Minter Ellison's head of insurance and corporate risk, Asia, Will Harrison, gives his take on the state of play of cyber regulation in Australia, Singapore and Hong Kong.
On 4 December 2015, the Australian Government released draft legislation providing for mandatory data breach notification and commenced a consultation process. The government has indicated that it intends to introduce the bill to parliament in the first half of 2016.
The legislation would mark a significant increase in the level of cyber regulation in Australia, coming after instances of customer information being stolen from two high street businesses, David Jones and Kmart.
The current regime is somewhat piecemeal, being found in the Corporations Act 2001, the Privacy Act 1988 and various other industry-specific legislation. The principal regulator, the Office of the Australian Information Commissioner (OAIC), currently runs a voluntary notification regime.
Breach of the current regime can lead to compensation orders or pecuniary penalties being imposed, and increasingly exposes companies to class action litigation from the affected persons. For listed companies, the securities regulator, ASIC, has made repeated public statements noting that listed company directors' duties could be breached by a failure to manage cyber risks appropriately.
The trend going forward is clearly one of increasing concern from government and regulatory authorities leading to new rules across multiple regulatory spheres together with increased and more creative enforcement of existing rules.
Singapore’s cyber related legislation is extensive and, potentially, intrusive for businesses.
The recent Computer Misuse and Cybersecurity Act (CMCA) is a key part of the implementation of its five-year "National Cyber Security Masterplan 2018". Under the CMCA the government is entitled to take pre-emptive measures to prevent, detect and counter threats to "essential" industries (including banking and finance, transport, infrastructure, security and health), national security and foreign relations.
Under the CMCA, the Home Minister has power to issue a certificate requiring any person to: (i) provide information obtained from a computer controlled or operated by that person which is necessary to identify, detect or counter any threat; and (ii) provide a report of a breach (or an attempted breach) of security fitting the description specified in the Home Minister's certificate.
In addition, Singapore has recently enacted the Personal Data Protection Act, which addresses data privacy matters, and has various regulatory guidelines, including the Monetary Authority of Singapore's "Technology Risk Management Notice and Guidelines", which serve to promote data and cyber security.
The Singapore approach is quite distinct from other jurisdictions. It is apparent that cyber security is treated as a matter similar to (or part of) national security and that the government is entitled to take a proactive role in addressing threats. From this, it can be expected that Singapore would not hesitate to introduce further requirements, such as a general data breach notification obligation, if it believed this was necessary to guard against cyber threats.
In Hong Kong, the key legislation relating to cyber security is the Personal Data (Privacy) Ordinance and the Computer Crimes Ordinance.
The former addresses the collection, use and transfer of personal data and is not directly aimed at addressing cyber crime. The Computer Crimes Ordinance amended a number of existing ordinances to create offences including those relating to unauthorised access to a computer or unlawfully altering any data on a computer.
The role of the Privacy Commissioner has been transformed since the scandal relating to the sale by Octopus (the cashless payment card provider) of customer data to certain life insurers.
After the Octopus case, the regulator moved from being known as a "toothless tiger" to an aggressive regulator that increasingly adopts a "name and shame" approach to companies that do not deal with customers' personal information adequately. This has been coupled with a far greater awareness among the public of its rights and a commensurate increase in the number of complaints.
There is no provision for mandatory reporting of data breaches in Hong Kong and no published proposals to introduce any such requirements. However, Hong Kong has a history of legislating in these areas only when there is a sufficient public outcry: the provisions in the Personal Data (Privacy) Ordinance relating to the transfer of data for direct marketing purposes were significantly strengthened (to require express consent) following the Octopus scandal.
It remains to be seen whether the recent theft of thousands of children's and their parents' personal information from Hong Kong toymaker VTech could lead to a change on this front.