July 11, 2017

Intellectual Property & Technology Partner Jack Ow comments in The Business Times on the recent unveiling of Singapore’s draft Cybersecurity Bill

RHTLaw Taylor Wessing’s Intellectual Property & Technology Partner, Jack Ow, was quoted in The Business Times article titled “Cybersecurity Bill seeks to protect critical information infrastructure”. The article was first published in The Business Times on 11 July 2017.
Cybersecurity Bill seeks to protect critical information infrastructure
Source: The Business Times © Singapore Press Holdings Ltd.
Date: 11 July 2017
Author: Amit Roy Choudhury
As cyberattacks get more sophisticated and widespread, Singapore on Monday unveiled a comprehensive draft Cybersecurity Bill which seeks to protect Singapore's critical information infrastructure (CII), give more powers to the Cyber Security Agency (CSA), ensure proper information sharing during attacks, and introduce a licensing provision to regulate and ensure quality cybersecurity services are available here.
The draft bill was released on Monday for public consultations and this process will continue until Aug 3. After changes, if any, it is likely to be tabled in Parliament for first reading by the end of this year. Work on the legislation started in late-2015.
Under the bill, owners of CII will have to immediately inform CSA of a breach and share all relevant information. The bill sets out well-defined measures that CII owners need to undertake.
These include, among others, providing technical information relating to the CII to CSA, conducting of compliance audits and risk assessments as well as compliance with codes of practice and standards of performance and issued directions (from the regulatory agencies). These measures are expected to be undertaken irrespective of whether there has been a breach or not.
For CIIs, wilful non-compliance of duties generally carries a fine of up to S$100,000 and imprisonment of up to two years. These fines are separate from standard fines that are already in place in case of service disruption in CII sectors.
The bill will provide CSA with enhanced powers to manage and respond to cybersecurity threats and incidents. In this regard, Section 15A of the current Computer Misuse and Cybersecurity Act (CMCA) provides some existing powers related to cybersecurity. These will be enhanced in the Cybersecurity Bill, and specific powers will be vested in CSA officers to allow them to deal with fast-moving cybersecurity threats and incidents.
The bill also seeks to establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information. It also seeks to introduce a "lighter-touch" licensing framework for the regulation of selected cybersecurity service providers. For example, licensing the provision of "penetration testing" - where specialists check to see if an IT network has any vulnerabilities by trying to "hack" into the network - and managed security operations centre (SOC) services.
The proposed bill will focus on cybersecurity while crimes committed using a computer, such as hacking, will continue to be addressed by the CMCA. The bill is part of Singapore's Cybersecurity Strategy announced by Prime Minister Lee Hsien Loong last year.
Singapore's move to table a comprehensive bill mirrors similar efforts being undertaken by several countries around the world which are seeking to enact an omnibus cybersecurity law, such as Germany.
CSA chief executive David Koh noted that "currently the legislation or the regulations are disparate". As a result, he added, there are challenges, for example, in the area of information sharing.
"This new bill will put everything together and seeks to provide us the capability to facilitate action, both pre-emptive action and reactive action. The focus of the bill is on CII, because these by definition are critical and provide essential services to the country. So it is everyone's interest to protect them," Mr Koh said.
The CSA boss added that a need was also felt to facilitate CSA officers so that they would have the ability to respond to threats and facilitate information sharing "because . . . there are other rules which perhaps can be interpreted to prevent information sharing such as privacy rules, banking secrecy rules and others.
"The bill is designed to allow information sharing within certain parameters," he added.
Mr Koh will hold the position of the Commissioner of Cybersecurity. The Minister-in-charge of Cybersecurity could also appoint a Deputy Commissioner as well as a number of Assistant Commissioners.
Talking to The Business Times, Jack Ow, intellectual property & technology partner, RHTLaw Taylor Wessing, noted: "The draft bill is intended to be a broad framework for cybersecurity requirements to be consistently applied across sectors, but yet flexible enough to take into account the unique circumstances of each sector.
"In this regard, the requirements in the draft bill, especially the duties on cybersecurity imposed on owners of CII, can be viewed as baseline requirements applicable to all industries, as long as you are considered a 'CII'."
Daryl Pereira, head of cybersecurity at KPMG in Singapore, added that the proposed bill, specifically the framework for the protection of CII, "seeks to level the playing field and raise the maturity and preparedness of all sectors in Singapore to a common baseline".
"This Cybersecurity Bill will help to form a strong foundation for Singapore to transform itself into a digital economy, powered by innovation and enabled by cybersecurity readiness," Mr Pereira added.
Steve Lam, advisory partner, Ernst & Young Advisory, added that the bill served to provide a framework for the protection of Singapore's essential services against cyber-attacks.
"If passed in its current state, (the bill) clarifies and sets in law the accountability of the board, senior management and participants in protecting Singapore's national interests across both the public and private sectors."
July 11, 2017

Intellectual Property & Technology Partner Jack Ow shares with TODAY how imposing licensing on cyber security service providers can improve assurance on safety

RHTLaw Taylor Wessing’s Intellectual Property & Technology Partner, Jack Ow, was quoted in a TODAY article titled “Laws proposed to boost Singapore defences against cyber attacks”. The article was first published in The Business Times on 11 July 2017.
Laws proposed to boost Singapore defences against cyber attacks
Source: TODAY © Mediacorp Press Ltd.
Date: 11 July 2017
Author: Tan Weizhen
SINGAPORE — To beef up the country’s defences against increasingly sophisticated cyber attacks, new laws have been proposed that, among other things, require owners of critical information infrastructure (CII) in 11 key sectors to report any cyber security incidents, and to share information with the authorities when ordered.
These sectors provide essential services and comprise government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.
The draft Cybersecurity Bill also proposes to license cyber security service providers and practitioners, starting with those providing penetration testing and managed security operations centre services.
Public consultation for the proposed laws began on Monday, and closes on Aug 3. The Bill may supersede existing secrecy laws in the various sectors, and establishes a framework to manage cyber security in Singapore. It also gives the Cyber Security Agency (CSA) powers to carry out its functions.
Under the proposed Bill, public and private-sector owners of CII — defined as computer systems necessary for the continuous delivery of essential services — will have certain statutory duties, such as reporting cyber attacks to the Commissioner of Cybersecurity, and carrying out audits, risk assessments as well as participating in cyber security exercises.
The list of CII will be constantly evaluated, and additions will be made when necessary by the CSA.
While the CII owners will not be directly penalised for cyber security breaches, they are liable for criminal offences “in cases where they fail to perform their duties wilfully, or fail to comply with the commissioner’s directions without reasonable excuse”, based on the public consultation paper. In such cases, they could be fined up to S$100,000, and jailed for a maximum of two years if convicted.
CSA chief executive officer David Koh said that the draft Bill is different from existing legislation — such as the Computer Misuse Act — in terms of having an expanded scope, officially designating CII, and spelling out clearly the duties of CII owners, for instance. “The (draft) Bill also aims to raise our overall cyber security posture, by licensing certain cyber security service providers,” he said.
A framework will be established for the sharing of cyber security information with CSA officers. This will be for the purpose of preventing, detecting or investigating any cyber security threat or incident. If necessary, any relevant organisations that are outside the 11 key sectors may be compelled to share information with the CSA.
The licensing regime was proposed in light of the “need for more credible services, as cyber security risks become more mainstream”, said the CSA. Nevertheless, in-house providers will be exempted.
Two types of licences are proposed for investigative and non-investigative cyber security services. To meet licensing requirements, service providers must have key executive officers, who are fit and proper persons, comply with a code of ethics and retain service records for five years, among others.
Under the new laws, unlicensed cyber service providers, for example, could be fined as much as S$50,000, or jailed for a maximum of two years, or both.
Cyber security experts and lawyers TODAY spoke to welcomed the draft Bill, which “elevates” cyber security in sectors providing essential services “from what was previously a decision left to the business owner’s discretion”, as Mr Steve Lam, a partner at Ernst & Young Advisory, put it.
Mr Vincent Loy, Cyber and Financial Crime leader at PWC, noted that it specifically places responsibility on individuals, rather than organisations. Under the draft Bill, senior management could be held liable for specific offences. “Now someone is personally liable, and he can go to jail or has to pay a fine. This creates more impact, and highlights the importance of complying with the rules,” Mr Loy said.
Lawyer Bryan Tan of Pinsent Masons added: “In future, people do really need to pay attention, as the laws would have more bite than ever before.” He noted that with the licensing of penetration testing, a line would be drawn between white-hat and black-hat hackers, and this would encourage legitimate hackers to get licensed.
The licensing regime would “improve assurance on security and safety”, as well as raise quality of cyber security services, said Mr Jack Ow, Intellectual Property & Technology partner at RHTLaw Taylor Wessing.
KEY THRUSTS OF THE PROPOSED CYBERSECURITY BILL
A total of 11 sectors will have to comply with the proposed Bill. Apart from the government, others include security and emergency, healthcare, telecommunications, banking and finance, water and media sectors.
Critical information infrastructure (CII) owners in these sectors will have to report cyber attacks, carry out audits and risk assessments, as well as take part in cyber security exercises, among other statutory duties. CII owners are liable if they wilfully fail to comply with any of their duties.
Organisations will be compelled to share cyber security information with Cyber Security Agency of Singapore officers, in order to investigate any cyber security threat or attack.
Cyber security service providers and practitioners will be licensed, starting with those providing penetration testing and managed security operations centre services.
June 30, 2017

Intellectual Property & Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”

RHTLaw Taylor Wessing Intellectual Property & Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”. The article was first published in the 23 June 2017 edition of CIO Asia.
Privacy, cybercrime and the law in a post-ransomware world
Source: CIO Asia
Date: 23 June 2017
Author: Jack Ow
In an age where data has become a valuable commodity that is the object of cybercrime, organisations and cybersecurity professionals must work within applicable legal frameworks in preventing, detecting and responding to cybercrime and cyberattacks.
This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
Weeks before the WannaCry ransomware attacks, I became another victim of cybercrime earlier in April 2017. My bank's SMS notification alerted me to a €2,800 transaction on my credit card in a restaurant in Vienna one afternoon. The last I checked, I was in Singapore.
Within the next minute, I was on the phone with the bank. As we were verifying the unauthorised transaction, a second SMS notification alerted us to another €1,300 that was transacted on the same card at the same location.
It was somewhat ironic, because I had highlighted recent amendments to the Singapore Computer Misuse and Cybersecurity Act (CMCA) that was passed by the Singapore parliament just days before the unauthorised credit card transactions.
Like most victims of cybercrime, it is unlikely for me to have the full facts behind the unauthorised collection, circulation and use of my credit card details, but I believe that the recent amendments to our cybercrime laws are a necessary step in the correct direction to address the proliferating ease of obtaining valuable and/or sensitive personal data, for commissioning or facilitating other offences.
Buyer Beware: Using Hacked Personal Data Could Be A Crime
With the changes to our cybercrime laws, there will be, understandably, some initial uncertainty among individuals and companies in the scope and application of the laws, especially if they are in the business of cybersecurity, or have cybersecurity concerns.
One of the main objectives for amending the CMCA is to criminalise dealings in hacked personal data for illicit purposes. In particular, the changes address the roles of, and close the gaps under the existing law against, "middlemen" that trade in such personal data, but are not directly involved in the computer hacking offences. (See: Singapore Parliamentary Debates, Official Report (3 April 2017), 2nd Reading, Computer Misuse and Cybersecurity (Amendment) Bill).
As a consequence, the legislative changes would also mean that individuals and companies, including cybersecurity professionals, are obliged to exercise due care when dealing with personal data obtained through hacking.
For any personal data obtained or retained by individuals and companies to which the origin is unclear, including where such personal data may have been the product of hacking ("Hacked Personal Data"), individuals and companies must ensure that such Hacked Personal Data is not collected or used for the purpose of committing, or in facilitating the commission of, any offence ("legitimate purpose").
To the extent that individuals and companies supply, offer to supply, transmit or make available, by any means (each an "act of supplying") such Hacked Personal Data, they must (i) ensure that any act of supplying the Hacked Personal Data is only for a legitimate purpose, and (ii) be able to prove that they did not know, or have any reason to believe, that the hacked personal data will be, or is likely to be used, to commit, or facilitate the commission of, any offence.
In other words, dealings in Hacked Personal Data could attract criminal liability under Singapore law, unless it is collected and used only for a legitimate purpose, and due care has been exercised in its disclosure, both in terms of the nature of the contents actually disclosed and the party to whom it was disclosed.
When Public Domain is Not Public Knowledge
In addition to the issues that could attract criminal liability under the CMCA, individuals and companies dealing with Hacked Personal Data for legitimate purposes need to be aware of other concurrent legal obligations.
Under the Singapore Personal Data Protection Act 2012 (PDPA), the collection, use and disclosure of any personal data by an organisation requires the consent of the individual to which the personal data pertains, unless the organisation can rely on exemptions under the PDPA, for example, where:
1) the collection, use and/or disclosure of the personal data is necessary:
  to respond to an emergency that threatens the life, health or safety of the individual or another individual; or
  for any investigation or proceedings; or
  for evaluative purposes; or
2) the personal data is publicly available.
The application of these exemptions under the PDPA may not be straightforward with regard to dealings with Hacked Personal Data, as the PDPA has ascribed specific meanings and parameters on what constitutes "investigation", "proceedings", "evaluative purposes", and "publicly available".
Individuals and organisations also must not forget that confidential data do not automatically lose their confidential status when they are made available in the public domain. This was clarified by the Singapore Court of Appeal in the recent decision of Wee Shuo Woon v HT S.R.L.
June 19, 2017

Managing Partner Tan Chong Huat shares with The Business Times the different schemes RHTLaw Taylor Wessing adopts in taking in practice trainees following the glut of law graduates in Singapore

RHTLaw Taylor Wessing Managing Partner Tan Chong Huat was quoted in The Business Times article titled “More local law firms willing to take in trainees, but without pay”. The article was first published in The Straits Times on 19 June 2017.
More local law firms willing to take in trainees, but without pay
Source: The Business Times © Singapore Press Holdings Ltd.
Date: 19 June 2017
Author: Claudia Chong
Following the glut of law graduates in Singapore, more local law firms are taking in practice trainees who are unable to secure placements elsewhere - on the condition that they do not receive an honorarium during their stint.
Both foreign and local law graduates are required to complete a six-month practice training contract at a Singapore law practice before being called to the Bar.
Senior partner Tan Chong Huat told The Business Times that his firm, RHTLaw Taylor Wessing, typically has different schemes for the practice trainees that it takes in.
Trainees in the first scheme are those that the firm intends to retain - "mature students" or those with a "very good track record". Trainees in the second scheme have their pay varied and have not been identified for retention. The last scheme comprises trainees who were unable to find a place at other law firms to complete their training.
"They come around and say, 'Can you offer us a place here?' Mostly these will be business associates' referrals," said Mr Tan. "So we take them on and they might just have no pay."
Honorariums for training contracts can range from S$800 to S$1,600 a month, according to a listing on the Law Society of Singapore website.
Another senior partner practising at a large local law firm said that for the past two years, his firm has taken in one or two such trainees per year.
But these arrangements are kept private between the trainee and the management to avoid stigmatisation, and the trainees perform the standard rotation work and are exposed to the same kinds of cases as ordinary trainees, he said.
These unpaid trainees are often graduates who read law overseas; returning overseas graduates might face difficulties securing a training contract if they had not previously interned at law firms here.
"How we, as a firm, hire trainees nowadays is nearly always through (structured) internships. We very seldom hire trainees through direct applications," said the senior partner, who spoke to BT on condition of anonymity.
Students reading law at the National University of Singapore (NUS) and the Singapore Management University (SMU) are encouraged to pursue internships during semester breaks. While NUS Law does not make internships mandatory for students, SMU requires undergraduates undergoing its bachelor of laws programme to complete 10 weeks of internship with either a law firm or a legal department, or a combination of both.
The issue of the glut of lawyers here has become a hotly debated topic in recent years. While the number of students accepted yearly by NUS and SMU's law schools has remained fairly constant, the annual number of returning overseas law graduates rose from around 210 in 2011 to around 310 in 2015, said the Ministry of Law (MinLaw) in response to queries from BT.
The increase in students reading law overseas prompted MinLaw in 2015 to axe eight UK universities from the list of foreign universities approved for graduate admission to the Singapore Bar. The move was implemented from Academic Year 2016/17 onwards; there are now 11 UK universities on the list.
In the meantime, it appears that returning graduates will continue to struggle to get a training contract placement.
Statistics from MinLaw show that from 2011 to 2015, around 70 per cent of overseas-trained graduates secured training contracts, compared to around 90 per cent of local graduates.
In response, the Singapore Institute of Legal Education in December 2015 made changes to the number of practice trainees that a senior practitioner can supervise, easing the quota from two to four.
"There has been an influx of law graduates in the past few years and not enough training places to absorb them all," said Stefanie Yuen Thio, joint managing director of TSMP Law Corporation. "Firms that previously did not take in trainees have started doing so, partly to do their bit for law graduates who cannot otherwise get contracts."
Small-sized firm Exodus Law Corporation typically has two to four trainees working with it at any given time, though the firm's managing director Daniel Xu said that it does not need more than two trainees. The firm gives its trainees an allowance of S$300 to S$500 a month to cover their basic expenses, depending on the applicant's previous work experience.
"I am not paying the best allowance in town. I am one of the lowest among the rest, but I can't afford more," said Mr Xu. "As far as I'm concerned . . . I'm doing a form of National Service - providing these graduates with an opportunity to complete their training so that they can go on and become lawyers in the near future."