July 11, 2017

Intellectual Property & Technology Partner Jack Ow shares with TODAY how imposing licensing on cyber security service providers can improve assurance on safety

RHTLaw Taylor Wessing’s Intellectual Property & Technology Partner, Jack Ow, was quoted in a TODAY article titled “Laws proposed to boost Singapore defences against cyber attacks”. The article was first published in The Business Times on 11 July 2017.

Laws proposed to boost Singapore defences against cyber attacks
Source: TODAY © Mediacorp Press Ltd.
Date: 11 July 2017
Author: Tan Weizhen

SINGAPORE — To beef up the country’s defences against increasingly sophisticated cyber attacks, new laws have been proposed that, among other things, require owners of critical information infrastructure (CII) in 11 key sectors to report any cyber security incidents, and to share information with the authorities when ordered. These sectors provide essential services and comprise government, security and emergency, healthcare, telecommunications, banking and finance, energy, water, media, land transport, air transport and maritime.

The draft Cybersecurity Bill also proposes to license cyber security service providers and practitioners, starting with those providing penetration testing and managed security operations centre services. Public consultation for the proposed laws began on Monday, and closes on Aug 3.

The Bill may supersede existing secrecy laws in the various sectors, and establishes a framework to manage cyber security in Singapore. It also gives the Cyber Security Agency (CSA) powers to carry out its functions.

Under the proposed Bill, public and private-sector owners of CII — defined as computer systems necessary for the continuous delivery of essential services — will have certain statutory duties, such as reporting cyber attacks to the Commissioner of Cybersecurity, and carrying out audits, risk assessments as well as participating in cyber security exercises. The list of CII will be constantly evaluated, and additions will be made when necessary by the CSA.

While the CII owners will not be directly penalised for cyber security breaches, they are liable for criminal offences “in cases where they fail to perform their duties wilfully, or fail to comply with the commissioner’s directions without reasonable excuse”, based on the public consultation paper. In such cases, they could be fined up to S$100,000, and jailed for a maximum of two years if convicted.

CSA chief executive officer David Koh said that the draft Bill is different from existing legislation — such as the Computer Misuse Act — in terms of having an expanded scope, officially designating CII, and spelling out clearly the duties of CII owners, for instance. “The (draft) Bill also aims to raise our overall cyber security posture, by licensing certain cyber security service providers,” he said.

A framework will be established for the sharing of cyber security information with CSA officers. This will be for the purpose of preventing, detecting or investigating any cyber security threat or incident. If necessary, any relevant organisations that are outside the 11 key sectors may be compelled to share information with the CSA.

The licensing regime was proposed in light of the “need for more credible services, as cyber security risks become more mainstream”, said the CSA. Nevertheless, in-house providers will be exempted. Two types of licences are proposed for investigative and non-investigative cyber security services. To meet licensing requirements, service providers must have key executive officers, who are fit and proper persons, comply with a code of ethics and retain service records for five years, among others. Under the new laws, unlicensed cyber service providers, for example, could be fined as much as S$50,000, or jailed for a maximum of two years, or both.

Cyber security experts and lawyers TODAY spoke to welcomed the draft Bill, which “elevates” cyber security in sectors providing essential services “from what was previously a decision left to the business owner’s discretion”, as Mr Steve Lam, a partner at Ernst & Young Advisory, put it.

Mr Vincent Loy, Cyber and Financial Crime leader at PWC, noted that it specifically places responsibility on individuals, rather than organisations. Under the draft Bill, senior management could be held liable for specific offences. “Now someone is personally liable, and he can go to jail or has to pay a fine. This creates more impact, and highlights the importance of complying with the rules,” Mr Loy said.

Lawyer Bryan Tan of Pinsent Masons added: “In future, people do really need to pay attention, as the laws would have more bite than ever before.” He noted that with the licensing of penetration testing, a line would be drawn between white-hat and black-hat hackers, and this would encourage legitimate hackers to get licensed.

The licensing regime would “improve assurance on security and safety”, as well as raise quality of cyber security services, said Mr Jack Ow, Intellectual Property & Technology partner at RHTLaw Taylor Wessing.

KEY THRUSTS OF THE PROPOSED CYBERSECURITY BILL

- A total of 11 sectors will have to comply with the proposed Bill. Apart from the government, others include security and emergency, healthcare, telecommunications, banking and finance, water and media sectors.
- Critical information infrastructure (CII) owners in these sectors will have to report cyber attacks, carry out audits and risk assessments, as well as take part in cyber security exercises, among other statutory duties. CII owners are liable if they wilfully fail to comply with any of their duties.
- Organisations will be compelled to share cyber security information with Cyber Security Agency of Singapore officers, in order to investigate any cyber security threat or attack.
- Cyber security service providers and practitioners will be licensed, starting with those providing penetration testing and managed security operations centre services.
June 30, 2017

Intellectual Property & Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”

RHTLaw Taylor Wessing Intellectual Property & Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”. The article was first published in the 23 June 2017 edition of CIO Asia.

Privacy, cybercrime and the law in a post-ransomware world
Source: CIO Asia
Date: 23 June 2017
Author: Jack Ow

In an age where data has become a valuable commodity that is the object of cybercrime, organisations and cybersecurity professionals must work within applicable legal frameworks in preventing, detecting and responding to cybercrime and cyber-attacks.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Weeks before the WannaCry ransomware attacks, I became another victim of cybercrime earlier in April 2017. My bank's SMS notification alerted me to a €2,800 transaction on my credit card in a restaurant in Vienna one afternoon. The last I checked, I was in Singapore. Within the next minute, I was on the phone with the bank. As we were verifying the unauthorised transaction, a second SMS notification alerted us to another €1,300 that was transacted on the same card at the same location.

It was somewhat ironic, because I had highlighted recent amendments to the Singapore Computer Misuse and Cybersecurity Act (CMCA) that were passed by the Singapore parliament just days before the unauthorised credit card transactions. Like most victims of cybercrime, it is unlikely for me to have the full facts behind the unauthorised collection, circulation and use of my credit card details, but I believe that the recent amendments to our cybercrime laws are a necessary step in the correct direction to address the proliferating ease of obtaining valuable and/or sensitive personal data, for commissioning or facilitating other offences.

Buyer Beware: Using Hacked Personal Data Could Be A Crime

With the changes to our cybercrime laws, there will be, understandably, some initial uncertainty among individuals and companies in the scope and application of the laws, especially if they are in the business of cybersecurity, or have cybersecurity concerns.

One of the main objectives for amending the CMCA is to criminalise dealings in hacked personal data for illicit purposes. In particular, the changes address the roles of, and close the gaps under the existing law against, "middlemen" that trade in such personal data, but are not directly involved in the computer hacking offences. (See: Singapore Parliamentary Debates, Official Report (3 April 2017), 2nd Reading, Computer Misuse and Cybersecurity (Amendment) Bill).

As a consequence, the legislative changes would also mean that individuals and companies, including cybersecurity professionals, are obliged to exercise due care when dealing with personal data obtained through hacking. For any personal data obtained or retained by individuals and companies to which the origin is unclear, including where such personal data may have been the product of hacking ("Hacked Personal Data"), individuals and companies must ensure that such Hacked Personal Data is not collected or used for the purpose of committing, or in facilitating the commission of, any offence ("legitimate purpose").

To the extent that individuals and companies supply, offer to supply, transmit or make available, by any means (each an "act of supplying") such Hacked Personal Data, they must (i) ensure that any act of supplying the Hacked Personal Data is only for a legitimate purpose, and (ii) be able to prove that they did not know, or have any reason to believe, that the hacked personal data will be, or is likely to be used, to commit, or facilitate the commission of, any offence.

In other words, dealings in Hacked Personal Data could attract criminal liability under Singapore law, unless it is collected and used only for a legitimate purpose, and due care has been exercised in its disclosure, both in terms of the nature of the contents actually disclosed and the party to whom it was disclosed.

When Public Domain is Not Public Knowledge

In addition to the issues that could attract criminal liability under the CMCA, individuals and companies dealing with Hacked Personal Data for legitimate purposes need to be aware of other concurrent legal obligations.

Under the Singapore Personal Data Protection Act 2012 (PDPA), the collection, use and disclosure of any personal data by an organisation requires the consent of the individual to which the personal data pertains, unless the organisation can rely on exemptions under the PDPA, for example, where:

1) the collection, use and/or disclosure of the personal data is necessary:
   - to respond to an emergency that threatens the life, health or safety of the individual or another individual; or
   - for any investigation or proceedings; or
   - for evaluative purposes; or
2) the personal data is publicly available.

The application of these exemptions under the PDPA may not be straightforward with regard to dealings with Hacked Personal Data, as the PDPA has ascribed specific meanings and parameters on what constitutes "investigation", "proceedings", "evaluative purposes", and "publicly available".

Individuals and organisations also must not forget that confidential data do not automatically lose their confidential status when they are made available in the public domain. This was clarified by the Singapore Court of Appeal in the recent decision of Wee Shuo Woon v HT S.R.L.
June 28, 2017

RHTLaw Taylor Wessing and Taylor Wessing Go Global With Digital Data Protection Tool

International law firm RHTLaw Taylor Wessing, in conjunction with Taylor Wessing, launched its inaugural Global Data Protection Guide (GDPG) - spanning more than 60 countries - to capitalise on market demand for readily accessible information on data protection laws.

This innovative online map examines national data protection laws in multiple jurisdictions across the globe, for the benefit of all businesses across all sectors, who need to navigate the complexities of the global data privacy landscape. The GDPG addresses, amongst many others, the following questions:

- Is there a national data protection law in place?
- Are data processing notification requirements enforced by a regulator?
- Are there rules on data transfers?
- What are the guidelines for employee monitoring?

In addition, the tool allows the user to compare up to 5 countries at a time spanning data protection regimes across Europe, the US, South America, parts of Asia and Africa.

The GDPG will be regularly updated so that it fully encompasses all significant changes relating to global data protection, including the introduction of the General Data Protection Regulation (GDPR) which will occur in May 2018. The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation within the EU.

While Singapore has its own data protection laws in the form of the Personal Data Protection Act (PDPA), Singapore businesses are increasingly recognising the need to comply with the GDPR as well. Singapore is the EU’s largest commercial partner in ASEAN and local companies that do business with customers from the EU risk incurring hefty fines if they do not comply with the GDPR.

Rizwi Wun, Partner in the Intellectual Property & Technology practice at RHTLaw Taylor Wessing noted, “As data emerges as the new currency in the digital economy, the protection of data will be one key component of this new era. The GDPG will provide easy access to a useful database of data protection laws in many countries, and will prove to be a tool that companies will no doubt find very useful as a valuable resource.”

Vin Bange, Partner in the International Data Protection practice at Taylor Wessing commented, “With data protection compliance becoming headline news and following on from direct client feedback, the GDPG is incredibly timely. Data Protection laws impact all businesses, across all sectors, worldwide which means companies are now sitting up and taking note of what this actually means. Put simply, no business can escape from these laws. The idea, therefore, behind GDPG is to address the issues worrying firms head on and help everyone prepare for the market changes ahead.”

The new launch follows other recent innovations by Taylor Wessing, including the TW: Cyber Response app and builds on the wealth of international industry-focused thought leadership content available on the Global Data Hub, which provides expert insight and analysis on data protection issues and Download, which offers guidance on key developments in the media and technology sectors.

View the Global Data Protection Guide here.
June 19, 2017

Managing Partner Tan Chong Huat shares with The Business Times the different schemes RHTLaw Taylor Wessing adopts in taking in practice trainees following the glut of law graduates in Singapore

RHTLaw Taylor Wessing Managing Partner Tan Chong Huat was quoted in The Business Times article titled “More local law firms willing to take in trainees, but without pay”. The article was first published in The Straits Times on 19 June 2017.

More local law firms willing to take in trainees, but without pay
Source: The Business Times © Singapore Press Holdings Ltd.
Date: 19 June 2017
Author: Claudia Chong

FOLLOWING the glut of law graduates in Singapore, more local law firms are taking in practice trainees who are unable to secure placements elsewhere - on the condition that they do not receive an honorarium during their stint.

Both foreign and local law graduates are required to complete a six-month practice training contract at a Singapore law practice before being called to the Bar.

Senior partner Tan Chong Huat told The Business Times that his firm, RHTLaw Taylor Wessing, typically has different schemes for the practice trainees that it takes in. Trainees in the first scheme are those that the firm intends to retain - "mature students" or those with a "very good track record". Trainees in the second scheme have their pay varied and have not been identified for retention. The last scheme comprises trainees who were unable to find a place at other law firms to complete their training.

"They come around and say, 'Can you offer us a place here?' Mostly these will be business associates' referrals," said Mr Tan. "So we take them on and they might just have no pay."

Honorariums for training contracts can range from S$800 to S$1,600 a month, according to a listing on the Law Society of Singapore website.

Another senior partner practising at a large local law firm said that for the past two years, his firm has taken in one or two such trainees per year. But these arrangements are kept private between the trainee and the management to avoid stigmatisation, and the trainees perform the standard rotation work and are exposed to the same kinds of cases as ordinary trainees, he said.

These unpaid trainees are often graduates who read law overseas; returning overseas graduates might face difficulties securing a training contract if they had not previously interned at law firms here.

"How we, as a firm, hire trainees nowadays is nearly always through (structured) internships. We very seldom hire trainees through direct applications," said the senior partner, who spoke to BT on condition of anonymity.

Students reading law at the National University of Singapore (NUS) and the Singapore Management University (SMU) are encouraged to pursue internships during semester breaks. While NUS Law does not make internships mandatory for students, SMU requires undergraduates undergoing its bachelor of laws programme to complete 10 weeks of internship with either a law firm or a legal department, or a combination of both.

The issue of the glut of lawyers here has become a hotly debated topic in recent years. While the number of students accepted yearly by NUS and SMU's law schools has remained fairly constant, the annual number of returning overseas law graduates rose from around 210 in 2011 to around 310 in 2015, said the Ministry of Law (MinLaw) in response to queries from BT.

The increase in students reading law overseas prompted MinLaw in 2015 to axe eight UK universities from the list of foreign universities approved for graduate admission to the Singapore Bar. The move was implemented from Academic Year 2016/17 onwards; there are now 11 UK universities on the list.

In the meantime, it appears that returning graduates will continue to struggle to get a training contract placement. Statistics from MinLaw show that from 2011 to 2015, around 70 per cent of overseas-trained graduates secured training contracts, compared to around 90 per cent of local graduates.

In response, the Singapore Institute of Legal Education in December 2015 made changes to the number of practice trainees that a senior practitioner can supervise, easing the quota from two to four.

"There has been an influx of law graduates in the past few years and not enough training places to absorb them all," said Stefanie Yuen Thio, joint managing director of TSMP Law Corporation. "Firms that previously did not take in trainees have started doing so, partly to do their bit for law graduates who cannot otherwise get contracts."

Small-sized firm Exodus Law Corporation typically has two to four trainees working with it at any given time, though the firm's managing director Daniel Xu said that it does not need more than two trainees. The firm gives its trainees an allowance of S$300 to S$500 a month to cover their basic expenses, depending on the applicant's previous work experience.

"I am not paying the best allowance in town. I am one of the lowest among the rest, but I can't afford more," said Mr Xu. "As far as I'm concerned . . . I'm doing a form of National Service - providing these graduates with an opportunity to complete their training so that they can go on and become lawyers in the near future."