Proposed Strengthening of Singapore Cybersecurity Law

In keeping with Singapore’s recent emphasis on strengthening national cybersecurity protections, on March 9, 2017, the Ministry of Home Affairs (MHA) announced proposed amendments to the existing Computer Misuse and Cybersecurity Act (CMCA). The proposed amendment, Bill No. 15/2017, would broaden the scope of the CMCA by criminalizing certain conduct not covered by the existing law and enhancing penalties in certain situations.

The key provisions of the amendment are as follows:

  • The bill criminalizes obtaining, retaining or dealing in personal information to carry out a crime if the offender knows or has reason to believe that the data was obtained by violating the CMCA, even if the offender did not steal the data himself. Thus, it would be a crime for someone to illegally use personal information that appears to have been obtained through unauthorized hacking, even if the using offender has no connection with the original hacker.
  • The bill also criminalizes obtaining, retaining or dealing in devices, computer programs and passwords for the purpose of facilitating computer crimes. Programs such as password breakers and malware would fall under this provision.
  • The bill broadens the extraterritorial reach of the CMCA. As the notes to the bill explain, the CMCA currently does not apply to actions by persons outside of Singapore who have targeted overseas computers even if their actions resulted in harm in Singapore. The bill would make such actions a criminal offense regardless of the location of the offender or of the targeted computer/data if the conduct “causes, or creates a significant risk of, serious harm in Singapore.”
  • Finally, the bill would allow authorities to combine offenses that involve the same computer and are committed within a 12-month period into a single charge (“amalgamation of charges”) rather than splitting up the charges individually. This amalgamation would allow authorities to describe the series of attacks as a single act and also make available enhanced penalties if combined damages are greater.

As in other jurisdictions in the region, Singapore continues to toughen its criminal cybersecurity provisions in response to increasing threats and incidents. Businesses likewise should continue to maintain their vigilance and consider strengthening their protections to manage cybersecurity risk.