3 May, 2018
During 2017, cyberattacks continued to evolve and develop sophistication, exploiting both previously unidentified vulnerabilities and known vulnerabilities in new ways. Ransomware attacks such as Petya and WannaCry put critical functions across the world and across industries on hold, while the Mirai botnet attack, unleashed in late 2016, highlighted the increasing vulnerabilities of networked Internet of Things (or IoT) devices.
In this context, global regulators and legislators continue to implement new measures aimed at tightening cybersecurity and data privacy requirements for corporates. In 2017 alone, new and stringent regulations came into force in China, Australia, and New York State, with 2018 already seeing Singapore’s new cybersecurity law enacted and Europe’s GDPR set to enter into force within a few months.
On 8 February 2018 the Singapore Parliament passed the Cybersecurity Bill (the “Bill”). The Bill aims to establish a framework for the legal oversight of national cybersecurity in Singapore, with an emphasis on the proactive protection of what falls within the classification of critical information infrastructure (“CII”) against cyber threats. The Bill will take effect as the Cybersecurity Act 2018 on a date determined by notification in the Gazette.
Key features of the new legislation are:
(i) the existing Cyber Security Agency of Singapore (“CSA”) will be empowered to oversee and promote national cybersecurity. Its duties will include identifying CII and regulating CII owners, monitoring cyber threats, responding to cybersecurity incidents that threaten national security or the economy (whether they occur in or outside Singapore), and licensing and establishing standards for cybersecurity service providers;
(ii) CII owners will be subject to new cybersecurity obligations, including sharing information with the CSA, notifying the CSA of any change in ownership or material change in operation, reporting incidents, undergoing regular audits, carrying out regular cybersecurity risk assessments and participating in cybersecurity exercises; and
(iii) vendors providing (a) penetration testing and (b) managed security operations centre monitoring must be licensed. Service providers applying for a licence are required to ensure their key executive officers are fit and proper, and may be refused a licence if they fail to do so.
Updates on the proposed mandatory data breach notification regime
Financial institutions are already required to notify the Monetary Authority of Singapore within an hour of discovering a security breach that has a severe and widespread impact on their operations or materially impacts their customers. However, there is currently no general requirement to report a data breach.
This may be set to change following a public consultation launched by the Personal Data Protection Commission (“PDPC”) of Singapore on 27 July 2017 which proposed introducing a mandatory data breach notification regime under the Personal Data Protection Act 2012 (“PDPA”). The PDPC published its updated proposals on 1 February 2018 in response to feedback received on the initial consultation.
The changes now proposed include:
- Notification criteria: notification to the PDPC and affected individuals would be required where the breach is likely to result in significant harm or impact to the individual to whom the information relates. Where the breach does not pose any risk of impact or harm to affected individuals but is of a significant scale, only notification to the PDPC is required; and
- Notification time frame: upon determining that the breach is eligible for reporting, an organisation must notify both affected individuals and the PDPC as soon as practicable, and must notify the PDPC no later than 72 hours after that determination. This is consistent with other global regulatory schemes such as that in New York State and the forthcoming European GDPR. An organisation has up to 30 days from the date it becomes aware of the suspected breach to determine whether it is eligible for reporting.
It remains to be seen when these proposed changes will be implemented. The PDPC has indicated that it intends to conduct further public consultations in relation to a wider review of the PDPA, albeit no timeline has been provided for the completion of this exercise.
Paul Moloney, Partner, Eversheds Sutherland
paulmoloney@eversheds-sutherland.com