The Singapore Parliament passed amendments to the existing Computer Misuse and Cybersecurity Act (Chapter 50A) (“CMCA”) on 3 April 2017. The amendments are designed to address the changing nature of computer offences and the growing threat of cyber crime.
This e-bulletin will discuss the key amendments, including: (a) two additional offences; and (b) the extension of the CMCA’s extraterritorial reach beyond Singapore. Businesses, in particular those organisations which receive, transmit and process information online on a regular basis, should pay attention to the amendments.
1. New Offences
Section 8A: Supplying (etc), personal information obtained in contravention of certain provisions
The new Section 8A regulates acts done in relation to personal information of individuals that the perpetrator knows or has reason to believe has been obtained by committing a computer crime. A person is guilty of an offence if the person obtains, retains, supplies, offers to supply, transmits or makes available personal information in breach of the CMCA, subject to the following exceptions:
If in ‘obtaining or retaining the information’ the user did it for a legitimate purpose, it would not be an offence. Legitimate in this context is defined as a purpose other than (a) for use in committing, or in facilitating the commission of, any offence; or (b) for supply, transmission or making available by any means for the personal information to be used in committing, or in facilitating the commission of, any offence.
If in relation to supplying, offering to supply, transmitting or making available personal information, the user did such act for a legitimate purpose and additionally did not know or have reason to believe that the information will be or is likely to be used to commit or facilitate the commission of an offence, it would equally not be an offence. For these other acts, legitimate is defined as a purpose other than (a) for the personal information to be used in committing, or in facilitating the commission of, any offence; and (b) the person did not know or have reason to believe that the personal information will be or is likely to be used to commit or facilitate the commission of any offence.
In proposing the amendment, the Government provided the following example of an act done for a legitimate purpose. Company A comes across a list of credit card numbers on the internet belonging to individuals who are customers of Company B, which Company A has reason to believe were obtained by securing access without authority to Company B’s server. If Company A retains the list and transmits it to Company B for the purpose of notifying it of the unauthorised access, it would be for a legitimate purpose, and not an offence. Equally, if an employee of Company B after receiving the list from Company A transmits it to another employee within its company for the purpose of investigation, it would be for a legitimate purpose, and no offence is committed.
From an evidentiary perspective, the amendment bill also provided that the prosecution would not need to prove the underlying offence when proving that the perpetrator knows or has reason to believe that personal information was obtained by committing a computer crime. In the amendment bill, the Government provided an example of a person coming across personal information the nature of which suggests that it could only have been obtained by unauthorised access to another person’s computer. Under such circumstances, the person would be in breach of Section 8A if the person carries out prohibited acts, regardless of whether the original person who carried out the unauthorised access is known or can be discovered.
Section 8B: Obtaining (etc), items for use in certain offences
The new Section 8B regulates acts done in connection with an item that is designed, adapted or is capable of being used to commit a computer crime, or by which a computer or part of a computer is capable of being accessed. Such acts are divided into two categories: (a) obtaining or retaining such an item intending to use it to commit or to facilitate the commission of a computer crime, or with a view to it being supplied or made available for such use; and (b) making, supplying, offering to supply or making available such item intending it to be used to commit or to facilitate the commission of a computer crime.
2. Extending the extraterritorial reach of CMCA
i. Extended reach and its scope
With the amendment, the CMCA now has extraterritorial application as long as the relevant act causes or creates a significant risk of serious harm in Singapore. The latter is defined as (a) illness, injury or death of individuals in Singapore; (b) disruption of, or a serious diminution of public confidence in, the provision of any essential service; (c) disruption of, or serious diminution of public confidence in the performance of any duty or function of, or the exercise of any power by, the Government; and (d) damage to the national security, defence or foreign relations.
In proposing the amendment, the Government proposed the following examples as ‘significant risk of serious harm in Singapore’: (a) providing public access to the account numbers of customers of a bank in Singapore (i.e. seriously diminishing public confidence in the provision of an essential service); and (b) providing to the public access to confidential documents belonging to a ministry of the Government (i.e. seriously diminishing public confidence in the Government’s exercise of power).
ii. Limited reach of the previous legislation
Prior to the amendment, if an offence under the CMCA was committed by any person outside Singapore, the person could only be dealt with as if the offence had been committed within Singapore if either of the following conditions were satisfied: (a) the accused was in Singapore at the material time; or (b) the computer, program or data was in Singapore at the material time. This prevented enforcement actions from being taken against persons who were overseas at the material time of the commission of the crime, or who targeted an overseas computer, even if the act resulted in serious harm or a significant risk of such harm, in Singapore.
Conclusions and recommendations
As noted by Members of Parliament, there is a concern that Singapore businesses, and SMEs in particular, may not be as aware as they should be of cybersecurity. Such legislation, though offering more protection to society as a whole, can also be a source of concern for such businesses as they navigate the extent to which their current handling of information might be in contravention of the amended CMCA. To assist with this, the Singapore Computer Emergency Response Team (“SingCERT”) would post advisories on its website to alert companies of online threats and how they can be managed. In the third quarter of this year, the Info-communications Media Development Authority of Singapore (“IMDA”) will be establishing a new SME Technology Hub which will provide in-person advice on cybersecurity.
Equally, the legislation also applies to anyone who uses such information in their daily work. Journalists and academics should be particularly cautious of using information from leaked information derived from hacks. Depending on the circumstances, indiscriminately making available hacked personal information may amount to an offence.