RHTLaw Taylor Wessing Intellectual Property & Technology Partner Jack Ow wrote an article published in CIO Asia titled “Privacy, cybercrime and the law in a post-ransomware world”.
The article was first published in the 23 June 2017 edition of CIO Asia.
Privacy, cybercrime and the law in a post-ransomware world
Source: CIO Asia
Date: 23 June 2017
Author: Jack Ow
In an age where data has become a valuable commodity that is the object of cybercrime, organisations and cybersecurity professionals must work within applicable legal frameworks in preventing, detecting and responding to cybercrime and cyberattacks.
This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
Weeks before the WannaCry ransomware attacks, in April 2017, I became another victim of cybercrime.
My bank's SMS notification alerted me to a €2,800 transaction on my credit card in a restaurant in Vienna one afternoon. The last I checked, I was in Singapore. Within the next minute, I was on the phone with the bank. As we were verifying the unauthorised transaction, a second SMS notification alerted us to another €1,300 that was transacted on the same card at the same location.
It was somewhat ironic, because I had highlighted the recent amendments to the Singapore Computer Misuse and Cybersecurity Act (CMCA), which had been passed by the Singapore Parliament just days before the unauthorised credit card transactions. Like most victims of cybercrime, I am unlikely ever to have the full facts behind the unauthorised collection, circulation and use of my credit card details, but I believe that the recent amendments to our cybercrime laws are a necessary step in the right direction to address the growing ease of obtaining valuable and/or sensitive personal data for committing or facilitating other offences.
Buyer Beware: Using Hacked Personal Data Could Be A Crime
With the changes to our cybercrime laws, there will be, understandably, some initial uncertainty among individuals and companies in the scope and application of the laws, especially if they are in the business of cybersecurity, or have cybersecurity concerns.
One of the main objectives for amending the CMCA is to criminalise dealings in hacked personal data for illicit purposes. In particular, the changes address the roles of, and close the gaps in the existing law against, "middlemen" who trade in such personal data but are not directly involved in the computer hacking offences themselves. (See: Singapore Parliamentary Debates, Official Report (3 April 2017), 2nd Reading, Computer Misuse and Cybersecurity (Amendment) Bill.)
As a consequence, the legislative changes would also mean that individuals and companies, including cybersecurity professionals, are obliged to exercise due care when dealing with personal data obtained through hacking.
For any personal data obtained or retained by individuals and companies whose origin is unclear, including where such personal data may have been the product of hacking ("Hacked Personal Data"), individuals and companies must ensure that such Hacked Personal Data is collected or used only for a purpose other than committing, or facilitating the commission of, any offence (a "legitimate purpose").
To the extent that individuals and companies supply, offer to supply, transmit or make available, by any means (each an "act of supplying") such Hacked Personal Data, they must (i) ensure that any act of supplying the Hacked Personal Data is only for a legitimate purpose, and (ii) be able to prove that they did not know, or have any reason to believe, that the hacked personal data will be, or is likely to be used, to commit, or facilitate the commission of, any offence.
In other words, dealings in Hacked Personal Data could attract criminal liability under Singapore law unless the data is collected and used only for a legitimate purpose, and due care has been exercised in its disclosure, both in terms of the nature of the contents actually disclosed and the party to whom they were disclosed.
When Public Domain is Not Public Knowledge
In addition to the issues that could attract criminal liability under the CMCA, individuals and companies dealing with Hacked Personal Data for legitimate purposes need to be aware of other concurrent legal obligations.
Under the Singapore Personal Data Protection Act 2012 (PDPA), the collection, use and disclosure of any personal data by an organisation requires the consent of the individual to whom the personal data relates, unless the organisation can rely on an exception under the PDPA, for example, where:
1) the collection, use and/or disclosure of the personal data is necessary:
to respond to an emergency that threatens the life, health or safety of the individual or another individual; or
for any investigation or proceedings; or
for evaluative purposes; or
2) the personal data is publicly available.
The application of these exceptions under the PDPA may not be straightforward with regard to dealings in Hacked Personal Data, as the PDPA ascribes specific meanings and parameters to what constitutes "investigation", "proceedings", "evaluative purposes" and "publicly available".
Individuals and organisations must also not forget that confidential data does not automatically lose its confidential status when it is made available in the public domain. This was clarified by the Singapore Court of Appeal in its recent decision in Wee Shuo Woon v HT S.R.L.
International law firm RHTLaw Taylor Wessing, in conjunction with Taylor Wessing, launched its inaugural Global Data Protection Guide (GDPG) - spanning more than 60 countries - to capitalise on market demand for readily accessible information on data protection laws.
This innovative online map examines national data protection laws in multiple jurisdictions across the globe, for the benefit of all businesses across all sectors, who need to navigate the complexities of the global data privacy landscape. The GDPG addresses, amongst many others, the following questions:
Is there a national data protection law in place?
Are data processing notification requirements enforced by a regulator?
Are there rules on data transfers?
What are the guidelines for employee monitoring?
In addition, the tool allows the user to compare up to five countries at a time, spanning data protection regimes across Europe, the US, South America, and parts of Asia and Africa. The GDPG will be regularly updated so that it fully encompasses all significant changes relating to global data protection, including the General Data Protection Regulation (GDPR), which will apply from May 2018.
The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation within the EU.
While Singapore has its own data protection laws in the form of the Personal Data Protection Act (PDPA), Singapore businesses are increasingly recognising the need to comply with the GDPR as well. Singapore is the EU’s largest commercial partner in ASEAN and local companies that do business with customers from the EU risk incurring hefty fines if they do not comply with the GDPR.
Rizwi Wun, Partner in the Intellectual Property & Technology practice at RHTLaw Taylor Wessing noted, “As data emerges as the new currency in the digital economy, the protection of data will be one key component of this new era. The GDPG will provide easy access to a useful database of data protection laws in many countries, and will prove to be a tool that companies will no doubt find very useful as a valuable resource.”
Vin Bange, Partner in the International Data Protection practice at Taylor Wessing commented, “With data protection compliance becoming headline news and following on from direct client feedback, the GDPG is incredibly timely. Data Protection laws impact all businesses, across all sectors, worldwide which means companies are now sitting up and taking note of what this actually means. Put simply, no business can escape from these laws. The idea, therefore, behind GDPG is to address the issues worrying firms head on and help everyone prepare for the market changes ahead."
The new launch follows other recent innovations by Taylor Wessing, including the TW: Cyber Response app and builds on the wealth of international industry-focused thought leadership content available on the Global Data Hub, which provides expert insight and analysis on data protection issues and Download, which offers guidance on key developments in the media and technology sectors.