Singapore made changes to its Computer Misuse and Cybersecurity Act in April to target cybercrime, an issue that has been of increasing concern around the world especially with the WannaCry ransomware attacks. The amendments will criminalise activities that involve the dealing in and trading of personal information. Businesses that collect and work with personal data for legitimate purposes should take heed of the changes to avoid potential breaches.

Under the changes, it is an offence to use and trade data with a criminal intent, such as using credit card details and the buying and selling of hacking tools for malicious purposes. Penalties guilty of offences shall be fined up to $14,000 and may face up to five years of imprisonment. The changes apply not only within Singapore, but also to computers located overseas if the act creates a significant risk of serious harm in Singapore, such as disruption to essential services like healthcare, a risk that has been observed in the global ransomware attacks that have crippled parts of healthcare systems.

Rakesh Kirpalani

“The main impact will likely be on businesses that deal with personal data,” says Rakesh Kirpalani, a director specialising in commercial dispute resolution at Drew & Napier. “Hacking to obtain personal data is already an offence under the Act. The changes expand the scope of offences to ring-fence the hacked personal data by regulating what someone who stumbles upon the hacked personal data can and cannot do with this data. In short, the hacked personal data should not be used for an illegitimate purpose.”

“There is a worldwide trend towards systems and data protection with regulators increasing surveillance on data protection and data breaches,” says Stephen Soh, partner at Colin Ng & Partners. “Singapore is taking steps to protect systems for essential services such as utilities, power, energy grids, healthcare and emergency response without which could cripple the country.”

What businesses should do

Businesses should be careful where their operations involve personal data and would be wise to put in training programmes and reporting procedures for staff who work with such data. “Businesses dealing in personal data likely have to be prepared to exercise increased vigilance over staff who should be trained to recognise illegally obtained personal information and report the same,” says Kirpalani.

“In today’s digital world, it is important that business not underestimate cybersecurity risk,” says Kirpalani. “They should educate themselves on the forms of cybersecurity risks and what can be done to mitigate these risks. It is sometimes too easy for this to be downplayed as priority because of the ephemeral nature of the digital world. Your digital locks need to be as strong as your physical ones to keep data and systems safe.”

“Businesses will need to show regulators that they’ve done what they can in setting internal policies, putting in the technical systems, having staff training and ongoing monitoring programs in securing data,” says Soh.

“The Cyber Security Agency of Singapore has been working with the business community to increase awareness and training to change the mindset of businesses in viewing cybersecurity as a sunken cost to an investment,” says Soh.

Stephen Soh

Through the cyber security awareness alliance, the Cyber Security Agency of Singapore is working closely with the public and private sector to promote awareness and adoption of cyber security practices via talks, conferences and online resources. To target assistance to SMEs, the agency is providing specialist technology advice through a digital tech hub that will be open later this year.

“While some cyber security solutions will inevitably incur some costs, there are quick and relatively low-cost measures, such as ensuring regular back-up of company data and software updates, and employee education,” says Connie Lee, senior assistant director, communications and engagement office at the Cyber Security Agency of Singapore.

More regulation to come

A new cybersecurity Act will come in later this year to support the changes in existing regulation. “The Act is expected to identify critical information infrastructure (CII) operators and impose requirements to create and maintain cybersecurity systems,” says Kirpalani. “The Act is expected to allow the government to audit these operators and develop frameworks for cooperating with them to manage and ensure continuity in the event of large-scale cyberattacks.”

“Many other Asian countries require data breaches to be reported at some level,” adds Kirpalani. “In certain cases the notification obligation is restricted to key industries while other cases take a more expansive approach. Currently, there is no requirement to report data breaches under Singapore law. In the future, the Cybersecurity Act is expected to provide for CII operators to report cyber security incidents to the authorities.”

“A potentially contentious area is whether the government will go further to control and criminalise activities that are disruptive of the country not just in terms of essential services,” says Soh. “For example, with China’s cybersecurity law, digital and content providers are being monitored. It remains to be seen whether the government will have a close handle on proprietary systems and trade secrets.”

Businesses should ensure that their operations have clear cybersecurity and data protection guidelines, training and monitoring programmes, and be vigilant about new measures in the Cybersecurity Act that is due to come out later this year.