The Bill may supersede existing secrecy laws in the various sectors, and establishes a framework to manage cyber security in Singapore. It also gives the Cyber Security Agency (CSA) powers to carry out its functions. Under the proposed Bill, public and private-sector owners of CII — defined as computer systems necessary for the continuous delivery of essential services — will have certain statutory duties, such as reporting cyber attacks to the Commissioner of Cybersecurity, carrying out audits and risk assessments, and participating in cyber security exercises. The list of CII will be constantly evaluated, and additions will be made when necessary by the CSA.
While the CII owners will not be directly penalised for cyber security breaches, they are liable for criminal offences “in cases where they fail to perform their duties wilfully, or fail to comply with the commissioner’s directions without reasonable excuse”, based on the public consultation paper. In such cases, they could be fined up to S$100,000, and jailed for a maximum of two years if convicted.

CSA chief executive officer David Koh said that the draft Bill is different from existing legislation — such as the Computer Misuse Act — in terms of having an expanded scope, officially designating CII, and spelling out clearly the duties of CII owners, for instance. “The (draft) Bill also aims to raise our overall cyber security posture, by licensing certain cyber security service providers,” he said.

A framework will be established for the sharing of cyber security information with CSA officers. This will be for the purpose of preventing, detecting or investigating any cyber security threat or incident. If necessary, any relevant organisations that are outside the 11 key sectors may be compelled to share information with the CSA.

The licensing regime was proposed in light of the “need for more credible services, as cyber security risks become more mainstream”, said the CSA. Nevertheless, in-house providers will be exempted. Two types of licences are proposed, for investigative and non-investigative cyber security services. To meet licensing requirements, service providers must have key executive officers who are fit and proper persons, comply with a code of ethics and retain service records for five years, among others. Under the new laws, unlicensed cyber service providers, for example, could be fined as much as S$50,000, or jailed for a maximum of two years, or both.

Cyber security experts and lawyers TODAY spoke to welcomed the draft Bill, which “elevates” cyber security in sectors providing essential services “from what was previously a decision left to the business owner’s discretion”, as Mr Steve Lam, a partner at Ernst & Young Advisory, put it.

Mr Vincent Loy, Cyber and Financial Crime leader at PwC, noted that it specifically places responsibility on individuals, rather than organisations. Under the draft Bill, senior management could be held liable for specific offences. “Now someone is personally liable, and he can go to jail or has to pay a fine. This creates more impact, and highlights the importance of complying with the rules,” Mr Loy said.

Lawyer Bryan Tan of Pinsent Masons added: “In future, people do really need to pay attention, as the laws would have more bite than ever before.” He noted that with the licensing of penetration testing, a line would be drawn between white-hat and black-hat hackers, and this would encourage legitimate hackers to get licensed.

The licensing regime would “improve assurance on security and safety”, as well as raise the quality of cyber security services, said Mr Jack Ow, Intellectual Property & Technology partner at RHTLaw Taylor Wessing.

KEY THRUSTS OF THE PROPOSED CYBERSECURITY BILL

A total of 11 sectors will have to comply with the proposed Bill. Apart from the government, others include the security and emergency, healthcare, telecommunications, banking and finance, water and media sectors.

Critical information infrastructure (CII) owners in these sectors will have to report cyber attacks, carry out audits and risk assessments, and take part in cyber security exercises, among other statutory duties. CII owners are liable if they wilfully fail to comply with any of their duties.

Organisations will be compelled to share cyber security information with Cyber Security Agency of Singapore officers, in order to investigate any cyber security threat or attack.

Cyber security service providers and practitioners will be licensed, starting with those providing penetration testing and managed security operations centre services.
June 30, 2017

Intellectual Property & Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”

RHTLaw Taylor Wessing Intellectual Property & Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”. The article was first published in the 23 June 2017 edition of CIO Asia.

Privacy, cybercrime and the law in a post-ransomware world
Source: CIO Asia
Date: 23 June 2017
Author: Jack Ow

In an age where data has become a valuable commodity that is the object of cybercrime, organisations and cybersecurity professionals must work within applicable legal frameworks in preventing, detecting and responding to cybercrime and cyberattacks.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Weeks before the WannaCry ransomware attacks, I became another victim of cybercrime in April 2017. My bank's SMS notification alerted me to a €2,800 transaction on my credit card in a restaurant in Vienna one afternoon. The last I checked, I was in Singapore. Within the next minute, I was on the phone with the bank. As we were verifying the unauthorised transaction, a second SMS notification alerted us to another €1,300 transacted on the same card at the same location.

It was somewhat ironic, because I had highlighted recent amendments to the Singapore Computer Misuse and Cybersecurity Act (CMCA), passed by the Singapore parliament just days before the unauthorised credit card transactions. Like most victims of cybercrime, I am unlikely ever to have the full facts behind the unauthorised collection, circulation and use of my credit card details, but I believe that the recent amendments to our cybercrime laws are a necessary step in the right direction to address the proliferating ease of obtaining valuable and/or sensitive personal data for committing or facilitating other offences.
Buyer Beware: Using Hacked Personal Data Could Be A Crime

With the changes to our cybercrime laws, there will be, understandably, some initial uncertainty among individuals and companies about the scope and application of the laws, especially if they are in the business of cybersecurity, or have cybersecurity concerns.

One of the main objectives for amending the CMCA is to criminalise dealings in hacked personal data for illicit purposes. In particular, the changes address the roles of, and close the gaps under the existing law against, "middlemen" that trade in such personal data but are not directly involved in the computer hacking offences. (See: Singapore Parliamentary Debates, Official Report (3 April 2017), 2nd Reading, Computer Misuse and Cybersecurity (Amendment) Bill.)

As a consequence, the legislative changes also mean that individuals and companies, including cybersecurity professionals, are obliged to exercise due care when dealing with personal data obtained through hacking. For any personal data obtained or retained by individuals and companies whose origin is unclear, including where such personal data may have been the product of hacking ("Hacked Personal Data"), individuals and companies must ensure that such Hacked Personal Data is not collected or used for the purpose of committing, or facilitating the commission of, any offence (i.e. it is collected or used only for a "legitimate purpose").

To the extent that individuals and companies supply, offer to supply, transmit or make available, by any means (each an "act of supplying"), such Hacked Personal Data, they must (i) ensure that any act of supplying the Hacked Personal Data is only for a legitimate purpose, and (ii) be able to prove that they did not know, or have any reason to believe, that the Hacked Personal Data will be, or is likely to be, used to commit, or facilitate the commission of, any offence.

In other words, dealings in Hacked Personal Data could attract criminal liability under Singapore law unless it is collected and used only for a legitimate purpose, and due care has been exercised in its disclosure, both in terms of the nature of the contents actually disclosed and the party to whom it was disclosed.

When Public Domain is Not Public Knowledge

In addition to the issues that could attract criminal liability under the CMCA, individuals and companies dealing with Hacked Personal Data for legitimate purposes need to be aware of other concurrent legal obligations. Under the Singapore Personal Data Protection Act 2012 (PDPA), the collection, use and disclosure of any personal data by an organisation requires the consent of the individual to whom the personal data pertains, unless the organisation can rely on exemptions under the PDPA, for example where:

1) the collection, use and/or disclosure of the personal data is necessary: to respond to an emergency that threatens the life, health or safety of the individual or another individual; or for any investigation or proceedings; or for evaluative purposes; or

2) the personal data is publicly available.

The application of these exemptions under the PDPA may not be straightforward with regard to dealings with Hacked Personal Data, as the PDPA has ascribed specific meanings and parameters to what constitutes "investigation", "proceedings", "evaluative purposes" and "publicly available".

Individuals and organisations also must not forget that confidential data do not automatically lose their confidential status when they are made available in the public domain. This was clarified by the Singapore Court of Appeal in the recent decision of Wee Shuo Woon v HT S.R.L.
June 28, 2017

RHTLaw Taylor Wessing and Taylor Wessing Go Global With Digital Data Protection Tool

International law firm RHTLaw Taylor Wessing, in conjunction with Taylor Wessing, launched its inaugural Global Data Protection Guide (GDPG) - spanning more than 60 countries - to capitalise on market demand for readily accessible information on data protection laws. This online map examines national data protection laws in multiple jurisdictions across the globe, for the benefit of businesses across all sectors that need to navigate the complexities of the global data privacy landscape.

The GDPG addresses, amongst many others, the following questions: Is there a national data protection law in place? Are data processing notification requirements enforced by a regulator? Are there rules on data transfers? What are the guidelines for employee monitoring? In addition, the tool allows the user to compare up to 5 countries at a time, spanning data protection regimes across Europe, the US, South America, and parts of Asia and Africa.

The GDPG will be regularly updated so that it fully encompasses all significant changes relating to global data protection, including the introduction of the General Data Protection Regulation (GDPR) in May 2018. The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation within the EU.

While Singapore has its own data protection laws in the form of the Personal Data Protection Act (PDPA), Singapore businesses are increasingly recognising the need to comply with the GDPR as well. Singapore is the EU’s largest commercial partner in ASEAN, and local companies that do business with customers from the EU risk incurring hefty fines if they do not comply with the GDPR.

Rizwi Wun, Partner in the Intellectual Property & Technology practice at RHTLaw Taylor Wessing, noted, “As data emerges as the new currency in the digital economy, the protection of data will be one key component of this new era. The GDPG will provide easy access to a useful database of data protection laws in many countries, and will prove to be a tool that companies will no doubt find very useful as a valuable resource.”

Vin Bange, Partner in the International Data Protection practice at Taylor Wessing, commented, “With data protection compliance becoming headline news and following on from direct client feedback, the GDPG is incredibly timely. Data Protection laws impact all businesses, across all sectors, worldwide which means companies are now sitting up and taking note of what this actually means. Put simply, no business can escape from these laws. The idea, therefore, behind GDPG is to address the issues worrying firms head on and help everyone prepare for the market changes ahead."

The new launch follows other recent innovations by Taylor Wessing, including the TW: Cyber Response app, and builds on the wealth of international industry-focused thought leadership content available on the Global Data Hub, which provides expert insight and analysis on data protection issues, and Download, which offers guidance on key developments in the media and technology sectors.