July 13, 2017

RHTLaw Taylor Wessing contributes an article to Singapore infocomm Technology Federation on digital transformation disrupting the legal sector

RHTLaw Taylor Wessing submitted a response to Singapore infocomm Technology Federation (SiTF) on “Digital Transformation”. The article was first published on Singapore infocomm Technology Federation’s (SiTF) website on 8 June 2017.

Digital Transformation

Source: Singapore infocomm Technology Federation (SiTF) ©
Date: 8 June 2017

Digital transformation is a process that involves the accelerated evolution of our business model that leverages on digital technology. In today’s world, digital transformation helps us remain relevant, competitive and profitable. In our context, digital transformation is a strategy that will cover four main areas of our business:

(a) enhanced engagement within the client ecosystem
(b) streamlining the internal processes
(c) innovation
(d) scalability

1. Can you describe RHTLaw Taylor Wessing LLP and how is the firm embracing digital transformation?

Legal services are a segment of the professional services sector and it is primed for major disruption. Advances in technology have made the client or customer a central feature in business. The clutter is no more as clients can now engage and interact directly with businesses and services. Company incorporation and government services are now available online. Transparency and efficiency are a given and the layering of the various touchpoints has become a matter of history.

The legal services sector faces considerable challenges. The pressure on fees, the commoditisation of work product and external disruption by law and non-law service providers are some of the growing challenges law firms face in the region. Legal practitioners must adapt to the changing circumstances and embrace technology to bring about disruption to their own practice. It is no longer true that “if it isn’t broken, don’t fix it”. Self-disruption is the only way to ensure a law firm’s continued survival.
We have long recognised these challenges and embarked on a long-term strategy to force the evolution of our business models and processes. Being clued in on new technology is essential for this transformation process. Digital transformation is enabled by new technology. However, technology isn’t the endgame. People are.

Client insight is an interesting aspect of this transformation process. Cutting edge technology that will benefit clients counts for nothing if our people are not motivated to change the way we work. On the other hand, rolling out a fantastic online client engagement tool will fail if we do not understand client behaviour, preferences and needs. There are reasons why some apps succeed and why some fail miserably. The analysis of data must precede the change. We cannot undertake the transformation process without an analysis of client behaviour, preferences and needs.

2. Could you describe your strategy for digital transformation?

Our strategy for digital transformation encompasses four pillars of execution: enhancing the client experience, internal processes, continual innovation and scalability.

Enhancing the Client Experience: Client insight is an interesting aspect of this transformation process. Cutting edge technology that will benefit clients counts for nothing if our people are not motivated to change the way we work. On the other hand, rolling out a fantastic online client engagement tool will fail if we do not understand client behaviour, preferences and needs. There are reasons why some apps succeed and why some fail miserably. What we think should be the client experience can be very different from what the client is inclined to prefer. The analysis of data must precede this. We cannot undertake the transformation process without an analysis of client behaviour, preferences and needs.

Internal Processes: The internal process is invisible to the client.
For every shift in the client experience transformation, the internal processes will experience change. Automating processes, from submission of expense claims to document generation, is the in thing today. They make processes more efficient and seamless. Filing systems and document management systems are also made flat to facilitate collaboration across departments. Changes must be based on the analysis of real data and strategic decisions are made more quickly and in greater detail as a result. Invariably, the redesign of the operational processes will impact our ability to provide our clients with not only good service but also a great experience.

Continual Innovation and Scalability: In today’s world, it is not enough to undertake this exercise on a piecemeal or one-off basis. There will have to be a cultural revolution to change mindsets. Innovation must be a continual process with owners constantly thinking of the next best thing. The business model of the firm will have to evolve, with new service offerings being constantly rolled out using new technology. New technology must also be scalable in order to have economies of scale. In the end, there must be the ability to do more with less. It is key to understand that this is about efficiency, not productivity. Productivity is about doing more with the same.

Recent changes in the legal landscape show that the Singapore government is keen to see law firms evolve to change with the times. This is a move in the right direction. In fact, the legal industry is not the only sector set to embark on a digital transformation; other industries including transport, transportation, hospitality and education are affected as well, from the likes of Uber, Deliveroo, Airbnb and Coursera.

3. How far ahead is RHTLaw Taylor Wessing LLP in implementing these changes?

We’re collecting data.
A customer relationship management system is being put into place to collect client and prospect information into a common database. Together with our practice management system, we will be able to analyse client trends and behaviours.

We are streamlining our internal processes: from the management of human resources, to expense claims and financial management, to digitising the entire workflow. We already have in place a document management system and have begun studying our options for document assembly. We are closely watching the artificial intelligence space for the latest developments.

Replacing paper and manual processes with apps and software is the easier part. It is more challenging dealing with the client ecosystem and understanding how clients want to be engaged. There is unlikely to be a one-size-fits-all situation. More sophisticated clients will want a bespoke client experience. To do this, we need to personalise the enhanced client experience to allow us this flexibility. This aspect of the transformation is still underway.

4. What has been the impact of Digital Transformation on your organisation?

The jury is still out there but we are confident that the strategy that we have developed is the correct one for us. We hope that the completion of the digital transformation will lead to increased efficiency and will give us a competitive edge in the crowded marketplace. An enhanced client experience is a unique differentiator in the digital business world. This transformation will continue over time as technology evolves.

Contributed by Arcis Communications (SiTF PR Agency)
Courtesy of RHTLaw Taylor Wessing LLP
Published date: 8 Jun 2017
July 11, 2017

Intellectual Property & Technology Partner Jack Ow comments in The Business Times on the recent unveiling of Singapore’s draft Cybersecurity Bill

RHTLaw Taylor Wessing’s Intellectual Property & Technology Partner, Jack Ow, was quoted in The Business Times article titled “Cybersecurity Bill seeks to protect critical information infrastructure”. The article was first published in The Business Times on 11 July 2017.

Cybersecurity Bill seeks to protect critical information infrastructure

Source: The Business Times © Singapore Press Holdings Ltd.
Date: 11 July 2017
Author: Amit Roy Choudhury

As cyberattacks get more sophisticated and widespread, Singapore on Monday unveiled a comprehensive draft Cybersecurity Bill which seeks to protect Singapore's critical information infrastructure (CII), give more powers to the Cyber Security Agency (CSA), ensure proper information sharing during attacks, and introduce a licensing provision to regulate and ensure quality cybersecurity services are available here.

The draft bill was released on Monday for public consultations and this process will continue until Aug 3. After changes, if any, it is likely to be tabled in Parliament for first reading by the end of this year. Work on the legislation started in late-2015.

Under the bill, owners of CII will have to immediately inform CSA of a breach and share all relevant information. The bill sets out well-defined measures that CII owners need to undertake. These include, among others, providing technical information relating to the CII to CSA, conducting of compliance audits and risk assessments as well as compliance with codes of practice and standards of performance and issued directions (from the regulatory agencies). These measures are expected to be undertaken irrespective of whether there has been a breach or not.

For CIIs, wilful non-compliance of duties generally carries a fine of up to S$100,000 and imprisonment of up to two years. These fines are separate from standard fines that are already in place in case of service disruption in CII sectors.
The bill will provide CSA with enhanced powers to manage and respond to cybersecurity threats and incidents. In this regard, Section 15A of the current Computer Misuse and Cybersecurity Act (CMCA) provides some existing powers related to cybersecurity. These will be enhanced in the Cybersecurity Bill, and specific powers will be vested in CSA officers to allow them to deal with fast-moving cybersecurity threats and incidents.

The bill also seeks to establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information. It also seeks to introduce a "lighter-touch" licensing framework for the regulation of selected cybersecurity service providers. For example, licensing the provision of "penetration testing" - where specialists check to see if an IT network has any vulnerabilities by trying to "hack" into the network - and managed security operations centre (SOC) services.

The proposed bill will focus on cybersecurity while crimes committed using a computer, such as hacking, will continue to be addressed by the CMCA. The bill is part of Singapore's Cybersecurity Strategy announced by Prime Minister Lee Hsien Loong last year.

Singapore's move to table a comprehensive bill mirrors similar efforts being undertaken by several countries around the world which are seeking to enact an omnibus cybersecurity law, such as Germany.

CSA chief executive David Koh noted that "currently the legislation or the regulations are disparate". As a result, he added, there are challenges, for example, in the area of information sharing.

"This new bill will put everything together and seeks to provide us the capability to facilitate action, both pre-emptive action and reactive action. The focus of the bill is on CII, because these by definition are critical and provide essential services to the country. So it is everyone's interest to protect them," Mr Koh said.
The CSA boss added that a need was also felt to facilitate CSA officers so that they would have the ability to respond to threats and facilitate information sharing "because . . . there are other rules which perhaps can be interpreted to prevent information sharing such as privacy rules, banking secrecy rules and others.

"The bill is designed to allow information sharing within certain parameters," he added.

Mr Koh will hold the position of the Commissioner of Cybersecurity. The Minister-in-charge of Cybersecurity could also appoint a Deputy Commissioner as well as a number of Assistant Commissioners.

Talking to The Business Times, Jack Ow, intellectual property & technology partner, RHTLaw Taylor Wessing, noted: "The draft bill is intended to be a broad framework for cybersecurity requirements to be consistently applied across sectors, but yet flexible enough to take into account the unique circumstances of each sector.

"In this regard, the requirements in the draft bill, especially the duties on cybersecurity imposed on owners of CII, can be viewed as baseline requirements applicable to all industries, as long as you are considered a 'CII'."

Daryl Pereira, head of cybersecurity at KPMG in Singapore, added that the proposed bill, specifically the framework for the protection of CII, "seeks to level the playing field and raise the maturity and preparedness of all sectors in Singapore to a common baseline".

"This Cybersecurity Bill will help to form a strong foundation for Singapore to transform itself into a digital economy, powered by innovation and enabled by cybersecurity readiness," Mr Pereira added.

Steve Lam, advisory partner, Ernst & Young Advisory, added that the bill served to provide a framework for the protection of Singapore's essential services against cyber-attacks.
"If passed in its current state, (the bill) clarifies and sets in law the accountability of the board, senior management and participants in protecting Singapore's national interests across both the public and private sectors."
July 11, 2017

Intellectual Property & Technology Partner Jack Ow shares with TODAY how imposing licensing on cyber security service providers can improve assurance on safety

RHTLaw Taylor Wessing’s Intellectual Property & Technology Partner, Jack Ow, was quoted in a TODAY article titled “Laws proposed to boost Singapore defences against cyber attacks”. The article was first published in The Business Times on 11 July 2017.

Laws proposed to boost Singapore defences against cyber attacks

Source: TODAY © Mediacorp Press Ltd.
Date: 11 July 2017
Author: Tan Weizhen

SINGAPORE — To beef up the country’s defences against increasingly sophisticated cyber attacks, new laws have been proposed that, among other things, require owners of critical information infrastructure (CII) in 11 key sectors to report any cyber security incidents, and to share information with the authorities when ordered.

These sectors provide essential services and comprise government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.

The draft Cybersecurity Bill also proposes to license cyber security service providers and practitioners, starting with those providing penetration testing and managed security operations centre services.

Public consultation for the proposed laws began on Monday, and closes on Aug 3. The Bill may supersede existing secrecy laws in the various sectors, and establishes a framework to manage cyber security in Singapore. It also gives the Cyber Security Agency (CSA) powers to carry out its functions.

Under the proposed Bill, public and private-sector owners of CII — defined as computer systems necessary for the continuous delivery of essential services — will have certain statutory duties, such as reporting cyber attacks to the Commissioner of Cybersecurity, and carrying out audits, risk assessments as well as participating in cyber security exercises.

The list of CII will be constantly evaluated, and additions will be made when necessary by the CSA.
While the CII owners will not be directly penalised for cyber security breaches, they are liable for criminal offences “in cases where they fail to perform their duties wilfully, or fail to comply with the commissioner’s directions without reasonable excuse”, based on the public consultation paper. In such cases, they could be fined up to S$100,000, and jailed for a maximum of two years if convicted.

CSA chief executive officer David Koh said that the draft Bill is different from existing legislation — such as the Computer Misuse Act — in terms of having an expanded scope, officially designating CII, and spelling out clearly the duties of CII owners, for instance.

“The (draft) Bill also aims to raise our overall cyber security posture, by licensing certain cyber security service providers,” he said.

A framework will be established for the sharing of cyber security information with CSA officers. This will be for the purpose of preventing, detecting or investigating any cyber security threat or incident. If necessary, any relevant organisations that are outside the 11 key sectors may be compelled to share information with the CSA.

The licensing regime was proposed in light of the “need for more credible services, as cyber security risks become more mainstream”, said the CSA. Nevertheless, in-house providers will be exempted.

Two types of licences are proposed for investigative and non-investigative cyber security services. To meet licensing requirements, service providers must have key executive officers, who are fit and proper persons, comply with a code of ethics and retain service records for five years, among others.

Under the new laws, unlicensed cyber service providers, for example, could be fined as much as S$50,000, or jailed for a maximum of two years, or both.
Cyber security experts and lawyers TODAY spoke to welcomed the draft Bill, which “elevates” cyber security in sectors providing essential services “from what was previously a decision left to the business owner’s discretion”, as Mr Steve Lam, a partner at Ernst & Young Advisory, put it.

Mr Vincent Loy, Cyber and Financial Crime leader at PWC, noted that it specifically places responsibility on individuals, rather than organisations. Under the draft Bill, senior management could be held liable for specific offences.

“Now someone is personally liable, and he can go to jail or has to pay a fine. This creates more impact, and highlights the importance of complying with the rules,” Mr Loy said.

Lawyer Bryan Tan of Pinsent Masons added: “In future, people do really need to pay attention, as the laws would have more bite than ever before.” He noted that with the licensing of penetration testing, a line would be drawn between white-hat and black-hat hackers, and this would encourage legitimate hackers to get licensed.

The licensing regime would “improve assurance on security and safety”, as well as raise quality of cyber security services, said Mr Jack Ow, Intellectual Property & Technology partner at RHTLaw Taylor Wessing.

KEY THRUSTS OF THE PROPOSED CYBERSECURITY BILL

A total of 11 sectors will have to comply with the proposed Bill. Apart from the government, others include security and emergency, healthcare, telecommunications, banking and finance, water and media sectors.

Critical information infrastructure (CII) owners in these sectors will have to report cyber attacks, carry out audits and risk assessments, as well as take part in cyber security exercises, among other statutory duties. CII owners are liable if they wilfully fail to comply with any of their duties.

Organisations will be compelled to share cyber security information with Cyber Security Agency of Singapore officers, in order to investigate any cyber security threat or attack.
Cyber security service providers and practitioners will be licensed, starting with those providing penetration testing and managed security operations centre services.
June 30, 2017

Intellectual and Property Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”

RHTLaw Taylor Wessing Intellectual and Property Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”. The article was first published in the 23 June 2017 edition of CIO Asia.

Privacy, cybercrime and the law in a post-ransomware world

Source: CIO Asia
Date: 23 June 2017
Author: Jack Ow

In an age where data has become a valuable commodity that is the object of cybercrime, organisations and cybersecurity professionals must work within applicable legal frameworks in preventing, detecting and responding to cybercrime and cyber-attacks.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Weeks before the WannaCry ransomware attacks, I became another victim of cybercrime earlier in April 2017. My bank's SMS notification alerted me to a €2,800 transaction on my credit card in a restaurant in Vienna one afternoon. The last I checked, I was in Singapore. Within the next minute, I was on the phone with the bank. As we were verifying the unauthorised transaction, a second SMS notification alerted us to another €1,300 that was transacted on the same card at the same location.

It was somewhat ironic, because I had highlighted recent amendments to the Singapore Computer Misuse and Cybersecurity Act (CMCA) that was passed by the Singapore parliament just days before the unauthorised credit card transactions.

Like most victims of cybercrime, it is unlikely for me to have the full facts behind the unauthorised collection, circulation and use of my credit card details, but I believe that the recent amendments to our cybercrime laws are a necessary step in the correct direction to address the proliferating ease of obtaining valuable and/or sensitive personal data, for commissioning or facilitating other offences.
Buyer Beware: Using Hacked Personal Data Could Be A Crime

With the changes to our cybercrime laws, there will be, understandably, some initial uncertainty among individuals and companies in the scope and application of the laws, especially if they are in the business of cybersecurity, or have cybersecurity concerns.

One of the main objectives for amending the CMCA is to criminalise dealings in hacked personal data for illicit purposes. In particular, the changes address the roles of, and close the gaps under the existing law against, "middlemen" that trade in such personal data, but are not directly involved in the computer hacking offences. (See: Singapore Parliamentary Debates, Official Report (3 April 2017), 2nd Reading, Computer Misuse and Cybersecurity (Amendment) Bill).

As a consequence, the legislative changes would also mean that individuals and companies, including cybersecurity professionals, are obliged to exercise due care when dealing with personal data obtained through hacking.

For any personal data obtained or retained by individuals and companies of which the origin is unclear, including where such personal data may have been the product of hacking ("Hacked Personal Data"), individuals and companies must ensure that such Hacked Personal Data is not collected or used for the purpose of committing, or in facilitating the commission of, any offence ("legitimate purpose").

To the extent that individuals and companies supply, offer to supply, transmit or make available, by any means (each an "act of supplying") such Hacked Personal Data, they must (i) ensure that any act of supplying the Hacked Personal Data is only for a legitimate purpose, and (ii) be able to prove that they did not know, or have any reason to believe, that the Hacked Personal Data will be, or is likely to be used, to commit, or facilitate the commission of, any offence.
In other words, dealings in Hacked Personal Data could attract criminal liability under Singapore law, unless it is collected and used only for a legitimate purpose, and due care has been exercised in its disclosure, both in terms of the nature of the contents actually disclosed and the party to whom it was disclosed.

When Public Domain is Not Public Knowledge

In addition to the issues that could attract criminal liability under the CMCA, individuals and companies dealing with Hacked Personal Data for legitimate purposes need to be aware of other concurrent legal obligations.

Under the Singapore Personal Data Protection Act 2012 (PDPA), the collection, use and disclosure of any personal data by an organisation requires the consent of the individual to which the personal data pertains, unless the organisation can rely on exemptions under the PDPA, for example, where:

1) the collection, use and/or disclosure of the personal data is necessary:
   to respond to an emergency that threatens the life, health or safety of the individual or another individual; or
   for any investigation or proceedings; or
   for evaluative purposes; or
2) the personal data is publicly available.

The application of these exemptions under the PDPA may not be straightforward with regard to dealings with Hacked Personal Data, as the PDPA has ascribed specific meanings and parameters on what constitutes "investigation", "proceedings", "evaluative purposes", and "publicly available".

Individuals and organisations also must not forget that confidential data do not automatically lose their confidential status when they are made available in the public domain. This was clarified by the Singapore Court of Appeal in the recent decision of Wee Shuo Woon v HT S.R.L.