Along with the Thailand Personal Data Protection Act (please see our previous client alert Get Ready: The First Thailand Personal Data Protection Act Has Been Passed), the Cybersecurity Act was also approved and endorsed by the National Legislative Assembly on 28 February 2019.
Please see below a key summary of the Cybersecurity Act.
1. Effective Date
Once the Cybersecurity Act is published in the Government Gazette, the Act will become effective. We expect that the Act will be published in the Government Gazette in a couple of months (tentatively in April or May 2019).
2. The definitions of Cybersecurity and Cyber Threats
Under the current version of the Cybersecurity Act, "Cybersecurity" means any measure or procedure established to prevent, handle, and/or mitigate the risk of Cyber Threats from both inside and outside the country which affect national security, economic security, military security, and public order.
"Cyber Threats" mean any action or unlawful undertaking done using a computer, computer system, or undesirable program with an intention to cause harm to the computer system, computer data, or other relevant data, and includes imminent threats which would cause damage or affect operation of the computer, computer system, or other relevant data.
3. Levels of Cyber Threats
The Act classifies Cyber Threats into three levels, as follows:
(1) non-critical level Cyber Threats;
(2) critical level Cyber Threats; and
(3) crisis level Cyber Threats.
The power and authority of the relevant officials over private organizations differ depending on the level of the particular Cyber Threat.
4. Obligations of Private Organizations
Private organizations could be subject to the Cybersecurity Act, as follows:
(1) Critical information infrastructure organizations
Private organizations using computers and computer systems in the course of their operations to maintain national security, public security, national economic security, or fundamental infrastructure for public interest could be deemed critical information infrastructure organizations under the Act.
Critical information infrastructure organizations have various obligations under the Act, including (i) providing the names and contact information of the owner(s), the person(s) possessing the computer, and the person(s) monitoring the computer system; (ii) complying with the code of practice and minimum cybersecurity standards; (iii) conducting risk assessments; and (iv) giving notification of Cyber Threats.
In the event of a Cyber Threat, a critical information infrastructure organization is required to investigate related information, computer data, and the computer system of such affected organization, and protect, handle, and mitigate the risks from the Cyber Threats in accordance with the Code of Practice and cybersecurity standards. Critical information infrastructure organizations are also subject to the same obligations as private organizations.
(2) Private organizations
Private organizations which are not critical information infrastructure organizations are also subject to the Act.
In the event of a Cyber Threat, the relevant authorities may request cooperation from, or order, private organizations to perform various actions, such as (i) providing access to relevant computer data, a computer system, or other information related to the computer system, only to the extent necessary to prevent Cyber Threats; (ii) monitoring the computer or computer system; and (iii) allowing officials to test the operation of the computer or computer system, or to seize or freeze a computer, a computer system, or any equipment.
Generally, such orders must be limited to what is necessary to prevent or handle Cyber Threats. The extent of the orders will depend on the level of the particular Cyber Threat. Certain orders require a court order, while others do not. Penalties for non-compliance range from fines to imprisonment.
Once the Cybersecurity Act is published in the Government Gazette, any entity that could potentially be deemed a critical information infrastructure organization should monitor developments under the Act closely and prepare for compliance. In addition, all other entities should prepare their IT systems, update relevant legal documents (including IT policies and breach notification procedures), and conduct personnel training to raise awareness of cybersecurity.