Recent Amendments to the Computer Misuse and Cybersecurity Bill
Mar 27


Introduction

On 22 March 2017, Ravi Menon, managing director of the Monetary Authority of Singapore, warned of the growing cybersecurity threat in the financial services sector. Highlighting privacy and systemic concerns that could result from cybercrime, he said cyberattacks have become so sophisticated that they now have the power to potentially trigger financial crises. The proposed changes to the Computer Misuse and Cybersecurity Act (“CMCA”) in the Computer Misuse and Cybersecurity (Amendment) Bill (the “Bill”) on 9 March 2017 are timely to keep up with increasingly complex cyber threats in recent years, including the hacking of the Ministry of Defence’s systems just last month.

What does the Bill say?

The Bill is widely drafted. It aims to introduce new offences under the CMCA to criminalise a wide spectrum of cybercrime and cope with the nature, scale and scope of complex cyber threats (e.g. from the intrusion of a single computer to large scale attacks on cyber infrastructure).

There are two new (widely-drafted) offences. The first offence is for any person to provide or receive personal information which he suspects was obtained through unauthorised means. There are limited exceptions to this, e.g. where there is a legitimate purpose for the person to deal with the personal information or, in a case where the person provides information, where he did not know the personal information would be used to commit a computer crime. The second is for a person to deal with items designed for, adapted to and used to commit computer crimes, including hardware and software (e.g. computer programmes, passwords or access codes).

The Bill has extraterritorial effect by criminalising acts that cause significant risk of serious harm in Singapore, regardless of whether the perpetrator, computer, programme or data was in Singapore at the material time. “Serious harm” is defined widely, and includes illness, injury or death to individuals, as well as disruptions and diminution of public confidence in key infrastructure and governmental bodies. This serves as a catch-all for the various CMCA offences and covers even unsuccessful attempts at computer crimes, since only “significant risk of serious harm” need be established.

The prosecution may prosecute cybercriminal acts committed using the same computer over a 12-month period (e.g. through a series of hacking incidents) under one charge. The prosecution no longer has to establish the exact date of each cybercriminal act but may instead rely on a general timeframe during which these acts take place.

What does this mean for your organisation?

Given the increasing number of sophisticated and complex cyberattacks, organisations should continue to adopt a proactive security stance to harden their defences against cyberattacks and be equipped...

Singapore Copyright Changes – Five Key Takeaways for the Media and Technology Sectors
Aug 29


On 23 August 2016, Singapore’s Ministry of Law and IPOS announced a public consultation on proposed changes to the Copyright Act. The proposed changes would represent the first major overhaul of copyright law in Singapore for a decade. In this post, we comment on what the changes could mean for the media and technology sectors.

Five Key Takeaways

VPNs are in the spotlight again

We’ll start with the issue that has consumed the most media attention – the legality of Virtual Private Networks (VPNs). The volume of coverage is surprising given that VPNs are not even mentioned in the consultation paper. Nonetheless, there has been speculation in some quarters about the possibility of VPN services being banned altogether in Singapore. This is of course a misreading of what is a highly-nuanced issue. No one is seriously proposing that VPN technologies be subject to a blanket ban in Singapore. There is widespread acceptance that VPNs can be and are used for legitimate purposes. Instead, the concern in the media industry is about the deliberate promotion, sale and use of VPNs as a tool to bypass geographical content restrictions. The most common example is companies that promote VPN services as a way to watch, for example, US Netflix or UK Amazon Prime Video, even though those services are not licensed for use in Singapore.

From a media industry perspective, there are two major issues with the promotion, sale and use of VPNs to bypass geographical restrictions.

The first is a copyright issue. The international TV, film and music industries are built upon a system of territorial licensing. Rights are usually licensed by country. The reason for this is simple – it generates revenues which, in turn, incentivise creative industries to invest more in new content. Any law that limits the ability of media companies to grant or exercise rights by territory arguably puts a major dent in the industry’s business model and that could lead to lower investment in content and, ultimately, a more limited range of lower-quality content for consumers.

The second issue of concern for the media industry is content regulation. Singapore, like many countries, has a range of content regulations to protect community standards. Content delivered via VPN might comply with the content regulations in the territory at which it is targeted but it might not comply in Singapore. Not only do VPNs bypass copyright restrictions, they can also bypass content regulation, which arguably risks creating a playing field that is tilted against local, licensed operators who play by the local rules.

As the consultation rightly points out, “A good copyright regime balances between providing exclusive rights as an...

Leveraging the Schooling Effect: Opportunities and Challenges in Asian Sponsorship Deals
Aug 23


Celebrity endorsements are a multi-million dollar business and especially prominent in the world of sports. Companies such as Nike, Under Armour, Puma and Omega spend millions of dollars securing prized endorsements from famous athletes such as Michael Phelps, Usain Bolt and Serena Williams. Here in Singapore, we are already witnessing the “Schooling Effect”, with various brands seeking to leverage the star power of Singapore’s first ever Olympic gold medallist. While celebrity endorsements can be a great way to build awareness of and position brands, there are some important legal and commercial considerations for brands to bear in mind. Here are our eight key takeaways for brands.

Have a contract in place

This is to avoid false celebrity endorsement, where it appears that there is an endorsement by a celebrity for a brand when there is in fact none. Celebrities have a right to take legal action against a brand if the brand comes across as misrepresenting its association with the individual. They may be allowed to do so to protect themselves against damage arising from a false claim or suggestion of endorsement of a third party’s goods or business. In some cases, celebrities have registered intellectual property rights such as trademarks and these could also be infringed where there is no contract in place. In short, tread carefully when leveraging star power.

Be clear as to what the celebrity must do

For example, how many shoots must the celebrity show up for? Are they doing sponsored tweets? If so, how many and when? Do they have to seek approval before posting comments on social media? Clearly defining the celebrity’s responsibility goes a long way in avoiding future disagreements.

Protect yourself from brand damage

By connecting your brand with a celebrity, you obviously hope to generate substantial goodwill. By the same token, however, if there is an incident involving the celebrity with adverse media coverage, then that could actually damage your brand or adversely affect the reputation of your business. This is usually addressed through contractual protections, including commitments from the celebrity and termination rights.

Define and scope out exclusivity

This will ensure that the value of the investment in the celebrity endorsement will not be eroded because of an association between the celebrity and a competitive product. As a rule of thumb, the endorsement deals should set out the period and scope of exclusivity. You might want to prohibit the celebrity from undertaking incompatible or potentially offensive, inappropriate or controversial marketing programmes. Consider whether the celebrity should seek approval before entering into any other endorsement. It is also important not to agree to contracts that conflict with...

A Cyber Security Crisis – What it Means For Your Organisation and How To Deal with it
Jul 25


Understanding the cyber security landscape

With the evolution of technology comes a new breed of crime ranging from data breach / theft, hacking, phishing and identity theft to network intrusion. For example, the global trend indicates an increasing number of high profile data thefts by hackers between 2013 and 2015 (e.g. Target (2013), Sony (2014) and Ashley Madison (2015)). Singapore too has not been spared her share of cyber security related incidents in recent years.

What does this mean for YOUR organisation?

According to The Global State of Information Security Survey 2016, cyber attacks continue to escalate in frequency, severity and impact every year. Prevention and detection methods have proven largely ineffective against increasingly adept assaults, and many organisations don’t know what to do, or don’t have the resources to combat highly skilled and aggressive cybercriminals. Today’s cyber security incidents often leave behind a broad range of operational, reputational and financial implications.

While not every cyber incident is major, given the increasing number and sophistication of cybercrimes as well as the publicity on negative cyber incidents, organisations can no longer adopt the traditional approach of fixing technical issues. Rather, there is an increasing urgency for organisations to step up their efforts to effectively prepare for and manage a cyber crisis in a timely and considered manner. In this article, we focus on (a) a plan of action going into a cyber incident; and (b) the tools to effectively react to and resolve it.

How to survive a cyber security crisis?

Here are some useful guidelines which every organisation can adopt and put into practice:

1. Identify the issue

This typically requires an investigation (e.g. forensic analysis, sensitive data recovery) by the internal IT team and external service providers to:
(a) identify the affected data and systems;
(b) indicate any past breach, any ongoing compromise and/or any potential future breach / compromise;
(c) contain and resolve the problem; and
(d) provide a timely and accurate report on the nature, severity and extent of the breach as well as steps taken to respond and resolve the issue. This can be used to support notifications to affected parties and regulators (if needed).

2. Have a multi-disciplinary team ready to provide a structured and coordinated response.

An effective cyber incident response team should typically consist of:
(a) An internal response task force comprising key personnel from: (i) Management; (ii) Legal; (iii) IT; (iv) Finance; and (v) Human Resource
(b) Third party support, specialising in cyber breach response. For example, have a list of identified external service providers across: (i) Legal; (ii) Fraud mitigation; (iii) Credit monitoring; (iv) Advanced IT specialists (e.g. forensic...

App Developers – Watch Out for Privacy!
Jan 20


Towards the end of last year The Straits Times reported that 90 per cent of mobile apps in Singapore (including those from banks, telcos, real estate agents and financial advisers) do not adequately comply with data protection laws in Singapore. The concern continues this year in another article in The Straits Times. This topic is important. In today’s online world, it is worrying to hear about such a high level of non-compliance. In this post we look at the issues of non-compliance and provide our top tips to help app developers in 2016.

Why are apps still not in compliance?

There are two key areas where apps are not in compliance:

Lack of transparency: Apps are not providing app users with clear information about what data is collected and are not obtaining informed consent from app users.

Data maximisation: Apps are collecting more data than they really need. It doesn’t take much of a leap to understand that if apps collect more data than they need, then there is more risk of apps misusing the data that they don’t need. Why else would you collect it?

The level of non-compliance quoted is surprising. Apps are ubiquitous, all of us use apps and we all put our data onto apps on a daily basis. It is even more surprising because the data protection laws in Singapore have been on the books since 2012 and have been in force since mid-2014. In addition, the regulator (the PDPC) has published plenty of helpful guidance here.

So what if apps are non-compliant?

The PDPC has the ability to fine non-compliance (and in extreme cases there can be imprisonment). As yet the PDPC has not fined a non-compliant app. However, the PDPC has actively fined and investigated others for non-compliance e.g. Xiaomi, Tuition Agency, M1. It can only take a few complaints to grab a regulator’s attention.

But it’s not just about the legal risk. Our view is that the data protection laws in Singapore represent good business and common sense. It is not hard to comply with the requirements and organisations that do so are more likely to win the trust of their customers.

Our top tips for app developers

The good news is that compliance is not difficult. So, to get 2016 off on the right path, app developers must (as a minimum) follow these top tips:

Write out a clear and easy-to-read privacy policy on what user information is collected and how it will be used;
Make the privacy policy easily accessible from the app store/ the app download page and in (or from) the app itself;
Obtain consent at the outset through acceptance of...
