RHTLaw Taylor Wessing Intellectual Property and Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”.
The article was first published in the 23 June 2017 edition of CIO Asia.
Privacy, cybercrime and the law in a post-ransomware world
Source: CIO Asia
Date: 23 June 2017
Author: Jack Ow
In an age where data has become a valuable commodity that is the object of cybercrime, organisations and cybersecurity professionals must work within applicable legal frameworks in preventing, detecting and responding to cybercrime and cyberattacks.
This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
Weeks before the WannaCry ransomware attacks, I became another victim of cybercrime earlier in April 2017.
My bank's SMS notification alerted me to a €2,800 transaction on my credit card in a restaurant in Vienna one afternoon. The last I checked, I was in Singapore. Within the next minute, I was on the phone with the bank. As we were verifying the unauthorised transaction, a second SMS notification alerted us to another €1,300 that was transacted on the same card at the same location.
It was somewhat ironic, because I had highlighted recent amendments to the Singapore Computer Misuse and Cybersecurity Act (CMCA) that were passed by the Singapore parliament just days before the unauthorised credit card transactions. Like most victims of cybercrime, it is unlikely for me to have the full facts behind the unauthorised collection, circulation and use of my credit card details, but I believe that the recent amendments to our cybercrime laws are a necessary step in the correct direction to address the proliferating ease of obtaining valuable and/or sensitive personal data, for commissioning or facilitating other offences.
Buyer Beware: Using Hacked Personal Data Could Be A Crime
With the changes to our cybercrime laws, there will be, understandably, some initial uncertainty among individuals and companies in the scope and application of the laws, especially if they are in the business of cybersecurity, or have cybersecurity concerns.
One of the main objectives for amending the CMCA is to criminalise dealings in hacked personal data for illicit purposes. In particular, the changes address the roles of, and close the gaps under the existing law against, "middlemen" that trade in such personal data, but are not directly involved in the computer hacking offences. (See: Singapore Parliamentary Debates, Official Report (3 April 2017), 2nd Reading, Computer Misuse and Cybersecurity (Amendment) Bill).
As a consequence, the legislative changes would also mean that individuals and companies, including cybersecurity professionals, are obliged to exercise due care when dealing with personal data obtained through hacking.
For any personal data obtained or retained by individuals and companies whose origin is unclear, including where such personal data may have been the product of hacking ("Hacked Personal Data"), individuals and companies must ensure that such Hacked Personal Data is not collected or used for the purpose of committing, or in facilitating the commission of, any offence ("legitimate purpose").
To the extent that individuals and companies supply, offer to supply, transmit or make available, by any means (each an "act of supplying") such Hacked Personal Data, they must (i) ensure that any act of supplying the Hacked Personal Data is only for a legitimate purpose, and (ii) be able to prove that they did not know, or have any reason to believe, that the Hacked Personal Data will be, or is likely to be, used to commit, or facilitate the commission of, any offence.
In other words, dealings in Hacked Personal Data could attract criminal liability under Singapore law, unless it is collected and used only for a legitimate purpose, and due care has been exercised in its disclosure, both in terms of the nature of the contents actually disclosed and the party to whom it was disclosed.
When Public Domain is Not Public Knowledge
In addition to the issues that could attract criminal liability under the CMCA, individuals and companies dealing with Hacked Personal Data for legitimate purposes need to be aware of other concurrent legal obligations.
Under the Singapore Personal Data Protection Act 2012 (PDPA), the collection, use and disclosure of any personal data by an organisation requires the consent of the individual to whom the personal data pertains, unless the organisation can rely on exemptions under the PDPA, for example, where:
1) the collection, use and/or disclosure of the personal data is necessary:
   - to respond to an emergency that threatens the life, health or safety of the individual or another individual; or
   - for any investigation or proceedings; or
   - for evaluative purposes; or
2) the personal data is publicly available.
The application of these exemptions under the PDPA may not be straightforward with regard to dealings with Hacked Personal Data, as the PDPA has ascribed specific meanings and parameters on what constitutes "investigation", "proceedings", "evaluative purposes", and "publicly available".
Individuals and organisations also must not forget that confidential data do not automatically lose their confidential status when they are made available in the public domain. This was clarified by the Singapore Court of Appeal in the recent decision of Wee Shuo Woon v HT S.R.L.
International law firm RHTLaw Taylor Wessing, in conjunction with Taylor Wessing, launched its inaugural Global Data Protection Guide (GDPG) - spanning more than 60 countries - to capitalise on market demand for readily accessible information on data protection laws.
This innovative online map examines national data protection laws in multiple jurisdictions across the globe, for the benefit of all businesses across all sectors, who need to navigate the complexities of the global data privacy landscape. The GDPG addresses, amongst many others, the following questions:
Is there a national data protection law in place?
Are data processing notification requirements enforced by a regulator?
Are there rules on data transfers?
What are the guidelines for employee monitoring?
In addition, the tool allows the user to compare up to 5 countries at a time spanning data protection regimes across Europe, the US, South America, parts of Asia and Africa. The GDPG will be regularly updated so that it fully encompasses all significant changes relating to global data protection, including the introduction of the General Data Protection Regulation (GDPR) which will occur in May 2018.
The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation within the EU.
While Singapore has its own data protection laws in the form of the Personal Data Protection Act (PDPA), Singapore businesses are increasingly recognising the need to comply with the GDPR as well. Singapore is the EU’s largest commercial partner in ASEAN and local companies that do business with customers from the EU risk incurring hefty fines if they do not comply with the GDPR.
Rizwi Wun, Partner in the Intellectual Property & Technology practice at RHTLaw Taylor Wessing noted, “As data emerges as the new currency in the digital economy, the protection of data will be one key component of this new era. The GDPG will provide easy access to a useful database of data protection laws in many countries, and will prove to be a tool that companies will no doubt find very useful as a valuable resource.”
Vin Bange, Partner in the International Data Protection practice at Taylor Wessing commented, “With data protection compliance becoming headline news and following on from direct client feedback, the GDPG is incredibly timely. Data Protection laws impact all businesses, across all sectors, worldwide which means companies are now sitting up and taking note of what this actually means. Put simply, no business can escape from these laws. The idea, therefore, behind GDPG is to address the issues worrying firms head on and help everyone prepare for the market changes ahead.”
The new launch follows other recent innovations by Taylor Wessing, including the TW: Cyber Response app and builds on the wealth of international industry-focused thought leadership content available on the Global Data Hub, which provides expert insight and analysis on data protection issues and Download, which offers guidance on key developments in the media and technology sectors.
RHTLaw Taylor Wessing Family and Matrimonial Law Partner Michelle Woodworth wrote an article published in AsiaOne titled “Dads, here's how to survive Father's Day post-divorce”.
The article was first published in the 19 June 2017 edition of AsiaOne.
Dads, here's how to survive Father's Day post-divorce
Date: 19 June 2017
Author: Michelle Woodworth
Celebrating special occasions post-divorce may no longer be the same, not just for ex-spouses but for the children caught in between as well.
In the immediate years following a divorce, Mother's and Father's Day can be emotionally charged seasons.
Such occasions can also be confusing and pressurising for children as they adjust to not celebrating the occasion together with both parents.
For Mother's Day a month ago, I shared how divorced mothers can and should still celebrate their motherhood.
On the back of Father's Day this weekend, my hope is for ex-partners to embrace their lives post-divorce or separation.
In these times, dads are no longer just breadwinners for the family. They are actively involved in their children's lives and do make the time to bond with them.
My experience has revealed that divorced dads can be plagued with feelings of inadequacy for not always being there for their children.
This is a real concern post-divorce if they become the non-residential parent. It is still possible to nurture a loving relationship with children post-divorce.
Here are some suggested strategies to make fathering forever:
Don't be a 'Disney Dad'
Some dads feel a need to "make it up" to their children by trying to plan every visit as a fun-filled one.
From taking the children to amusement parks or buying them the latest toys or gadgets, there may be an internalised perception that indulgence is the best way to show love.
While children may respond well to gift-giving, it is suggested that the load of routine and daily parenting, such as helping children with homework or getting them to help out with household chores, form part of time spent together.
Sharing consistent boundaries
While you may not be living with your children, it may go a long way to participate in the dos and don'ts in a consistent manner with your co-parent.
Where possible, develop an approach that is enforced in both homes.
Composing such a list as co-parents, for example, a set bedtime on school nights, displays a commitment to parenting children as a team, putting personal differences aside.
Treat your ex with respect and civility
It may be challenging for ex-partners to maintain a cordial relationship all the time.
Yet, continued hostility and conflict between parents hurt children.
Avoid directing feelings of resentment or anger about the demised relationship to your children.
Rather, reinforce to the children that both parents love them, no matter what.
Be emotionally present
Your divorce, separation or breakdown in relationship may have taken a toll on you emotionally, but do try not to emotionally detach from your children.
Children thrive on love, affection and affirmation.
Always let your children know you are available and willing to talk or listen, even if you may not physically be with them.
Parenting is forever, even if a relationship has ended. Involved fatherhood post such an event can be a reality.
This Father's Day, a big shout-out to all dads. A very happy Father's Day!
To the giants in my life, my loving father and husband, "If I have seen further, it is by standing on the shoulders of giants." (Isaac Newton in 1676).
Michelle Woodworth is a Partner at RHTLaw Taylor Wessing, Court-appointed Child Representative, Senior Mediator under the Law Society Mediation Scheme, and an IMI and SIMI certified Mediator.