16 March, 2018
During 2017, cyberattacks continued to evolve and develop sophistication, exploiting both previously unidentified vulnerabilities and known vulnerabilities in new ways. Ransomware attacks such as Petya and WannaCry put critical functions across the world and across industries on hold, while the Mirai botnet attack, unleashed in late 2016, highlighted the increasing vulnerabilities of networked Internet of Things (or IoT) devices.
In this context, global regulators and legislators continue to implement new measures aimed at tightening cybersecurity and data privacy requirements for corporates. In 2017 alone, new and stringent regulations came into force in China, Australia, and New York State, with 2018 already seeing Singapore’s new cybersecurity law enacted and Europe’s GDPR set to enter into force within a few months. In the first of a series of Asian cybersecurity updates, we highlight new developments in Australia, Singapore and China.
Australia
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (the “Amendment Act”), which amends the Privacy Act 1988, took effect on 22 February 2018. The Privacy Act 1988, which contains thirteen Australian Privacy Principles (“APPs”), regulates how personal information is to be handled. Subject to limited exemptions, the APPs apply to a wide cross-section of entities, including sole traders, corporates, partnerships, trusts and unincorporated associations (“APP entities”). The exemptions comprise small businesses (generally, entities having an annual turnover of AUD3,000,000 or less), registered political parties and State/Territory authorities.
The Amendment Act introduces the Notifiable Data Breaches scheme, which obliges all APP entities to make notifications of “eligible data breaches”, namely breaches involving personal information that are likely to result in serious harm to any individual affected. An APP regulated entity that becomes aware of a potential eligible data breach must:
(i) conduct a reasonable and expeditious assessment, within 30 days of becoming aware of the suspected breach, to determine whether an eligible data breach has occurred and therefore requires notification; and
(ii) upon confirming that an eligible data breach has occurred, promptly notify the individuals whose information is involved in the breach, including details of the breach and recommendations about the steps those individuals should take in response. It must also lodge a statement in the prescribed form with the Australian Information Commissioner as soon as practicable.
Determining whether or not an eligible data breach has occurred will therefore turn on whether the breach is likely (that is, more probable than not) to result in serious harm to an individual whose personal information was part of the breach. Although “serious harm” is not defined in the Privacy Act 1988, the Office of the Australian Information Commissioner has stated that it may include serious physical, psychological, emotional, financial or reputational harm.
In the aftermath of a data breach, APP entities will therefore need to carefully assess the likelihood of serious harm to individuals on a holistic basis, taking into account the nature of the data breach and the potential consequences of the data becoming public.
Singapore
Cybersecurity Bill passed on 8 February 2018
On 8 February 2018 the Singapore Parliament passed the Cybersecurity Bill (the “Bill”). The Bill aims to establish a framework for the legal oversight of national cybersecurity in Singapore, with an emphasis on the proactive protection of what is classified as critical information infrastructure (“CII”) against cyber threats. The Bill will take effect as the Cybersecurity Act 2018 on a date to be determined by notification in the Gazette.
Key features of the new legislation are:
(i) the existing Cyber Security Agency of Singapore (“CSA”) will be empowered to oversee and promote national cybersecurity. Its duties will include identifying CII and regulating CII owners, monitoring cyber threats, responding to cybersecurity incidents that threaten national security or the economy (whether they occur in or outside Singapore), and licensing and establishing standards for cybersecurity service providers;
(ii) CII owners will be subject to new cybersecurity obligations, including sharing information with the CSA, notifying the CSA of any change in ownership or material change in operation, incident reporting, regular auditing, carrying out regular cybersecurity risk assessments and participating in cybersecurity exercises; and
(iii) vendors providing (a) penetration testing and (b) managed security operations centre monitoring must be licensed. Service providers applying for a licence are required to ensure that their key executive officers are fit and proper persons, and may be refused a licence if they fail to do so.
Updates on the proposed mandatory data breach notification regime
Financial institutions are already required to notify the Monetary Authority of Singapore within one hour of discovering a security breach that has a severe and widespread impact on their operations or materially impacts their customers. However, there is currently no general requirement to report a data breach.
This may be set to change following a public consultation launched by the Personal Data Protection Commission (“PDPC”) of Singapore on 27 July 2017 which proposed introducing a mandatory data breach notification regime under the Personal Data Protection Act 2012 (“PDPA”). The PDPC published its updated proposals on 1 February 2018 in response to feedback received on the initial consultation.
The changes now proposed include:
- Notification criteria: notification to the PDPC and affected individuals would be required where the breach is likely to result in significant harm or impact to the individual to whom the information relates. Where the breach does not pose any risk of impact or harm to affected individuals but is of a significant scale, only notification to the PDPC is required; and
- Notification time frame: upon determining that a breach is eligible for reporting, an organisation must notify the PDPC within 72 hours and affected individuals as soon as practicable. The 72-hour period is consistent with other global regulatory schemes, such as the New York State cybersecurity regulation and the forthcoming European GDPR. An organisation has up to 30 days from the date it becomes aware of a suspected breach to determine whether it is eligible for reporting.
It remains to be seen when these proposed changes will be implemented. The PDPC has indicated that it intends to conduct further public consultations in relation to a wider review of the PDPA, albeit no timeline has been provided for the completion of this exercise.
China
The China Cybersecurity Law (“Cybersecurity Law”), which took effect on 1 June 2017, introduced obligations that apply to individuals and organisations deemed to be “network operators” and other, more stringent requirements (e.g. in relation to data localisation and cross-border transfer restrictions) on those deemed to be operators of “critical information infrastructure”.
More than a year after the Cybersecurity Law was first published, the Cyberspace Administration of China (“CAC”), together with other industry regulators and organisations, has released a series of guidelines (some of which remain in draft form, and which are available in Chinese only) to clarify how the Cybersecurity Law is to be implemented.
Enforcement activity in relation to possible breaches of the Cybersecurity Law is also underway. Examples include:
- a review by the CAC and other regulators of the privacy terms of ten mainstream network products and services providers, including WeChat, Taobao, Alipay, and JD.com, following which these companies also signed a manifesto on personal information protection; and
- the CAC imposing the maximum fine provided under the Cybersecurity Law (RMB 500,000) in September 2017 on China’s top three internet companies (Tencent, Baidu and Sina) for failing to fulfil their management duties in relation to pornography, violence and other banned content on their sites.
Many countries in Asia have already passed or are considering passing strict cybersecurity regulations. While many features of these regulations overlap with those in other global regulations, key differences do appear. Since an attack in Singapore is likely also to be felt in London and in New York, for example, it will be important for multinational corporates to take a global compliance view, and have in place a holistic compliance and crisis response plan that accounts for multiple and sometimes cross-cutting regulatory requirements which apply in the jurisdictions in which they operate.
Paul Moloney, Partner, Eversheds Sutherland
paulmoloney@eversheds-sutherland.com