Cyber Security (Singapore)
In the recent judgment in Public Prosecutor v James Raj s/o Arokiasamy SGDC 36, the Singapore court commented that cyber-security offences, in addition to harming the immediate victims, also have the wider-felt impact of triggering unease and offending the sensibilities of the general public. A deterrent sentence is therefore necessary and appropriate to quell the public disquiet and unease engendered by such crimes. Given the current climate, in which international and domestic terrorist security threats are more prevalent than before, cyber-attacks in a country like Singapore, which is highly networked, should be visited with exemplary sentences.
In no uncertain terms, the Court emphasized that given how Singapore positions itself to be an intelligent island and a global centre for e-commerce, deterrence functions as a necessary sentencing consideration in all cyber security offences in order to protect the integrity of Singapore’s computer systems and the security of financial and commercial institutions, foreign investors and locals alike.
This is an apt backdrop against which to consider the legislation governing cyber security in Singapore and how it is, or is likely to be, enforced.
What are the primary governing legislations?
- Computer Misuse and Cybersecurity Act (Cap. 50A)
- Electronic Transactions Act (Cap. 88)
- Personal Data Protection Act 2012 (Act 26 of 2012)
- Protection from Harassment Act (Cap. 256A)
What falls under the purview of these legislations and what are the offences?
- These are the types of offences under the Computer Misuse and Cybersecurity Act (“CMCA”), which is the earliest and primary legislation enacted to combat unauthorised exploitation of technology:
  - Access-related offences
    - Unauthorised access to computer material
    - Access with intent to commit or facilitate commission of an offence
    - Unauthorised modification of computer material
  - Usage-related offences
    - Unauthorised use or interception of computer service
    - Unauthorised obstruction of use of computer
    - Unauthorised disclosure of access code
- In addition, where the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services or defence of Singapore or the foreign relations of Singapore, the Minister may, by certificate, authorise or direct any person or organisation specified in the certificate to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services.
- The Electronic Transactions Act (“ETA”) was enacted to minimise the incidence of forged electronic records, intentional and unintentional alteration of records, and fraud in electronic commerce and other electronic transactions; to promote public confidence in the integrity and reliability of electronic records and electronic commerce; and to foster the development of electronic commerce through the use of electronic signatures to lend authenticity and integrity to correspondence in any electronic medium. Amongst other things, it prescribes the legal recognition of electronic records, what constitutes secure electronic records and secure electronic signatures, and specified security procedures. Offences under the ETA include breach of confidentiality and failure to observe directions issued by the Controller for compliance with the ETA.
- The Personal Data Protection Act (“PDPA”) was enacted to facilitate the use and sharing of personal data in a safe and responsible manner by encouraging and enforcing the responsible collection, use, disclosure, care and retention of and access to personal data. Under the PDPA, an organization is responsible not only for personal data in its possession but also personal data under its control. It must designate at least one individual to be responsible for ensuring that the organization complies with the stipulations of the PDPA.
- The Personal Data Protection Commission, empowered by the PDPA to administer and enforce the PDPA, announced in April 2016 that it had penalized 11 organizations in its first enforcement tranche for breaches of the PDPA. Speaking at the 2016 Personal Data Protection Seminar, Chairman of the Commission Mr Leong Keng Thai said that the Commission has observed that the more severe breaches were due to inadequate data protection measures in place, which resulted in the unauthorised disclosure of personal information. In particular, many organizations hire external vendors for the development, maintenance and operation of their IT systems. Organisations need to understand that the vendors they hire have an important role to play in data protection, and must work closely with them to ensure that the appropriate level of security is accorded to the protection of personal data.
- Some of the less obvious offences under the PDPA include:
  - failing to cease collecting, using or disclosing personal data after the consent for such collection, use or disclosure has been withdrawn;
  - collecting, using or disclosing personal data for purposes other than those of which the individual was notified when consent was given;
  - failing to make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates, or is likely to be disclosed by the organisation to another organisation.
- A Do Not Call Registry was also set up under the auspices of the PDPA. Failing to check the Registry before sending an SMS to a Singapore telephone number is an offence punishable under the PDPA.
- The most recent of the legislation governing cyber security is the Protection from Harassment Act (“POHA”). Prior to the enactment of the POHA in 2014, harassment and unlawful stalking were governed by some provisions in the Miscellaneous Offences (Public Order and Nuisance) Act (Cap. 184). However, those provisions did not expressly prescribe that cyber harassment and/or cyber stalking would also be unlawful under that Act. Part of the POHA re-enacts and enhances those provisions to extend to harassment and/or stalking carried out by electronic means. The POHA has also created a statutory tort of harassment, and a victim of an offence under the POHA may bring civil proceedings in court against the offender.
- Some of the offences under the POHA include the following:
  - Using or making, by any means, threatening, abusive or insulting communication which is heard, seen or perceived by any person who is likely to be caused harassment, alarm or distress;
  - Using or making, by any means, threatening, abusive or insulting communication, with intent to cause harassment, alarm or distress to any person, and causing that person or any other person harassment, alarm or distress;
  - Using or making, by any means, threatening, abusive or insulting communication, where the victim is likely to believe that unlawful violence may be inflicted on him;
  - Unlawful stalking by any means, such as circulating revealing photographs of a co-worker to other workers, or repeatedly sending e-mails to a co-worker with suggestive comments about the co-worker’s body.
What are the sanctions?
The penalty for a first conviction for unauthorized access to computer material, without damage to the computer material, is a fine of up to S$5,000 or imprisonment of up to 2 years or both. If damage is caused, the penalty is much more severe, being a fine of up to S$50,000 or imprisonment of up to 7 years or both.
For some of the above-mentioned offences, if the computer accessed is a “protected computer” as defined in the CMCA, meaning a computer, program or data used directly in connection with or necessary for purposes such as security, defence or international relations, enforcement of criminal law, public infrastructure and other such public purposes, the sanction may be enhanced to a fine of up to S$100,000 and imprisonment for a term not exceeding 20 years, in lieu of the sanction otherwise prescribed for the specific offence.
Access with intent to commit or facilitate the commission of an offence attracts the penalty of a fine up to S$50,000 or imprisonment of up to 10 years or both.
A first conviction for unauthorised modification, or any of the usage-related offences, or unauthorized disclosure, attracts a penalty of a fine of up to S$10,000 or imprisonment of up to 3 years or both.
In addition to the prescribed penalties, an order for compensation may also be made against a person convicted of an offence under the CMCA if there was damage.
The ETA empowers the Minister to make regulations, such as those for specified security procedures and specified security procedure providers, and such regulations may provide that a contravention attracts a fine not exceeding S$50,000 or imprisonment for not more than 12 months or both.
Any person guilty of an offence under the ETA for which no penalty is expressly provided shall be liable on conviction to a fine not exceeding S$20,000 or to imprisonment for a term not exceeding 6 months or to both.
The Personal Data Protection Commission may, if it thinks fit in the circumstances to ensure compliance, give the organisation directions such as the following: (a) to stop collecting, using or disclosing personal data in contravention of the PDPA; (b) to destroy personal data collected in contravention of the PDPA; (c) to pay a financial penalty of such amount not exceeding S$1 million as the Commission thinks fit.
Offences in relation to access, alteration, falsification and/or destruction of personal data may attract a fine of up to S$5,000 or up to S$10,000 (depending on the nature of the offence) and/or imprisonment of up to 12 months for an individual, and a fine of up to S$50,000 or up to S$100,000 (depending on the nature of the offence) for an organization.
Offences for which no penalty has been expressly provided may attract a fine of up to S$10,000 or imprisonment of up to 3 years or both.
Vicarious liability of the employer for the acts done or conducted by employees in the course of their employment is expressly provided for in the PDPA.
The PDPA also expressly provides for a right of private action, such that any person who suffers loss or damage directly as a result of a contravention of the PDPA by an organization shall have a right of action for relief in civil proceedings in the Singapore court.
Under the POHA, where harassment, alarm or distress was likely to be caused, the penalty is a fine of up to S$5,000. Where actual harassment, alarm or distress was caused, with intent, the penalty is a fine of up to S$5,000 or imprisonment for up to 6 months or both. Where the offence included threats of unlawful violence against the victim, the penalty increases to a fine of up to S$5,000 or imprisonment for up to 12 months or both. Unlawful stalking attracts the same maximum penalty as offences involving threats of unlawful violence. Subsequent offences attract enhanced penalties.