Out-Law / Your Daily Need-To-Know

Using hacked personal data an offence under new Singapore cyber laws

05 Apr 2017, 9:58 am

Businesses in Singapore that come across databases of personal data stolen from other organisations could be fined if they keep that data for themselves or share it with others, under new laws introduced earlier this week.

Amendments to the country's Computer Misuse and Cybersecurity Act were passed by Singapore's parliament on Monday (10-page / 71KB PDF).

The new laws will not prevent businesses from notifying companies to whom the information belongs that their data has been compromised, or from businesses that fell victim to hacking sharing the data internally for the purposes of investigating the breach.

"The new [amendment] covers acts done in relation to personal information of individuals that the perpetrator knows or has reason to believe has been obtained by committing a computer crime," an explanatory statement included alongside the new laws said. "The prohibited acts are obtaining, retaining, supplying, offering to supply, transmitting or making available the personal information."

"It is not an offence (in relation to the act of obtaining or retaining the information) if the perpetrator did the act for a legitimate purpose. It is not an offence (in relation to the other acts) if the perpetrator did the act for a legitimate purpose, and did not know or have reason to believe that the information will be or is likely to be used to commit or facilitate the commission of an offence," it said.

The use of hacking tools by businesses has also been criminalised in Singapore under the reforms.

The new laws could potentially effect businesses operating outside of Singapore, as an offence will be considered to have taken place under the new Singapore laws "where the act causes or creates a significant risk of serious harm in Singapore".

Businesses could be fined up to SIN$10,000 ($7,148), or SIN$20,000 ($14,296) for a repeat offence, and individuals responsible for the breach could be fined up to three years, or five years in the case of repeat offenders.

"The continuous tightening of cybercrime laws comes as no surprise given the new threats and scenarios that are emerging," said technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint venture partner of Pinsent Masons, the law firm behind Out-Law.com. "In addition, it is clear that this round of amendments is aimed at tackling cybercrime whereas the cybersecurity provisions will be beefed up in the new cybersecurity law which the government has indicated will be introduced this year."