On 3 April 2017, the Singapore Parliament passed proposed changes to the Computer Misuse and Cybersecurity Act (CMCA). The parliamentary debates on the amendment Bill shed further light on Singapore’s legislative framework for combatting cybercrime.
The new section 8A of the amended Act criminalises the use of personal data obtained via an act in breach of the CMCA, where the person knows or has reason to believe that the personal information was so obtained. It is not an offence if the information was used for a purpose other than to commit or facilitate the commission of an offence.
In this regard, the Senior Minister of State for Home Affairs, Mr. Desmond Lee, further clarified the scope of section 8A. The Minister explained that journalists or researchers who use information derived from hacks for their news reports or research would not fall afoul of the law, as long as they do not circulate the personal details that were disclosed through the hack.
On the whole, section 8A arguably gives the prosecution more teeth to tackle cybercrime. For the purpose of proving the person’s knowledge that the information was obtained in breach of the CMCA, the prosecution does not have to prove the particulars of the contravention, such as who carried out the contravention and when it took place.
The Members of Parliament also raised their concerns over low cybersecurity risk awareness amongst businesses. In particular, the new section 8B of the amended Act criminalises the act of obtaining and the act of dealing in tools which may be used to commit a CMCA offence. Businesses which are less prudent may therefore fall afoul of the law in the course of selling their products.
In response, the Minister noted that the Singapore Computer Emergency Response Team (SingCERT) provides cautionary advisories to companies to alert them to cyber threats. Moreover, the Info-communications Media Development Authority of Singapore (IMDA) will be establishing a new Technology Hub to provide, inter alia, cybersecurity advice to small- and medium-sized enterprises (SMEs).
Going forward, it will be worth keeping an eye on how the amended Act operates hand-in-hand with the impending Cybersecurity Act, which is set to be tabled in Parliament later this year.